Recently, a brand new scam hit YouTube subscribers in which they received messages purporting to be from famous YouTube personalities asking them to click on a link to claim a prize. Covered by the BBC, The Verge, and many more, the scam initially hit the news when famous YouTuber Philip DeFranco put out a new video that included a message warning his subscribers of the scam. However, RiskIQ’s data shows that this scam has been going on a lot longer, going all the way back to 2016.

These scams are lucrative for their operators, who monetize their campaigns by racking up referral clicks to online surveys from organizations that provide them with kickbacks. The following are other unique insights we gathered from RiskIQ’s web forensics data.

The Scam Rundown

So how did this scam work? These threat actors leveraged a combination of clever impersonation techniques, which boosted the legitimacy of their messages and improved the likelihood that users would click their links, and the abuse of these two systems built into YouTube:

• Display name versus account name: The name displayed on YouTube channels and YouTube accounts can be different from the actual account name, which threat actors exploit to impersonate accounts.
• Internal messaging system: Within YouTube, users can send friend requests to anyone on the platform. Once accepted, they can send that person direct messages.

Step 1: Impersonation & befriending

The first step is setting up a new YouTube account and making the displayed avatar and username identical to that of a famous YouTuber. In this example, we’ll show the impersonation of wildly popular YouTuber James Charles. On the left you can see the official account for James Charles and on the right is the fake impersonator:

Although you can see an obvious difference between the real and imposter accounts above, friend requests within YouTube contain very little information besides the name and avatar image, which as we mentioned above, can be faked.

This type of impersonation works very well to get through the only barrier within YouTube for sending messages to other users: befriending users.

Step 2: Sending the message

The next step in the scam is sending messages posing as the famous YouTuber. The message in this scam mentions a contest in which James Charles is “randomly selecting” a subscriber to give out a surprise gift. The message ends with a link which the threat actors hope the user clicks.

Here’s the message users were supposedly receiving from the James Charles impersonators:

Notice how YouTube’s messaging system also displays the username—in this case, the impersonated name—below the message, further enhancing the credibility of the scam.

The most remarkable aspect of this scam and the aspect that has garnered the most attention by the media is the scale with which this is happening. For criminals, the bar is incredibly low to begin this type of scam. They have their pick of the top accounts on YouTube and can impersonate these content creators en masse:

The links that the victim click comes in the form of a direct link to the scam website, at times put behind a shortlink service like Bit.ly or Twitter short links.

Step 3: The promise of a gift

Once the user clicks the link, they are taken through a chain of shortlink services until they hit one of the malicious websites set up by the scammers. This particular scam campaign talks about giving away free iPhones, so the domains reflect that theme, e.g., iPhoneXfree.net and GetiPhoneXhere.com. Following the link, victims are presented with a page impersonating Apple:

Clicking “Get it Now” takes the visitor through a “selection process” that requires the visitor to provide their name, address, country, and email address. After a fake progress bar “checks” this information, the victim is presented with a message that they were selected as a winner. They only have to verify a bit more information:

What happens next is where the criminals make their money: referral links to fake surveys. Once a visitor clicks “verify now” they are taken to another website on which they have to complete a survey to verify that they are a real user:

Another variant of this campaign promises free gift cards instead of iPhones:

iPhones and gift cards are just two themes propagated by these scam campaigns, and the criminals might change the scam to redirect users to different scam surveys sometimes depending on geolocation or the organization they partnered with. However, all the scams lead to survey sites on which a user is promised a prize if they provide their personal information.

These surveys are what monetize the scam for the criminals. Once the visitors fill out the surveys, the organizations that collect this personal information give the scammers a flat-rate kick-back. Even if the kick-backs are tiny, these scammers fool enough users to finance their campaigns and then some.

To give an idea of the volume of visitors clicking on scam links, consider these statistics from the Bitly shortlink service. Please note that these are not all the accounts that were impersonated nor are these all the links the scammers used. Below is only a fraction of the entire campaign.

