Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
Recently, a brand new scam hit YouTube subscribers in which they received messages purporting to be from famous YouTube personalities asking them to click on a link to claim a prize. Covered by the BBC, The Verge, and many more, the scam initially hit the news when famous YouTuber Philip DeFranco put out a new video that included a message warning his subscribers of the scam. However, RiskIQ’s data shows that this scam has been going on a lot longer, going all the way back to 2016.
These scams are lucrative for their operators, who monetize their campaigns by racking up referral clicks to online surveys from organizations that provide them with kickbacks. The following are other unique insights we gathered from RiskIQ’s web forensics data.
So how did this scam work? These threat actors leveraged a combination of clever impersonation techniques, which boosted the legitimacy of their messages and improved the likelihood that users would click their links, and the abuse of these two systems built into YouTube:
The first step is setting up a new YouTube account and making the displayed avatar and username identical to that of a famous YouTuber. In this example, we’ll show the impersonation of wildly popular YouTuber James Charles. On the left you can see the official account for James Charles and on the right is the fake impersonator:
Fig-1 Real and impersonating James Charles accounts side by side
Although you can see an obvious difference between the real and imposter accounts above, friend requests within YouTube contain very little information besides the name and avatar image, which as we mentioned above, can be faked.
Fig-2 Friend requests appear genuine
This type of impersonation works very well to get through the only barrier within YouTube for sending messages to other users: befriending users.
The next step in the scam is sending messages posing as the famous YouTuber. The message in this scam mentions a contest in which James Charles is “randomly selecting” a subscriber to give out a surprise gift. The message ends with a link which the threat actors hope the user clicks.
Here’s the message users were supposedly receiving from the James Charles impersonators:
Fig-3 Scammer message
Notice how YouTube’s messaging system also displays the username—in this case, the impersonated name—below the message, further enhancing the credibility of the scam.
The most remarkable aspect of this scam and the aspect that has garnered the most attention by the media is the scale with which this is happening. For criminals, the bar is incredibly low to begin this type of scam. They have their pick of the top accounts on YouTube and can impersonate these content creators en masse:
Fig-4 Multiple YouTube personalities were targeted
The links that the victim click comes in the form of a direct link to the scam website, at times put behind a shortlink service like Bit.ly or Twitter short links.
Once the user clicks the link, they are taken through a chain of shortlink services until they hit one of the malicious websites set up by the scammers. This particular scam campaign talks about giving away free iPhones, so the domains reflect that theme, e.g., iPhoneXfree.net and GetiPhoneXhere.com. Following the link, victims are presented with a page impersonating Apple:
Fig-5 Example of a fake prize
Clicking “Get it Now” takes the visitor through a “selection process” that requires the visitor to provide their name, address, country, and email address. After a fake progress bar “checks” this information, the victim is presented with a message that they were selected as a winner. They only have to verify a bit more information:
Fig-6 What ‘winners’ see next
What happens next is where the criminals make their money: referral links to fake surveys. Once a visitor clicks “verify now” they are taken to another website on which they have to complete a survey to verify that they are a real user:
Fig-7 This is where scammers make their money
Another variant of this campaign promises free gift cards instead of iPhones:
Fig-8 A scam variant
iPhones and gift cards are just two themes propagated by these scam campaigns, and the criminals might change the scam to redirect users to different scam surveys sometimes depending on geolocation or the organization they partnered with. However, all the scams lead to survey sites on which a user is promised a prize if they provide their personal information.
These surveys are what monetize the scam for the criminals. Once the visitors fill out the surveys, the organizations that collect this personal information give the scammers a flat-rate kick-back. Even if the kick-backs are tiny, these scammers fool enough users to finance their campaigns and then some.
To give an idea of the volume of visitors clicking on scam links, consider these statistics from the Bitly shortlink service. Please note that these are not all the accounts that were impersonated nor are these all the links the scammers used. Below is only a fraction of the entire campaign.
While the direct messages promoting fake contests got the attention of news outlets, the scammers used a variety of tactics to get their links in front of victims, also promoting albums and videos from fake accounts:
Fig-9 Another impersonation tactic
Across the internet, there are many ways criminals drive clicks to their scam links, but one theme persists for this campaign: impersonating famous YouTubers.
While this scam only recently got into the news, it has a very long history and is part of a campaign RiskIQ has been observing for years. We know this because the operators behind these scams don’t exactly have the best operational security.
A lot of times, these scammers leave their servers wide open, which helps us get more information about them. For instance, when we visited the index of the domain iPhoneXfree.net, which served the fake rewards page used on subpages in the YouTube impersonation scam, we were presented with the entire server contents. The best part? We see the exact timestamps of when they first started using the server behind this domain, which has had multiple domains pointing to it. Very clearly, we see they began using this server around September 18th, 2017.
But to give a better idea of the size of this scam operation you can look at one of the domains used in the scam pages. The domain bootstraplugin.com is associated with over 300 individual domains for this scam operation and was registered on January 17th of 2016, marking the starting point of the scam campaigns we have detailed in this blog.
The current YouTuber impersonation campaign is just one of the latest tricks they’re using to drive traffic. Over the years, they’ve employed many other tactics as well, claiming countless victims along the way.
During their multi-year campaigns, the criminals impersonated a lot of individuals and brands. The following table is just a small subsection of all the impersonated brands we observed from these threat actors:
The following indicators of compromise are associated with the infrastructure for this scam. We have not mapped every shortlink service and shortlink that were used during the campaign, but we do have the infrastructure behind them which includes the domains they use in their campaigns.
All the IOCs can be found in a public RiskIQ Community project as the list far exceeds our page limit. The project has guest access enabled; there is no need to register on our platform to obtain the information: https://community.riskiq.com/projects/ab0e70dc-c5e9-b973-2c3b-68354c32ed2c
Also, click here to find out how RiskIQ can help your organization detect social media accounts impersonating your brand, executives, and employees.
What’s in a #malvertisement? We found more #magecart and a 186% spike in drive-by delivery https://t.co/rsl9GGiRUZ
.@TechCrunch's @zackwhittaker found that thousands of MoviePass customer card numbers were exposed because a critical server was left unsecured. With @ydklijnsma and RiskIQ data in @passivetotal, he discovered the exposure began all the way back in May https://t.co/blde3p21dU
Can you spot the phish? In tomorrow's PassiveTotal Thursday, we’ll take a real-life #phishing page targeting a popular brand and break it down to show how it differs from the genuine. Register today: https://t.co/EP2q6On5vE #ThreatHunting
We're thrilled to welcome Dean Ćoza, who will lead our product and technology teams as RiskIQ Chief Product Officer. Read more about Dean's appointment here:
Check out the brand new @RiskIQ Threat Hunting course on @CybraryIT
Manage Your Attack Surface Management using the "Mark of the Web"
https://t.co/ZGDBGyecJr #cybersecurity #magecart #course #cybrary