YouTube, the world’s top provider of streaming multimedia content, keeps reaching new heights in terms of its popularity. Nearly two billion monthly users and five billion videos watched every single day – these impressive statistics speak for themselves, and the numbers are steadily growing year over year. Everybody loves YouTube and so do cybercriminals, only in their very own nefarious way.
Malicious actors are lured by the soaring audiences of this service, hence the potentially huge attack surface and a goldmine of opportunities.
However, compromising the IT architecture of such an advanced technology giant is a hardly feasible objective, even for high-profile crooks with tons of offensive resources at their disposal. The exploitation vectors, therefore, mostly boil down to social engineering scams, but the tactics are more sophisticated than posting fraudulent hyperlinks in comments under viral videos.
The two most common types of attacks include hoaxes targeting YouTube channel owners and ones that zero in on ordinary visitors who routinely visit the service to watch videos of interest.
Let’s see what scams are currently dominating this particular cybercrime ecosystem.
Malefactors wheedling out YouTubers’ passwords
Fraudsters may impersonate YouTube support to dupe active users into disclosing their credentials.
One of the latest attempts that gained a great deal of publicity was reported in early May 2019. The owner of a fairly popular YouTube channel called TeslaJoy received a phishing email from a sender claiming to be the “YouTube Team.” This message was camouflaged as an alert regarding multiple violations allegedly detected during the site’s account review process.
The con artist further emphasized that they needed a more in-depth analysis to sort out the issue. In order to expedite the process, the targeted YouTuber was instructed to provide additional details, including the channel password. Obviously, a genuine support team would never request credentials to deal with any sort of issue. This wasn’t the biggest giveaway, though.
The scam could have probably worked out if it weren’t for a few more conspicuous mistakes the attacker made. One of them was the wrong street name (“Cher Ave.” instead of “Cherry Ave.”) in the address of the company’s main office. The ZIP code was wrong, too.
On top of that, the notification was sent to the channel owner’s public-facing email address rather than the one used for interaction with YouTube. All of these clues allowed the would-be victim to identify the fraud, report it to YouTube and spread the word about it so that other users wouldn’t get on the hook.
Extortion via fake policy violation reports
Another technique that zeroes in on content creators abuses YouTube’s policy infringement system.
According to these guidelines, any user can submit violation reports if they notice that a particular channel disobeys copyright or uploads violent, hateful or sexual materials to the platform. In case a YouTuber gets three such “strikes” within hree months, their account is subject to deactivation.
Crooks take advantage of these practices by repeatedly flagging a user’s content inappropriate until the target receives two infringement notices and is one strike away from account termination. This is what a scammer nicknamed “VengefulFlame” did to a couple of YouTube channels. When a critical number of strikes was reached, the threat actor contacted the users and demanded a ransom to prevent them from filing the third and final report. The size of the ransom ranged from $75 to $200 worth of Bitcoin or $150 to $300 in PayPal, depending on the number of channel subscribers.
When two targets of the extortion, nicknamed Logan and Kenzo, let the community know about the wicked stratagem they were facing, the incidents gained some traction and were brought to YouTube’s attention.
At the end of the day, the pseudo strikes were resolved for both accounts. Nevertheless, there’s still a bitter aftertaste of bad actors so easily exploiting the network’s policies for their malicious ends.
YouTube watchers hoodwinked into completing fake surveys
If you are a regular YouTube visitor and don’t run a channel, you aren’t safe, either.
In an ongoing scam campaign, fraudsters entice users to provide their personal details and fill out short surveys in exchange for a gift. In order to make the hoax appear credible, they manipulate the platform’s peculiar way of displaying account names.
The network allows anyone who creates a new account to set the username and avatar identical to those of another channel owner. This way, the scammers are able to impersonate celebrities when submitting friend requests to anyone on YouTube, even to people who simply left a comment or subscribed to a channel. If such a request is accepted, the swindlers can send direct messages to the unsuspecting victim via the internal messaging system – allegedly on behalf of the influencer.
When reaching out to potential victims, the ne’er-do-wells say they’ve been randomly selected from the subscriber list and are entitled to a “surprise gift.” To claim the prize (an iPhone X in most cases), the users are instructed to provide their personally identifiable information such as the name and address. The process additionally involves a series of checks, including human verification, which is actually an online survey in disguise.
The crooks behind this fraud make money by luring the victims into completing surveys. Plus, they can sell the harvested personal data to advertisers and other interested parties. In the long run, the victims end up clicking on multiple links, disclosing sensitive details and filling out junk questionnaires only to realize that they’ve wasted their time and won’t get any gift at all.
To its credit, YouTube is still a hard nut for cybercrooks to crack.
Whereas getting around the platform’s strong defensive mechanisms is easier said than done, the black hats are taking shortcuts and pulling off scams that mostly manipulate humans rather than the system.
Unfortunately, these frauds are on the rise, and the attack vectors continue to evolve. In the meanwhile, YouTubers and regular users should be on the lookout for the above schemes and report suspicious activity to the company without delay.
About the Author: David Balaban is a security expert and privacy-minded researcher writing for cooltechzone.com. With over a decade of experience in malware analysis and security software testing, David strongly believes that the right creed is to treat cybersecurity as a continuous process rather than a resulting product.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.