YouTuber impersonation scam not new, say researchers
Scam that tricked users into clicking on phishing links has affected tens of thousands of victims and has been active for several years, say security researchers
Popular YouTuber Philip DeFranco recently warned subscribers of a scam in which he and others were being impersonated to trick people into clicking malicious links – but the scam goes back to 2016, according to researchers at RiskIQ.
DeFranco told subscribers not to click on links contained in messages purporting to come from him or other YouTubers and promising them a gift, according to BBC News. The data uncovered by RiskIQ researchers shows that just over 20,000 DeFranco subscribers were directed to scam sites in a campaign that started on 14 January 2019.
The RiskIQ researchers, who discovered that Magecart was the hacking group behind the British Airways and Ticketmaster breaches in 2018, have subsequently examined web forensics data to find out more about the YouTuber impersonation scam.
Their findings confirm that tens of thousands of YouTube fans were referred to scam sites from seven prominent YouTube channels with millions of subscribers in a multi-year campaign exploiting high-profile brands such as Apple iPhone, Instagram, Twitter and WhatsApp.
“These scams are lucrative for their operators, who monetise their campaigns by racking up referral clicks to online surveys from organisations that provide them with kickbacks,” RiskIQ threat researcher Yonathan Klijnsma wrote in a blog post.
The researchers found that the threat actors behind the scam used a combination of impersonation techniques to make their messages look legitimate and improve the likelihood that users would click their links.
In particular, the scammers abused two systems built into YouTube. The first is the fact that the name displayed on YouTube channels and YouTube accounts can be different from the actual account name. The scammers exploited this to impersonate accounts.
They also exploited the internal messaging system within YouTube by setting up a fake account with an avatar and username matching those of a famous YouTuber and then sending friend requests to potential victims. Once accepted, the scammers could then send victims direct messages containing malicious links.
The links were typically disguised by putting them behind a shortlink service such as Bit.ly or Twitter short links, the researchers found. Once the victim clicked the link, they were taken through a chain of shortlink services until they hit one of the malicious websites set up by the scammers.
One particular scam campaign promised free iPhones and this was reflected in the fake domains used – iPhoneXfree.net and GetiPhoneXhere.com. Following the link presented victims with a page impersonating Apple that took the victim through a “selection process” that required them to provide their name, address, country and email address. The final step was to complete a “human verification” process.
“What happens next is where the criminals make their money – referral links to fake surveys,” said Klijnsma. “Once a visitor clicks ‘verify now’, they are taken to another website on which they have to complete a survey to verify that they are a real user.
“These surveys are what monetise the scam for the criminals. Once the visitors fill out the surveys, the organisations that collect this personal information give the scammers a flat-rate kickback. Even if the kickbacks are tiny, these scammers fool enough users to finance their campaigns and then some.”
As well as the direct messages promoting fake contests, the scammers used a variety of tactics to get their links in front of victims, the researchers found, including promoting albums and videos from fake accounts.
While this scam got into the news only recently, Klijnsma said it has a very long history and is part of a campaign RiskIQ has been observing for years. The domain bootstraplugin.com is associated with more than 300 individual domains for this scam operation and was registered on 17 January 2016, he said, which is believed to mark the starting point of the YouTuber impersonation scam campaign.
“The current YouTuber impersonation campaign is just one of the latest tricks they’re using to drive traffic,” he said. “Over the years, they’ve employed many other tactics as well, claiming countless victims along the way.”
The researchers have mapped the infrastructure behind the scam, including the domains used, and have published indicators of compromise in a public RiskIQ Community project that has guest access enabled.
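The shortlink chaining described above can be checked defensively from web proxy logs. The following is an added example, not code from RiskIQ or the original article: it rebuilds each redirect chain and flags chains that end on the domains named in the article. The log records, the `EXAMPLE` and `LOOP` short paths, `news.example` and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Domains named in the article; shortener hosts are the two services it mentions.
SCAM_DOMAINS = {"iphonexfree.net", "getiphonexhere.com", "bootstraplugin.com"}
SHORTENERS = {"bit.ly", "t.co"}

# Constructed proxy log: (requested URL, HTTP status, Location header or None).
PROXY_LOG = [
    ("https://bit.ly/EXAMPLE1", 301, "https://t.co/EXAMPLE2"),
    ("https://t.co/EXAMPLE2", 301, "https://bit.ly/EXAMPLE3"),
    ("https://bit.ly/EXAMPLE3", 302, "http://iPhoneXfree.net/"),
    ("http://iPhoneXfree.net/", 200, None),
    ("https://bit.ly/EXAMPLE4", 301, "https://news.example/story"),
    ("https://news.example/story", 200, None),
    ("https://t.co/LOOP1", 301, "https://t.co/LOOP2"),
    ("https://t.co/LOOP2", 301, "https://t.co/LOOP1"),
]

def host(url):
    """Lower-cased hostname without a leading 'www.'."""
    h = (urlsplit(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

def resolve_chain(start, log, max_hops=10):
    """Follow logged 3xx redirects from start; stop on a loop or hop limit."""
    redirects = {u: loc for u, status, loc in log if 300 <= status < 400 and loc}
    chain = [start]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # redirect loop: stop rather than spin
            break
        chain.append(nxt)
    return chain

def assess(start, log):
    """Return (verdict, chain) for a link that arrived in a message."""
    chain = resolve_chain(start, log)
    shortener_hops = sum(host(u) in SHORTENERS for u in chain)
    final = host(chain[-1])
    if final in SCAM_DOMAINS or any(final.endswith("." + d) for d in SCAM_DOMAINS):
        return "block", chain
    if shortener_hops >= 2:  # nested shorteners, as the article describes
        return "review", chain
    return "allow", chain
```
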