Got a direct message from a top YouTuber? Chances are, it’s phishing

February 11, 2019

Are you subscribed to a top YouTuber’s channel? If so, at any moment, a message purporting to be from your preferred celebrity can land in your inbox.

At first glance, the text looks like amazing news. Your favorite YouTube star feels extremely grateful to you for being one of their subscribers or for leaving comments on their video. And you’ve been chosen at random either to participate in a giveaway or to directly receive a valuable prize — a new iPhone X or a gift card, for example.

The problem is that the message is fake. It’s part of a brand-new scam targeting YouTube users that the streaming service has yet to figure out how to fight.

How does this YouTube scam work?

The scheme is relatively simple. First, the scammers set up a new YouTube account and change the avatar and displayed channel name to make them identical to those of a famous YouTuber. They exploit a standard YouTube feature that allows users to display any channel name, no matter what their account name is.

After that, the impostors send out friend requests en masse — a friend request within YouTube can be sent to anyone on the platform. The fraudsters do not even need to upload any content to the fake account to make these requests look legitimate; the requests contain very little information other than the displayed name and avatar image. Many fans accept the request without giving it a second thought.

The last step is to compose and send a relatively convincing direct message.

Numerous top YouTube creators — Marques Brownlee, Philip DeFranco, James Charles, Jeffree Star, Lewis Hilsenteger from Unbox Therapy, Bhad Bhabie, Craig Thompson, Deji (ComedyShortsGamer), Ryland Adams, and many others — have already been impersonated.
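The weak point the scam exploits is that a channel's display name is free-form while its underlying channel ID is not. The following script is an added example, not code from the original article or from YouTube: it triages a batch of constructed inbound messages by comparing the sender's display name (after folding case, Unicode compatibility forms and a few common Cyrillic look-alike letters) against a small allowlist of known creators keyed by channel ID, and flags a display-name match whose channel ID does not match as impersonation. It also flags the "prize plus claim link" wording described above as a weaker, content-based signal. The message schema, the allowlist entries and every channel ID in it are assumptions made for the example (the IDs are placeholders, not the creators' real ones).

```python
import re
import unicodedata

# Constructed allowlist: display name -> channel ID of the genuine creator.
# Placeholder IDs; a real deployment would load the verified IDs from a trusted source.
KNOWN_CREATORS = {
    "Marques Brownlee": "UC-PLACEHOLDER-MKBHD",
    "Philip DeFranco": "UC-PLACEHOLDER-DEFRANCO",
}

# Partial table of Cyrillic letters that render like Latin ones (assumption: extend as needed).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
})

# Wording the article associates with the lure, plus a generic URL matcher.
PRIZE_WORDS = ("giveaway", "prize", "gift card", "iphone", "chosen", "winner")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def normalize_name(name: str) -> str:
    """Fold a display name so trivial variations still hit the allowlist.

    NFKC maps fullwidth and other compatibility characters to their base form,
    casefold handles case, the homoglyph table maps a few Cyrillic look-alikes,
    and whitespace is collapsed. Zero-width/format characters are dropped.
    """
    folded = unicodedata.normalize("NFKC", name).casefold().translate(HOMOGLYPHS)
    folded = "".join(c for c in folded if unicodedata.category(c) != "Cf")
    return " ".join(folded.split())


def assess_message(msg: dict) -> dict:
    """Classify one inbound message record.

    Expected keys (constructed schema): display_name, channel_id, text,
    optional video_count. Returns {"verdict": ..., "reasons": [...]}.
    """
    reasons = []
    known_index = {normalize_name(k): v for k, v in KNOWN_CREATORS.items()}
    expected_id = known_index.get(normalize_name(msg["display_name"]))

    # Strongest signal: the name looks like a known creator but the account is not theirs.
    if expected_id is not None and msg["channel_id"] != expected_id:
        reasons.append("display name matches a known creator but channel ID does not")
        # Fake accounts in this scam typically have uploaded nothing.
        if msg.get("video_count", 0) == 0:
            reasons.append("sender channel has no uploaded videos")

    # Weaker, content-based signal: prize language together with a link to "claim" it.
    text = msg.get("text", "").casefold()
    if any(word in text for word in PRIZE_WORDS) and URL_RE.search(text):
        reasons.append("prize or giveaway wording combined with an external link")

    if any("channel ID does not" in r for r in reasons):
        verdict = "impersonation"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons}


def triage(messages: list) -> list:
    """Return the verdict for each message, in order."""
    return [assess_message(m)["verdict"] for m in messages]


if __name__ == "__main__":
    # Constructed sample inbox: a genuine message, a plain fake, a homoglyph fake, and an unknown sender.
    inbox = [
        {"display_name": "Marques Brownlee", "channel_id": "UC-PLACEHOLDER-MKBHD",
         "video_count": 1500, "text": "Thanks for watching the review!"},
        {"display_name": "Marques Brownlee", "channel_id": "UC-FAKE-0001", "video_count": 0,
         "text": "You've been chosen for our giveaway! Claim your iPhone X: https://example.invalid/claim"},
        {"display_name": "M\u0430rques Brownlee", "channel_id": "UC-FAKE-0002", "video_count": 0,
         "text": "Congratulations winner, claim here https://example.invalid/prize"},
        {"display_name": "Random Fan", "channel_id": "UC-FAN-0003", "video_count": 3,
         "text": "Free gift card giveaway: https://example.invalid/gc"},
    ]
    for m, v in zip(inbox, triage(inbox)):
        print(f"{v:14} {m['display_name']!r:24} {assess_message(m)['reasons']}")
```

The channel-ID comparison is the part that matters; the wording heuristic alone would also flag a creator's genuine giveaway post, so it is only used to downgrade a message to "suspicious" rather than to call it impersonation. Note that the homoglyph table is deliberately partial: a production normalizer would use a full confusables list rather than a handful of Cyrillic letters.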

What’s the point of this scam?

The scammers want to kill two birds with one stone, using a simple phishing message to collect your personal data and earn some money as well. The YouTube direct message always includes a link to claim the prize.

The link leads to a fraudulent Web page that looks official. Once you are there, you are supposed to submit your contact details and personal information (to be scooped up by the crooks). And that’s not even the end of the story. Now you have to prove that “you are not a robot” and to complete a survey — a fake one, of course.

If you opt to take the survey, you will be redirected to a new site, which in turn brings you to a third site, and so on and so forth. This is where cybercriminals make their money, simply by driving traffic. They rack up referral clicks to the landing pages from organizations that provide them with kickbacks. The problem here is that each time you click a link, you are risking not only ending up on a site offering dubious services or merchandise, but also picking up ransomware or a banking Trojan, for example.

As security researchers found out (though they admit that their numbers do not show the full scope of the problem), the scam appears to have ensnared tens of thousands of YouTube users, or possibly more — at least, to the point of visiting a fake website.

How to protect yourself from YouTube phishing

  • Treat friend requests or direct messages with suspicion. First, verify who the sender really is. Check whether the channel is marked as an official one, and at the very least, scan its contents with a critical eye.
  • Do not provide your sensitive information on websites you get to from links in a message received over the YouTube platform. Unfortunately, if the deal sounds too good to be true, it probably is.
  • Use a reliable antivirus solution to receive alerts when the links you click try to bring you to phishing or other malicious Web pages.