Recently, a new scam hit YouTube subscribers: they received messages purporting to be from famous YouTube personalities, asking them to click a link to claim a prize. Covered by the BBC, The Verge, and many more, the scam first made the news when YouTuber Philip DeFranco put out a video warning his subscribers about it. However, RiskIQ’s data shows that the campaign behind it has been running much longer, with infrastructure going back to 2016.

These scams are lucrative for their operators, who monetize them by driving referral clicks to online surveys run by organizations that pay them a kickback. What follows are further insights gathered from RiskIQ’s web forensics data.

The Scam Rundown

So how did this scam work? The threat actors combined clever impersonation, which lent their messages legitimacy and made users more likely to click, with the abuse of two features built into YouTube:

  • Display name versus account name: The name displayed on YouTube channels and YouTube accounts can be different from the actual account name, which threat actors exploit to impersonate accounts.
  • Internal messaging system: Within YouTube, users can send friend requests to anyone on the platform. Once accepted, they can send that person direct messages.

Step 1: Impersonation & befriending

The first step is setting up a new YouTube account and giving it a display name and avatar identical to those of a famous YouTuber. In this example, we’ll show the impersonation of wildly popular YouTuber James Charles. On the left you can see the official account for James Charles and on the right is the fake impersonator:

Fig-1 Real and impersonating James Charles accounts side by side

Although the difference between the real and impostor accounts is obvious above, friend requests within YouTube show little more than the name and avatar image, both of which, as mentioned, can be faked.

Fig-2 Friend requests appear genuine

A convincing name and avatar is all it takes to clear the only barrier YouTube puts in front of direct messaging: getting the friend request accepted.
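
A platform-side or brand-protection check for exactly this abuse, added here as an illustration and not RiskIQ’s or YouTube’s code: it normalizes a display name and flags any request that carries a protected creator’s name under a channel ID other than the verified one. The channel IDs and the verified-creator table are constructed. The normalization goes one step beyond the page by also catching names padded with invisible characters or written in fullwidth letters; cross-script homoglyphs (a Cyrillic а for a Latin a) would still need a confusables table.

```python
"""Flag friend requests or messages that carry a well-known creator's
display name under the wrong channel ID.

Added example, not RiskIQ's or YouTube's code. The channel IDs and the
verified-creator table are constructed for illustration.
"""
import unicodedata

# Constructed allow-list: normalized display name -> the one channel ID
# entitled to it (a real deployment would source this from verified-
# account data, not a hand-written dict).
VERIFIED_CREATORS = {
    "james charles": "UC-hypothetical-james-charles",
    "philip defranco": "UC-hypothetical-philip-defranco",
}

# Invisible code points scammers pad names with so they look identical
# to the eye but differ byte-for-byte: zero-width space/joiners, word
# joiner and BOM.
_INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff"), None)


def normalize_name(name: str) -> str:
    """Reduce a display name to a comparison key.

    NFKC folds compatibility forms (fullwidth letters, ligatures),
    casefold removes case, invisible characters are dropped and runs of
    whitespace collapsed, so "Ｊａｍｅｓ  Charles" keys to "james charles".
    Cross-script homoglyphs (Cyrillic а for Latin a) are NOT handled;
    that needs a confusables table.
    """
    folded = unicodedata.normalize("NFKC", name).translate(_INVISIBLE).casefold()
    return " ".join(folded.split())


def classify_request(display_name: str, channel_id: str) -> str:
    """Return 'verified', 'impersonation' or 'unknown'.

    'unknown' means the name is not one we protect; 'impersonation' means
    a protected name is used by a channel other than the verified one.
    """
    expected = VERIFIED_CREATORS.get(normalize_name(display_name))
    if expected is None:
        return "unknown"
    return "verified" if channel_id == expected else "impersonation"


if __name__ == "__main__":
    # Constructed sample requests: (display name, channel ID)
    samples = [
        ("James Charles", "UC-hypothetical-james-charles"),
        ("James Charles", "UC-random-000001"),
        ("Ｊａｍｅｓ\u200b Charles", "UC-random-000002"),
        ("Some Viewer", "UC-random-000003"),
    ]
    for name, cid in samples:
        print(f"{name!r:32} {cid:34} -> {classify_request(name, cid)}")
```

The point of keying on the channel ID rather than on the name is that the name is the one thing the attacker controls completely; the ID is the only stable identity YouTube exposes in the request.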

Step 2: Sending the message

The next step is sending messages while posing as the famous YouTuber. The message in this case mentions a contest in which James Charles is “randomly selecting” a subscriber to receive a surprise gift, and it ends with the link the threat actors hope the user clicks.

Here’s the message users were supposedly receiving from the James Charles impersonators:

Fig-3 Scammer message

Notice how YouTube’s messaging system also shows the sender’s name below the message, in this case the impersonated display name, which further enhances the credibility of the scam.

The most remarkable aspect of this scam, and the one that has drawn the most media attention, is the scale at which it happens. The bar for criminals to start this type of scam is incredibly low: they can pick any of the top accounts on YouTube and impersonate these content creators en masse:

Fig-4 Multiple YouTube personalities were targeted

The link the victim clicks is either a direct link to the scam website or, at times, hidden behind a shortlink service such as Bit.ly or Twitter’s t.co.

Step 3: The promise of a gift

Once the user clicks the link, they are bounced through a chain of shortlink services until they land on one of the websites set up by the scammers. This particular campaign offers free iPhones, so the domains follow that theme, e.g., iPhoneXfree.net and GetiPhoneXhere.com, and the landing page impersonates Apple:
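
One way to unwrap such a chain safely, added here as an example rather than RiskIQ’s tooling: issue one request per hop with auto-redirects disabled, read the Location header, and stop on a loop or a hop limit. The fetch function is injected so the block runs offline against a constructed hop table (the bit.ly and t.co hashes and the .test domains are made up). A real fetch would do an HTTP HEAD or GET with redirects off, ideally from a sandboxed egress, since scam landers often geofence or fingerprint visitors.

```python
"""Unwrap a shortlink redirect chain hop by hop, without a browser.

Added example, not RiskIQ's tooling. `fetch` is injected so the block
runs offline against a constructed hop table; the bit.ly/t.co hashes and
the .test domains below are made up and not real campaign links.
"""
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed hop table: URL -> (HTTP status, Location header or None).
# Same shape as the page describes: shortener -> shortener -> scam host.
FAKE_HOPS = {
    "https://bit.ly/2AAAAAA": (301, "https://t.co/bbbbbbb"),
    "https://t.co/bbbbbbb": (301, "http://trk.example.test/go?id=7"),
    "http://trk.example.test/go?id=7": (302, "/claim"),      # relative Location
    "http://trk.example.test/claim": (200, None),            # landing page
    "https://bit.ly/loopA": (301, "https://bit.ly/loopB"),  # a loop, to show
    "https://bit.ly/loopB": (301, "https://bit.ly/loopA"),  # why we cap hops
}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD/GET issued with auto-redirects OFF."""
    return FAKE_HOPS.get(url, (404, None))


def unwrap_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Follow Location headers manually.

    Returns (hops, final_url, reason) where hops is every URL touched in
    order and reason is 'landed', 'loop', 'dead' or 'max_hops'. A real
    `fetch` should run from a sandboxed egress: scam landers often
    geofence or fingerprint, so the chain you see depends on who asks.
    """
    hops, seen, url = [start_url], {start_url}, start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)   # Location may be relative
            if url in seen:
                return hops, url, "loop"
            seen.add(url)
            hops.append(url)
        elif status == 200:
            return hops, url, "landed"
        else:
            return hops, url, "dead"
    return hops, url, "max_hops"


def chain_hosts(hops):
    """Distinct hostnames in order of appearance, for IOC extraction."""
    hosts = []
    for h in hops:
        host = urlsplit(h).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for start in ("https://bit.ly/2AAAAAA", "https://bit.ly/loopA", "https://bit.ly/gone"):
        hops, final, reason = unwrap_chain(start)
        print(f"{start} -> {final} [{reason}] via {chain_hosts(hops)}")
```

Every hostname in the chain is an indicator worth keeping, not just the final one: the shorteners are shared infrastructure, but the intermediate tracking hosts are usually the operator’s own and persist across campaigns.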

Fig-5 Example of a fake prize

Clicking “Get it Now” takes the visitor through a “selection process” that requires the visitor to provide their name, address, country, and email address. After a fake progress bar “checks” this information, the victim is presented with a message that they were selected as a winner. They only have to verify a bit more information:

Fig-6 What ‘winners’ see next

What happens next is where the criminals make their money: referral links to fake surveys. Once a visitor clicks “verify now” they are taken to another website on which they have to complete a survey to verify that they are a real user:

Fig-7 This is where scammers make their money

Another variant of this campaign promises free gift cards instead of iPhones:

Fig-8 A scam variant

iPhones and gift cards are just two of the themes these campaigns use, and the criminals may swap in different survey destinations, sometimes depending on the visitor’s geolocation or on which organization they have partnered with. All variants, however, end on survey sites where the user is promised a prize in exchange for personal information.

These surveys are what monetize the scam. Once visitors fill them out, the organizations collecting the personal information pay the scammers a flat-rate kickback. Even if each kickback is tiny, the scammers fool enough users to finance their campaigns and then some.

To give an idea of how many visitors click the scam links, consider these click counts published by the Bitly shortlink service. Note that this is neither every account impersonated nor every link the scammers used; the table covers only a fraction of the campaign.

YouTuber             Bitly link          Active since          Visits
The ACE Family       bit[.]ly/2FyE8Zd    January 13th, 2019     10.6K
Jeffreestar          bit[.]ly/2suz28x    January 17th, 2019      4.5K
ASMR Darling         bit[.]ly/2sEq9t3    January 20th, 2019      5.2K
Tati                 bit[.]ly/2RBRYkj    January 18th, 2019      4.2K
MindofRez            bit[.]ly/2ST1hss    December 18th, 2018       900
Through Ryan’s Eyes  bit[.]ly/2EIFsOb    December 14th, 2018    25.7K
Philip DeFranco      bit[.]ly/2FuSXff    January 14th, 2019     20.7K

More than Direct Messages

While the direct messages promoting fake contests got the attention of news outlets, the scammers used a variety of tactics to get their links in front of victims, including promoting albums and videos from fake accounts:

Fig-9 Another impersonation tactic

Across the internet, there are many ways criminals drive clicks to their scam links, but one theme persists for this campaign: impersonating famous YouTubers.

History and Infrastructure

While this scam only recently made the news, it has a long history and is part of a campaign RiskIQ has been tracking for years. We know this because the operators do not exactly practice good operational security.

These scammers often leave their servers wide open, which tells us more about them. For instance, when we requested the root of iPhoneXfree.net, which served the fake rewards page used on subpages of the YouTube impersonation scam, the web server returned a directory listing of its entire document root. The best part is that the listing includes the last-modified timestamp of every file, which tells us when they first started using the server behind this domain (a server that has had multiple domains pointing to it). Very clearly, they began using it around September 18th, 2017.
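
A small parser for pulling that evidence out of an exposed listing, added here and not RiskIQ’s code. The listing it parses is constructed in the default layout of Apache’s autoindex module; the file names and dates are illustrative, not the real server’s.

```python
"""Pull file names and modification timestamps out of an exposed
'Index of /' directory listing and report the oldest entry.

Added example, not RiskIQ's tooling. The listing below is constructed in
Apache autoindex's default layout; names and dates are illustrative and
not taken from the real server.
"""
import re
from datetime import datetime

SAMPLE_LISTING = """\
<html><head><title>Index of /</title></head><body>
<h1>Index of /</h1>
<pre><a href="?C=N;O=D">Name</a>  <a href="?C=M;O=A">Last modified</a>  <a href="?C=S;O=A">Size</a><hr>
<a href="/">Parent Directory</a>                             -
<a href="css/">css/</a>                    2017-09-18 14:02    -
<a href="index.php">index.php</a>          2018-11-30 09:15  4.1K
<a href="verify.php">verify.php</a>        2017-09-18 14:05  2.3K
<a href="img/">img/</a>                    2019-01-14 21:48    -
<hr></pre>
</body></html>
"""

# One anchor followed by "YYYY-MM-DD HH:MM". The column-sort links in the
# header and the Parent Directory row carry no timestamp and never match.
_ROW = re.compile(
    r'<a href="(?P<href>[^"]+)">[^<]*</a>\s+'
    r'(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})'
)


def parse_listing(html):
    """Return [(name, datetime)] for every file/directory row with a timestamp."""
    rows = []
    for m in _ROW.finditer(html):
        href = m.group("href")
        if href.startswith("?") or href == "/":
            continue                      # sort links / parent dir, just in case
        rows.append((href, datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M")))
    return rows


def earliest_activity(html):
    """(name, datetime) of the oldest entry, or None if the page has no rows.

    This is a lower bound on when the operator first populated this
    document root, not an exact first-use date.
    """
    rows = parse_listing(html)
    return min(rows, key=lambda r: r[1]) if rows else None


if __name__ == "__main__":
    for name, ts in parse_listing(SAMPLE_LISTING):
        print(f"{ts:%Y-%m-%d %H:%M}  {name}")
    print("earliest:", earliest_activity(SAMPLE_LISTING))
```

Treat the oldest mtime as a floor rather than a precise date: re-uploads and deployment tooling rewrite timestamps, the server clock may be wrong, and the listing exists only while autoindex is left enabled, so capture it when you see it.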

For a better idea of the size of the operation, look at one of the domains used on the scam pages. bootstraplugin.com is associated with over 300 individual domains from this scam operation and was registered on January 17th, 2016, which marks the starting point of the campaigns detailed in this blog.

The current YouTuber impersonation campaign is just one of the latest tricks they’re using to drive traffic. Over the years, they’ve employed many other tactics as well, claiming countless victims along the way.

Brand Impersonation

During their multi-year campaigns, the criminals impersonated many individuals and brands. The following table is a small subset of the impersonated brands we observed from these threat actors:

Brand                                   Example domains
Apple iPhone                            claimiphonex.win, freeiphone247.com
Gift cards (Xbox, Steam, iTunes, etc.)  giftcard-giveaway.club, giftcardgenerator.xyz
Grand Theft Auto 5                      gta5livecash.com, gtamoneyhacker.com
Instagram                               igfollowers.org, instagramfreefollowers.com
Madden 18                               madden18tips.tk, maddencoinsfree.com
Musical.ly                              musically-followers.co, musicallypromo.com
Nintendo                                nintendooffer.com, nintendoserver.club
PlayStation                             psnetworkcodesgenerator.xyz, psnfreecodes.info
Snapchat                                snapchack.com, snapfollows.site, snappeek.pro
Twitter                                 twittapps.com, twitterhack.top
Fortnite V-Bucks                        vbucksgen.club, v-bucksfree.us
WhatsApp                                whatsapp-spy.com, whatzspyapp.com
Sarahah Reveals                         sarahah-reveals.com, sarahahreveals.website
Clash Royale                            royalegenerator.net, royalegems.top
Kylie Jenner                            newkyliegift.club, kyliecosmetics.host
Samsung Galaxy                          galaxys8giveaway.com, galaxy6sgiveaway.co
FIFA 19                                 fifa19cheat.us, fifa19hacks.online
Nike                                    airjordangiveaways.com, freeairjordans.com
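
A keyword scorer for the lure pattern the table shows, added here as an example and not RiskIQ’s classifier. The brand and lure keyword lists and the cheap-TLD set are assumptions drawn from the rows above; it is a triage heuristic for newly observed domains, not a verdict, and it runs over the page’s own example domains plus a few benign names for contrast.

```python
"""Score domain names for this operator's lure pattern: a brand term
glued to a free/giveaway/generator/hack term, often on a cheap TLD.

Added example, not RiskIQ's classifier. The keyword lists and the
cheap-TLD set are assumptions drawn from the brand table above; this is a
triage heuristic for newly observed domains, not a verdict.
"""
import re

# Brand fragments seen in the table (assumed list, substring-matched).
BRANDS = (
    "iphone", "giftcard", "gta", "instagram", "madden", "musically",
    "nintendo", "psn", "playstation", "snap", "twitt", "vbucks",
    "whatsapp", "sarahah", "royale", "kylie", "galaxy", "fifa", "airjordan",
)
# Lure fragments: the promise (free stuff, codes, hacks, followers, spying).
LURES = (
    "free", "giveaway", "generator", "gen", "hack", "cheat", "codes",
    "followers", "spy", "tips", "promo", "offer", "gift", "claim", "cash",
    "coins", "gems", "reveal",
)
# TLDs that were cheap or free to register and recur in the table
# (assumed set; adjust to your own telemetry).
CHEAP_TLDS = {"win", "club", "xyz", "tk", "top", "host", "site", "pro", "online"}


def split_domain(domain):
    """('label', 'tld') with the label lowercased and stripped of hyphens
    and digits, so 'v-bucksfree.us' and 'galaxys8giveaway.com' match the
    same keywords as their hyphen-free, digit-free cousins. Only the
    label directly under the TLD is kept (no public-suffix list, so
    'co.uk'-style suffixes are an accepted limitation).
    """
    domain = domain.lower().strip(".")
    rest, _, tld = domain.rpartition(".")
    label = rest.rsplit(".", 1)[-1]
    return re.sub(r"[-\d]", "", label), tld


def score_domain(domain):
    """Return a dict with score (0-3), verdict and the reasons that fired.

    brand + lure together is the campaign's signature -> 'likely_scam';
    any other two signals -> 'review'; otherwise 'benign'. Look-alikes
    that carry no lure word (e.g. twittapps.com) score low here by
    design; catching those is an edit-distance/typosquat check, not this.
    """
    label, tld = split_domain(domain)
    brand = next((b for b in BRANDS if b in label), None)
    lures = [l for l in LURES if l in label]
    reasons, score = [], 0
    if brand:
        score += 1
        reasons.append(f"brand:{brand}")
    if lures:
        score += 1
        reasons.append("lure:" + ",".join(lures))
    if tld in CHEAP_TLDS:
        score += 1
        reasons.append(f"tld:.{tld}")
    if brand and lures:
        verdict = "likely_scam"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "benign"
    return {"domain": domain, "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    # The page's own example domains plus a few benign names for contrast.
    for d in ("iPhoneXfree.net", "giftcardgenerator.xyz", "v-bucksfree.us",
              "galaxys8giveaway.com", "kyliecosmetics.host", "twittapps.com",
              "example.com", "freelancer.com"):
        r = score_domain(d)
        print(f"{d:24} {r['score']}  {r['verdict']:12} {' '.join(r['reasons'])}")
```

Substring matching is deliberately crude: it is cheap enough to run over a daily feed of newly registered domains or passive DNS, and the reasons list tells an analyst which signal fired so false positives such as freelancer.com (lure only, score 1) are quick to dismiss.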


Indicators of Compromise

The following indicators of compromise are associated with the infrastructure for this scam. We have not mapped every shortlink service and shortlink used during the campaign, but we do have the infrastructure behind them, which includes the domains used in the campaigns.

All the IOCs can be found in a public RiskIQ Community project as the list far exceeds our page limit. The project has guest access enabled; there is no need to register on our platform to obtain the information: https://community.riskiq.com/projects/ab0e70dc-c5e9-b973-2c3b-68354c32ed2c

Also, click here to find out how RiskIQ can help your organization detect social media accounts impersonating your brand, executives, and employees.
