The phishing scam is getting more and more elaborate: forgers constantly seek new ways to deceive their targets and collect sensitive data, and the newest trambique, which is becoming very common, is the YouTube attack, targeting channel subscribers popular features and the direct messaging feature.

How phishing scams work on YouTube

How the phishing scam by YouTube works

What is phishing?

First let’s recap: phishing scam is one where hackers use websites, e-mails, applications or fake services to mislead the user, passing through the real entities, to collect extremely sensitive personal and banking information. This includes credit card numbers and passwords, bank account numbers and passwords and other documents, and so on.

There are several modes, most commonly spear phishing: a targeted attack on people or businesses, by e-mail, apparently from a trusted source, which sends the user to a seemingly authentic but false site that requests sensitive data.

The phishing attack by YouTube is another type of spear phishing: According to Kaspersky Security, the method consists of a hacker, who created an account emulating that of a big channel (with the same name, avatar and visual identity, something that YouTube still has a hard time barring), send a direct message to a subscriber of the copied channel, which has thousands or millions of viewers enrolled.

In this message, the attacker goes through YouTuber congratulating the target for his participation in the channel. The message continues, with “YouTuber” asking the subscriber to participate in a raffle, or informing him that he will receive a gift thanks to his support, and sends links from supposedly legitimate sites for the user to access.

It is here that the coup takes shape: the pages, although they seem legitimate, are replicas designed to collect sensitive information from visitors, such as contact and personal (in some cases, also banking). He then asks the user to verify his identity through tests, which prove that “you are not a robot,” which also generate money for hackers through the method of driving traffic.

It works like this: you enter a verification site, which sends you to a second, sends you to a third party, who opens a room, and so on. And each new access yields money to hackers with advertising. And with each new page open, you get exposed to various pests, such as the most hairy malwares.

In the end, the coup kills up to three birds with one stone: the hacker can collect sensitive user data, make money with targeted access, and also opens the PC of the victim to various other attacks. All because of a freebie or lottery.

How to protect yourself from phishing scams on YouTube?

1. Check the message

It is a basic procedure, but always check the sender of the direct message. Make sure the account is actually the channel you sign, accessing the same page. In general, such channels (for phishing counterfeit) do not have any content;

2. Do not click on suspicious links

The same rule for links sent by email, social networks or SMS is valid here; avoid clicking on anything, and always check the official sources before making any decision. Official channels never inform their subscribers of promotions and sweepstakes for direct messages, even though many have millions of subscribers;

3. Use security tools

Anti-virus, firewalls and other software offer phishing blocks, and are always updated with new sites identified as malicious. Use without moderation.


Please enter your comment!
Please enter your name here