A campaign imitating several YouTube celebrities in order to trick people into divulging personal details has already claimed over 70,000 victims.
According to a new report by RiskIQ, the con has been running since 2016 and sees YouTube subscribers targeted with messages purporting to be from popular YouTube personalities asking them to click on a link to claim a prize.
Security researchers said the scams are lucrative for their operators, who monetise their campaigns by racking up referral clicks to online surveys from organisations that provide them with kickbacks.
The criminals used a combination of clever impersonation techniques which boosted the legitimacy of their messages and improved the likelihood that users would click their links.
The scam also abused two systems built into YouTube. First, the name displayed on YouTube channels and accounts can differ from the actual account name, which threat actors exploited to impersonate accounts.
Second, within YouTube, users can send friend requests to anyone on the platform. Once accepted, they can send that person direct messages.
Criminals set up new YouTube accounts, making the displayed avatar and username identical to those of a famous YouTuber.
"The next step in the scam is sending messages posing as the famous YouTuber. The message in this scam mentions a contest in which James Charles is ‘randomly selecting’ a subscriber to give out a surprise gift. The message ends with a link which the threat actors hope the user clicks," said Yonathan Klijnsma, a threat researcher at RiskIQ.
He said the most remarkable aspect of this scam, and the one that has garnered the most attention from the media, is the scale at which this is happening. "For criminals, the bar is incredibly low to begin this type of scam. They have their pick of the top accounts on YouTube and can impersonate these content creators en masse."
The links that the victims click come in the form of a direct link to the scam website. Once the user clicks the link, they are taken through a chain of shortlink services until they hit one of the malicious websites set up by the scammers. In many cases the website pretends to give away gifts such as iPhones.
The victims then must provide their name, address, country and email address. The scam website then tells the victim they are a winner but will need to provide more information.
"What happens next is where the criminals make their money: referral links to fake surveys. Once a visitor clicks ‘verify now’ they are taken to another website on which they have to complete a survey to verify that they are a real user," said Klijnsma.
He said that these surveys are what make money for criminals.
"Once the visitors fill out the surveys, the organisations that collect this personal information give the scammers a flat-rate kick-back. Even if the kick-backs are tiny, these scammers fool enough users to finance their campaigns and then some," he added.
Klijnsma said investigations of the website servers (which had indexes left open) found that the domains had been in operation since January 2016 with over 300 brands being impersonated by scammers.
Bryan Becker, application security researcher at WhiteHat Security, told SC Media UK that this is a classic phishing scam, but instead of impersonating a trusted website, the scammer is impersonating a trusted celebrity and their YouTube page.
"We saw this same scam often at the height of the cryptocurrency craze, with scammers impersonating prominent members in the community on Twitter and deceiving people into sending them funds," he said.
"The best way to protect yourself against this kind of scam is by being informed. Check the username, URL, and other links against known-safe links. Don’t click if you aren’t sure. Google has a great ‘phishing quiz’ that can test out how much you already know about phishing, as well as teach you common techniques using real-world examples."
Stephen Gailey, solutions architect at Exabeam, told SC that people need to exercise common sense – rarely will you ever get something for nothing, particularly if you haven’t asked for it.
"Unfortunately, there’s not much brands can do to protect themselves from being used in these scams. Big organisations may have the resources to get websites taken down, but for smaller brands it will generally be a case of weathering the storm.
"Social media companies – including YouTube – need to do more. They are being naive about these issues and feel it isn’t their fault. But they do have a responsibility they are shirking. Improvements in mutual authentication, better business processes – there is plenty they should be doing," he said.