YouTuber	Bitly link	Active since	Visits
The ACE Family	bit[.]ly/2FyE8Zd	January 13th, 2019	10.6K
Jeffreestar	bit[.]ly/2suz28x	January 17th, 2019	4.5K
ASMR Darling	bit[.]ly/2sEq9t3	January 20th, 2019	5.2K
Tati	bit[.]ly/2RBRYkj	January 18th, 2019	4.2K
MindofRez	bit[.]ly/2ST1hss	December 18th, 2018	900
Through Ryan’s Eyes	bit[.]ly/2EIFsOb	December 14th, 2018	25.7K
Philip DeFranco	bit[.]ly/2FuSXff	January 14th, 2019	20.7K

 

More than Direct Messages

While the direct messages promoting fake contests got the attention of news outlets, the scammers used a variety of tactics to get their links in front of victims, also promoting albums and videos from fake accounts:

Across the internet, there are many ways criminals drive clicks to their scam links, but one theme persists for this campaign: impersonating famous YouTubers.

History and Infrastructure

While this scam only recently got into the news, it has a very long history and is part of a campaign RiskIQ has been observing for years. We know this because the operators behind these scams don’t exactly have the best operational security.

A lot of times, these scammers leave their servers wide open, which helps us get more information about them. For instance, when we visited the index of the domain iPhoneXfree.net, which served the fake rewards page used on subpages in the YouTube impersonation scam, we were presented with the entire server contents. The best part? We see the exact timestamps of when they first started using the server behind this domain, which has had multiple domains pointing to it. Very clearly, we see they began using this server around September 18th, 2017.

But to give a better idea of the size of this scam operation you can look at one of the domains used in the scam pages. The domain bootstraplugin.com is associated with over 300 individual domains for this scam operation and was registered on January 17th of 2016, marking the starting point of the scam campaigns we have detailed in this blog.

The current YouTuber impersonation campaign is just one of the latest tricks they’re using to drive traffic. Over the years, they’ve employed many other tactics as well, claiming countless victims along the way.

Brand Impersonation

During their multi-year campaigns, the criminals impersonated a lot of individuals and brands. The following table is just a small subsection of all the impersonated brands we observed from these threat actors:

Brand	Example domains
Apple iPhone	Claimiphonex.win  freeiphone247.com
Giftcards (Xbox, Steam, iTunes, etc.)	giftcard-giveaway.club  giftcardgenerator.xyz
Grand Theft Auto 5	gta5livecash.com  gtamoneyhacker.com
Instagram	igfollowers.org instagramfreefollowers.com
Madden 2018	madden18tips.tk maddencoinsfree.com
Musically	musically-followers.co  musicallypromo.com
Nintendo	nintendooffer.com  nintendoserver.club
Playstation	psnetworkcodesgenerator.xyz psnfreecodes.info
Snapchat	snapchack.com snapfollows.site snappeek.pro
Twitter	twittapps.com twitterhack.top
Fortnite V-Bucks	vbucksgen.club v-bucksfree.us
WhatsApp	whatsapp-spy.com whatzspyapp.com
Sarah Reveals	sarahah-reveals.com sarahahreveals.website
Clash Royale	royalegenerator.net royalegems.top
Kylie Jenner	newkyliegift.club kyliecosmetics.host
Samsung Galaxy	galaxys8giveaway.com galaxy6sgiveaway.co
Fifa 2019	fifa19cheat.us  fifa19hacks.online
Nike	airjordangiveaways.com freeairjordans.com

 

Indicators of Compromise

The following indicators of compromise are associated with the infrastructure for this scam. We have not mapped every shortlink service and shortlink that were used during the campaign, but we do have the infrastructure behind them which includes the domains they use in their campaigns.

All the IOCs can be found in a public RiskIQ Community project as the list far exceeds our page limit. The project has guest access enabled; there is no need to register on our platform to obtain the information: https://community.riskiq.com/projects/ab0e70dc-c5e9-b973-2c3b-68354c32ed2c

Also, click here to find out how RiskIQ can help your organization detect social media accounts impersonating your brand, executives, and employees.