A YouTube scam that tricks users into clicking on malicious links by impersonating famous YouTube stars has duped more than 70,000 people.
Many subscribers to popular YouTubers, including Philip DeFranco, Jeffree Star and makeup vlogger James Charles, have reported receiving messages that offer them a free prize if they click on a link.
The fraudsters behind the scam have tried to make the messages seem as authentic as possible by replicating the same name, profile picture, and imagery used in the official accounts. The only difference is the fake account has no content listed within it.
Image: Genuine James Charles account alongside fake (Source: RiskIQ)
The text in all the messages remains the same and suggests that the subscriber was selected at random to receive the free gift. One message that appears to come from James Charles says: “Hello! Thanks for commenting on my videos! I am selecting random user from my subscriber list for surprise gift and you have just won it! So here is a link to redeem it.”
As soon as the victim clicks on a link, they are directed through to a malicious website that impersonates Apple. In order to claim their free iPhone, they must first go through a selection process and submit their name, email address, country and physical address.
A fake progress bar pretends to check the validity of the information before declaring the victim a winner. However, the scam doesn’t end there. The victim is then asked to click a “verify” button, which takes them to another website to complete surveys and verify they are the real user.
It’s at this stage of the scam that the fraudsters make their real money. Every time someone fills in a survey, the scammers get paid. Cash from one user mightn’t amount to much, but if they can successfully dupe thousands of people into falling for the scam, then the pay-out can mount up quite quickly.
Image: Fake verification process (Source: RiskIQ)
According to security researchers at RiskIQ, the scam has been in circulation since 2016 and the crooks behind the campaign have used a combination of impersonation techniques to make their messages appear legitimate and increase the chance of people clicking on links.
The fraudsters have also been able to take advantage of two systems built into YouTube. The first is that the name displayed on YouTube channels and YouTube accounts can be different from the actual account name. This provides an opportunity to impersonate accounts.
Secondly, they were able to exploit the internal messaging system within YouTube by setting up a fake account and then sending out friend requests to potential victims. Once accepted, the fraudsters were able to send out direct messages with malicious links.
To avoid being scammed on YouTube, there are a number of steps you should follow:
- Never click on links or download attachments from unknown sources.
- If you receive a message from a YouTube celebrity, make sure to click through to their profile and check if it’s a legitimate account.
- To determine if an account is fraudulent, check the subscribers and content. Fake accounts will tend to have few subscribers and no videos uploaded.
- Pay close attention to the spelling of an email or web address; if there are any inconsistencies, treat it as suspicious.
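
The account checks in the list above, together with the display-name weakness described earlier, can be combined into a simple triage heuristic. This is an added example, not code from RiskIQ or YouTube; the record fields (`account_id`, `display_name`, `subscribers`, `video_count`), the sample accounts and the 1,000-subscriber threshold are assumptions constructed for illustration.

```python
import unicodedata

def normalize_name(name: str) -> str:
    """Fold case, Unicode compatibility forms and extra whitespace so
    near-identical display names compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())

def impersonation_signals(account: dict, known_good: dict,
                          min_subscribers: int = 1000) -> list:
    """Return the reasons an account looks like a copy of a known channel.
    An empty list means no signal. min_subscribers is an assumed threshold."""
    claimed = normalize_name(account["display_name"])
    for real_id, real_name in known_good.items():
        if normalize_name(real_name) != claimed:
            continue
        if account["account_id"] == real_id:
            return []  # same display name and same ID: the genuine account
        reasons = ["display name matches known channel but account ID differs"]
        if account["video_count"] == 0:
            reasons.append("no videos uploaded")
        if account["subscribers"] < min_subscribers:
            reasons.append("few subscribers")
        return reasons
    return []

# Constructed sample data: the IDs are placeholders, not real channel IDs.
KNOWN_GOOD = {"ID_GENUINE_PLACEHOLDER": "James Charles"}
GENUINE = {"account_id": "ID_GENUINE_PLACEHOLDER", "display_name": "James Charles",
           "subscribers": 5_000_000, "video_count": 300}
# Fullwidth "J" and a doubled space: renders almost identically to the real name.
FAKE = {"account_id": "ID_FAKE_PLACEHOLDER", "display_name": "\uff2aames  Charles",
        "subscribers": 3, "video_count": 0}
FAN = {"account_id": "ID_FAN_PLACEHOLDER", "display_name": "Some Fan",
       "subscribers": 12, "video_count": 0}

if __name__ == "__main__":
    for acct in (GENUINE, FAKE, FAN):
        print(acct["account_id"], impersonation_signals(acct, KNOWN_GOOD))
```

NFKC normalization catches compatibility variants such as fullwidth letters, but it does not map look-alike characters from other scripts, so an exact account ID comparison remains the decisive check.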