This Is How YouTube Influencer Scam Artists Operate
A scam striking the followers of YouTube influencers which offers lucky fans free gifts from their favorite stars has been in operation far longer than first thought.
Reports surfaced last week of the fraudulent scheme, in which YouTube influencers including Philip DeFranco, Jeffree Star, and Bhad Bhabie are being impersonated by scam artists seeking to cash in on their fame.
DeFranco mentioned the scam in a YouTube video, warning subscribers that “if you have gotten a message from me or any other creator that looks something like this […] that is not from me, that is not from any of these other creators, that is very likely someone trying to scam you.”
The messages in question, as shown below, feature both the targeted YouTuber’s icon and name, and congratulate the recipient as a “randomly picked” user who has won a “surprise gift.” The user is then asked to click a link which directs them to a fraudulent domain.
[Image: example of the scam message. Credit: RiskIQ]
While the campaign appeared to be fairly new — although low-bar — researchers from RiskIQ believe that the scam could have been in operation since 2016.
On Wednesday, RiskIQ researcher Yonathan Klijnsma published a blog post examining the scam in detail.
The first question one could ask is how the impersonators get away with using a high-profile influencer’s name. The answer lies in how YouTube manages accounts: the name displayed on a channel can be different from the actual account name.
Once an account is set up with a fake name and an identical avatar to the high-profile YouTuber, the individuals behind the scam can then send friend requests en masse to fans. Once accepted, they are able to send direct messages.
As shown in the image below, the fraudster does not have to create any content to appear legitimate, as friend requests do not contain channel snapshots or any information beyond the spoofed YouTuber’s name.
[Images: friend request and message from a spoofed account. Credit: RiskIQ]
“This type of impersonation works very well to get through the only barrier within YouTube for sending messages to other users: befriending users,” Klijnsma says.
To further the apparent legitimacy of the message, the platform also displays the impersonated name under the message.
The fraudsters then lay the bait in the form of a promise of a free gift and provide an external link, often in a shortened (for example, Bit.ly) format.
If a victim clicks the link, they are transported to a malicious website controlled by the scam artist. In one example, a website impersonating Apple, iPhoneXfree.net, promises a free iPhone X to the user — but they must first go through a “selection process.”
The victim’s name, email address, physical address, and country must be submitted before the visitor can claim their ‘gift.’ A fake progress bar pretends to check this information’s validity before proclaiming the victim a winner.
However, there is a catch: just a little more information is needed.
This is how the scam artists are profiting from their YouTube scam. The victim is requested to click a “verify” button which takes them to complete surveys.
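The pattern described above has three observable parts: a display name that matches a well-known creator but comes from a different channel, gift or “winner” wording, and a shortened link hiding the landing page. The following is an added illustration of how a moderation or mail-filter style check could score direct messages on those indicators; it is not code from RiskIQ, YouTube, or the article, and the channel ids, creator list and sample messages are constructed placeholders. It assumes the tool can see the sender’s real channel id alongside the displayed name.

```python
import re
from dataclasses import dataclass

# Constructed allow-list: display name -> the creator's real channel id.
# The ids are placeholders for this example, not the creators' real ids.
VERIFIED_CREATORS = {
    "Philip DeFranco": "UC_PLACEHOLDER_DEFRANCO",
    "Jeffree Star": "UC_PLACEHOLDER_JSTAR",
}

# Link shorteners the article notes are used to hide the landing page.
SHORTENER_DOMAINS = {"bit.ly", "bitly.com"}

# Wording taken from the scam messages the article describes.
BAIT_PHRASES = ("randomly picked", "surprise gift", "free iphone", "you won")

URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Message:
    display_name: str   # name shown to the recipient (spoofable)
    channel_id: str     # account identity behind the message (not spoofable)
    text: str


def score_message(msg: Message) -> list:
    """Return the indicators that fire for one DM, in a fixed order."""
    hits = []
    real_id = VERIFIED_CREATORS.get(msg.display_name)
    # A known creator's name on an account that is not that creator's channel.
    if real_id is not None and msg.channel_id != real_id:
        hits.append("display-name-spoof")
    lowered = msg.text.lower()
    if any(phrase in lowered for phrase in BAIT_PHRASES):
        hits.append("gift-bait")
    if any(host.lower() in SHORTENER_DOMAINS for host in URL_RE.findall(msg.text)):
        hits.append("shortened-link")
    return hits


def is_likely_scam(msg: Message) -> bool:
    """Two or more indicators together match the impersonation pattern."""
    return len(score_message(msg)) >= 2


# Constructed sample traffic: one spoofed DM, one genuine creator update.
SAMPLES = [
    Message("Philip DeFranco", "UC_OTHER_123",
            "Congrats! You were randomly picked for a surprise gift: https://bit.ly/abc123"),
    Message("Philip DeFranco", "UC_PLACEHOLDER_DEFRANCO",
            "New video is up, thanks for watching: https://youtube.com/watch?v=placeholder"),
]
```

A genuine creator message that merely mentions a giveaway fires one indicator at most, which is why the decision requires two.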
“These scams are lucrative for their operators, who monetize their campaigns by racking up referral clicks to online surveys from organizations that provide them with kickbacks,” Klijnsma noted. “For criminals, the bar is incredibly low to begin this type of scam; they have their pick of the top accounts on YouTube and can impersonate these content creators en masse.”
Other scams uncovered by the researcher offer free gift cards, and some may redirect users to different fraudulent websites depending on their location. RiskIQ says that in all cases, however, survey submission is the goal.
Unfortunately, many YouTube influencer fans appear to have fallen for the scheme — at least until the point of visiting a fake website. Klijnsma tracked a selection of Bit.ly links sent fraudulently to fans and how often they were visited, and even though the information below is only from a small fraction of the campaign and only relates to a handful of those impersonated, the links were clicked thousands of times.
Alongside direct messages, the scammers have also used fake accounts to promote albums and videos in order to entice would-be victims to click these malicious links.
RiskIQ says that, far from being a new scam, the fraudsters have actually been operating a wider campaign for a number of years. A lack of security on the threat group’s own infrastructure has often allowed the researchers to browse its servers and find information on its activities.
Other brands which have been impersonated include Instagram, Nintendo, Snapchat, Twitter, Fortnite, Kylie Jenner, and Nike, among many others.
“For instance, when we visited the index of the domain iPhoneXfree.net, which served the fake rewards page used on subpages in the YouTube impersonation scam, we were presented with the entire server contents,” Klijnsma explained. “The best part? We see the exact timestamps of when they first started using the server behind this domain, which has had multiple domains pointing to it. Very clearly, we see they began using this server around 18 September 2017.”
Another domain connected to the scam, bootstraplugin.com, is associated with a further 300 malicious domains. This domain was registered on 17 January 2016, which the researchers have marked as the earliest indicator currently available of the wider scam campaign being initiated.
“The current YouTuber impersonation campaign is just one of the latest tricks they’re using to drive traffic. Over the years, they’ve employed many other tactics as well, claiming countless victims along the way,” Klijnsma says.
When originally alerted to the scam, YouTube said:
“We’re in the process of implementing additional measures to prevent impersonation like this. In the meantime, your subs can protect themselves by blocking any account that is spamming them.”