YouTube Impersonation Scams Offering Fake Rewards are Running Wild

Recently, a brand new scam hit YouTube subscribers in which they received messages purporting to be from famous YouTube personalities asking them to click on a link to claim a prize. Covered by the BBC, The Verge, and many more, the scam initially hit the news when famous YouTuber Philip DeFranco put out a new video that included a message warning his subscribers of the scam. However, RiskIQ’s data shows that this scam has been going on a lot longer, going all the way back to 2016.

These scams are lucrative for their operators, who monetize their campaigns by racking up referral clicks to online surveys from organizations that provide them with kickbacks. The following are other unique insights we gathered from RiskIQ’s web forensics data.

The Scam Rundown

So how did this scam work? These threat actors leveraged a combination of clever impersonation techniques, which boosted the legitimacy of their messages and improved the likelihood that users would click their links, and the abuse of these two systems built into YouTube:

• Display name versus account name: The name displayed on YouTube channels and YouTube accounts can be different from the actual account name, which threat actors exploit to impersonate accounts.
• Internal messaging system: Within YouTube, users can send friend requests to anyone on the platform. Once accepted, they can send that person direct messages.

Step 1: Impersonation & befriending

The first step is setting up a new YouTube account and making the displayed avatar and username identical to that of a famous YouTuber. In this example, we’ll show the impersonation of wildly popular YouTuber James Charles. On the left you can see the official account for James Charles and on the right is the fake impersonator:

Fig-1 Real and impersonating James Charles accounts side by side

Although you can see an obvious difference between the real and imposter accounts above, friend requests within YouTube contain very little information besides the name and avatar image, which as we mentioned above, can be faked.

Fig-2 Friend requests appear genuine

This type of impersonation works very well to get through the only barrier within YouTube for sending messages to other users: befriending users.

Step 2: Sending the message

The next step in the scam is sending messages posing as the famous YouTuber. The message in this scam mentions a contest in which James Charles is “randomly selecting” a subscriber to give out a surprise gift. The message ends with a link which the threat actors hope the user clicks.

Here’s the message users were supposedly receiving from the James Charles impersonators:

Fig-3 Scammer message

Notice how YouTube’s messaging system also displays the username—in this case, the impersonated name—below the message, further enhancing the credibility of the scam.

The most remarkable aspect of this scam and the aspect that has garnered the most attention by the media is the scale with which this is happening. For criminals, the bar is incredibly low to begin this type of scam. They have their pick of the top accounts on YouTube and can impersonate these content creators en masse:

Fig-4 Multiple YouTube personalities were targeted

The links that the victim click comes in the form of a direct link to the scam website, at times put behind a shortlink service like Bit.ly or Twitter short links.

Step 3: The promise of a gift

Once the user clicks the link, they are taken through a chain of shortlink services until they hit one of the malicious websites set up by the scammers. This particular scam campaign talks about giving away free iPhones, so the domains reflect that theme, e.g., iPhoneXfree.net and GetiPhoneXhere.com. Following the link, victims are presented with a page impersonating Apple:

Fig-5 Example of a fake prize

Clicking “Get it Now” takes the visitor through a “selection process” that requires the visitor to provide their name, address, country, and email address. After a fake progress bar “checks” this information, the victim is presented with a message that they were selected as a winner. They only have to verify a bit more information:

Fig-6 What ‘winners’ see next

What happens next is where the criminals make their money: referral links to fake surveys. Once a visitor clicks “verify now” they are taken to another website on which they have to complete a survey to verify that they are a real user:

Fig-7 This is where scammers make their money

Another variant of this campaign promises free gift cards instead of iPhones:

Fig-8 A scam variant

iPhones and gift cards are just two themes propagated by these scam campaigns, and the criminals might change the scam to redirect users to different scam surveys sometimes depending on geolocation or the organization they partnered with. However, all the scams lead to survey sites on which a user is promised a prize if they provide their personal information.

These surveys are what monetize the scam for the criminals. Once the visitors fill out the surveys, the organizations that collect this personal information give the scammers a flat-rate kick-back. Even if the kick-backs are tiny, these scammers fool enough users to finance their campaigns and then some.

To give an idea of the volume of visitors clicking on scam links, consider these statistics from the Bitly shortlink service. Please note that these are not all the accounts that were impersonated nor are these all the links the scammers used. Below is only a fraction of the entire campaign.

More than Direct Messages

While the direct messages promoting fake contests got the attention of news outlets, the scammers used a variety of tactics to get their links in front of victims, also promoting albums and videos from fake accounts:

Fig-9 Another impersonation tactic

Across the internet, there are many ways criminals drive clicks to their scam links, but one theme persists for this campaign: impersonating famous YouTubers.

History and Infrastructure

While this scam only recently got into the news, it has a very long history and is part of a campaign RiskIQ has been observing for years. We know this because the operators behind these scams don’t exactly have the best operational security.

A lot of times, these scammers leave their servers wide open, which helps us get more information about them. For instance, when we visited the index of the domain iPhoneXfree.net, which served the fake rewards page used on subpages in the YouTube impersonation scam, we were presented with the entire server contents. The best part? We see the exact timestamps of when they first started using the server behind this domain, which has had multiple domains pointing to it. Very clearly, we see they began using this server around September 18th, 2017.

But to give a better idea of the size of this scam operation you can look at one of the domains used in the scam pages. The domain bootstraplugin.com is associated with over 300 individual domains for this scam operation and was registered on January 17th of 2016, marking the starting point of the scam campaigns we have detailed in this blog.

The current YouTuber impersonation campaign is just one of the latest tricks they’re using to drive traffic. Over the years, they’ve employed many other tactics as well, claiming countless victims along the way.

Brand Impersonation

During their multi-year campaigns, the criminals impersonated a lot of individuals and brands. The following table is just a small subsection of all the impersonated brands we observed from these actors:

Indicators of Compromise

The following indicators of compromise are associated with the infrastructure for this scam. We have not mapped every shortlink service and shortlink that were used during the campaign, but we do have the infrastructure behind them which includes the domains they use in their campaigns.

All the IOCs can be found in a public RiskIQ Community project as the list far exceeds our page limit. The project has guest access enabled; there is no need to register on our platform to obtain the information: https://community.riskiq.com/projects/ab0e70dc-c5e9-b973-2c3b-68354c32ed2c

Also, click here to find out how RiskIQ can help your organization detect social media accounts impersonating your brand, executives, and employees.