Security researchers have unearthed a widespread phishing scam that involves the use of fake profiles of popular YouTube personalities to lure their fans into sharing their personal information to receive free gift cards and iPhones purportedly offered by the stars themselves.
Spammers behind the phishing campaign have so far created fake profiles of popular YouTube personalities such as James Charles, Philip DeFranko, The ACE Family, Jeffreestar, Tati, ASMR Darling, and Through Ryan’s Eyes and used such profiles to send friend requests to hundreds of thousands of YouTube users, many of whom have accepted such requests believing that such requests came from genuine profiles.
Phishing scam uses fake YouTube profiles and fake sites
Once a victim accepts a friend request from a fake YouTube profile, the victim receives a direct message from the same profile which states that the victim has been randomly selected as a winner of a surprise gift card or a free iPhone X.
In order to redeem gift cards or to accept a free iPhone X, the victim is then asked to click on a link provided in the direct message. The link then redirects the victim to a fraudulent website which masquerades as Apple’s official website and asks the victim to click on a tab that reads “Get it Now”.
Once the victim clicks on this tab, the victim is then asked to provide their name, address, country, and email address and then to complete a brief “human verification process” by clicking on another link. Once clicked, the victim is redirected to a new page where they are asked to complete a survey to complete the verification process.
“iPhones and gift cards are just two themes propagated by these scam campaigns, and the criminals might change the scam to redirect users to different scam surveys sometimes depending on geolocation or the organization they partnered with. However, all the scams lead to survey sites on which a user is promised a prize if they provide their personal information.
“These surveys are what monetize the scam for the criminals. Once the visitors fill out the surveys, the organisations that collect this personal information give the scammers a flat-rate kick-back. Even if the kick-backs are tiny, these scammers fool enough users to finance their campaigns and then some,” said security researchers at Risk IQ.
Scammers impersonating popular brands as well
Figures released by Risk IQ have revealed that some of these fraudulent web links have enjoyed over 20,000 visits since December last year, suggesting that scammers have been successful in luring YouTube users into sharing their personal information.
According to the researchers, aside from creating profiles of famous personalities on social media platforms, such scammers have also impersonated a large number of well-known brands such as Apple, Instagram, Musically, Nintendo, PlayStation, Twitter, Fortnite, Nike, and Giftcards to defraud people and to obtain their personal and financial information.