According to a new report from RiskIQ, more than 70,000 people have been tricked into disclosing their personal details after scammers posed as celebrities on YouTube.
RiskIQ said the scam had been running since 2016 and involves YouTube subscribers being targeted with messages supposedly coming from popular YouTube celebrities asking them to click on a link to claim a prize.
The hackers gain money by racking up referral clicks to online surveys from organisations that provide them with lucrative kick-backs.
RiskIQ said the cybercriminals use a combination of impersonation techniques, such as setting up new YouTube accounts that display an avatar and username identical to those of a famous YouTube personality. This lends the messages legitimacy and increases the likelihood that users will click on the links.
The next step in the scam is sending messages posing as the famous YouTuber. The message in this scam mentions a contest in which James Charles is ‘randomly selecting’ a subscriber to give out a surprise gift.
The message ends with a link which the threat actors hope the user clicks.
"For criminals, the bar is incredibly low to begin this type of scam. They have the pick of the top accounts on YouTube and can impersonate these content creators en masse." - Yonathan Klijnsma: Threat Researcher, RiskIQ
According to RiskIQ, the links that victims click on come in the form of a direct link to a scam website. The victim must then provide a name, address, country and email address. The fake website will then tell them they are a winner, but they will need to provide further information.
What happens next is where the criminals make their money – referral links to fake surveys. Once a visitor clicks ‘verify now’ they are taken to another website on which they have to complete a survey to verify that they are a real user.
"Once the visitors fill out the surveys, the organisations that collect this personal information give the scammers a flat-rate kick-back. Even if the kick-backs are tiny, these scammers fool enough users to finance their campaigns and then some." - Yonathan Klijnsma: Threat Researcher, RiskIQ
While these scams are not particularly sophisticated, they are highly effective. This was seen at the height of the cryptocurrency craze, when scammers impersonated prominent members in the community on Twitter.
The best way to protect yourself is to use common sense. Always check the username, URL and other links against known safe links.
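The username and link checks above can be automated. The following is an added example, not code from RiskIQ or YouTube: it flags a message whose display name matches a known creator while the channel ID does not, and any link whose host is not on a safe list. The channel IDs, the safe-domain list and all function names are constructed assumptions.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed sample data: creator display name -> genuine channel ID (placeholder value).
VERIFIED_CHANNELS = {"james charles": "UC-EXAMPLE-GENUINE-ID"}
# Assumed allowlist of domains the reader already trusts.
SAFE_DOMAINS = {"youtube.com", "youtu.be"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise_name(name):
    """Fold case, compatibility characters and spacing before comparing names."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def host_is_safe(url):
    """True only if the host is a safe domain or a subdomain of one."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL: treat as unsafe
        return False
    # Exact or dot-anchored suffix match, so that a host such as
    # youtube.com.prizes.example does not pass as youtube.com.
    return any(host == d or host.endswith("." + d) for d in SAFE_DOMAINS)


def assess_message(display_name, channel_id, text):
    """Return the reasons to distrust a message; an empty list means no flag."""
    reasons = []
    genuine_id = VERIFIED_CHANNELS.get(normalise_name(display_name))
    # An identical name and avatar are free to copy; the channel ID is not.
    if genuine_id is not None and channel_id != genuine_id:
        reasons.append("display name matches a known creator but channel ID differs")
    for url in URL_RE.findall(text):
        if not host_is_safe(url):
            reasons.append("link outside known safe domains: " + url.rstrip(".,)"))
    return reasons


if __name__ == "__main__":
    # Constructed message modelled on the scam described in the article.
    print(assess_message("James Charles", "UC-EXAMPLE-OTHER-ID",
                         "You were selected! Claim at http://youtube.com.prizes.example/claim"))
```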
Never click on anything if you are not sure. Google currently has a great phishing quiz that can test how much you really know about phishing, as well as show you common techniques to combat it using real-life examples.
Remember, in today’s world you very rarely get anything for free, particularly if you haven’t asked for it.
Despite these essential means to protect yourself, many argue that YouTube needs to do much more.