(PSA) A warning to YouTube creators, scammers have worked out an almost fool proof method of phishing your account

[Hairless Monkey Boy]

1 minute ago, Kilrah said:

In this case I wouldn't be surprised if it was targeted, some of the scammers he bonked in the past teaming up and going for retaliation. He's hurting their "business" after all so there's definitely a financial incentive to go after him. 

Pretty dumb strat, though. If anything, this raises Jim Browning's profile, making it harder for scammers going forward, not easier.

[cacoe]

1 minute ago, Avocado Diaboli said:

Apparently, he falls for scams where people tell him "Dude, you need to, like, totally delete your YouTube channel, right now. Trust me, I'm from Google." This is obviously paraphrased nonsense, but essentially what he describes. He was convinced by someone to delete his channel. He didn't mention what it took to delete it, but what possible explanation would even convince you to do something like that?

 

I know what Browning does, but you clearly didn't understand what the point of my comment was, which was that appealing to authority doesn't absolve him in this case from having fallen for an obvious scam. Just because he exposes scammers doesn't somehow make this any less stupid on his part.

I agree that on the surface as an outsider looking in, it seems that this would be an obvious scam. However, as already mentioned, everyone can have a bad day, we don't know what else is happening in his life and if you've already got a lot on your mind, a moment is all that it takes.

[Master Disaster]

4 minutes ago, cacoe said:

I agree that on the surface as an outsider looking in, it seems that this would be an obvious scam. However, as already mentioned, everyone can have a bad day, we don't know what else is happening in his life and if you've already got a lot on your mind, a moment is all that it takes.

There's obviously more to the scam than

 

"err, so we are wondering if you'd delete your channel please, thanks, Google"

 

I'll try to keep the thread updated as new info comes out but they obviously have a pretty believable story.

[Quackers101]

Also to be fair in some messages FROM google/youtube, you can get sudden warnings that can be drastic although this being way more drastic?

As in big brands giving or SPAMS you with DMCA claims etc, and before you know it, it's deleted. Like said before, they would likely delete it without you doing so and wouldn't ask. Unless you delete DMCA videos or suddenly is spammed due to music copyrights to hide or delete most of your videos? (not channel)

[Master Disaster]

10 minutes ago, Avocado Diaboli said:

Apparently, he falls for scams where people tell him "Dude, you need to, like, totally delete your YouTube channel, right now. Trust me, I'm from Google." This is obviously paraphrased nonsense, but essentially what he describes. He was convinced by someone to delete his channel. He didn't mention what it took to delete it, but what possible explanation would even convince you to do something like that?

 

I know what Browning does, but you clearly didn't understand what the point of my comment was, which was that appealing to authority doesn't absolve him in this case from having fallen for an obvious scam. Just because he exposes scammers doesn't somehow make this any less stupid on his part and no doctorate is going to change that.

Interesting, could you share this insider info on the conversation that you seem to have access to while nobody else does.

 

You have no idea what was said, nobody does, so your essentially basing your argument on assumption.

[RejZoR]

57 minutes ago, Master Disaster said:

Did you not see the Tweet? YouTubes biggest scam smasher was taken by the scam, and he's a doctor of computer science.

It's not unusual that "science doctors" can't think on level of us dumb people and common sense, casual things entirely fly over their heads because they totally overthink them.

 

He checked all the indices where messages originated from, but didn't think why the hell would Youtube ask him to delete the account when they can do that themselves with a single click if they chose to do so. It's the most obvious warning flag.

[Avocado Diaboli]

2 minutes ago, Master Disaster said:

Interesting, could you share this insider info on the conversation that you seem to have access to while nobody else does.

 

You have no idea what was said, nobody does, so your essentially basing your argument on assumption.

I'm basing it on exactly the same nonexistent evidence you base your opposing conclusion that this somehow must be some kind of masterclass kind of scam for it to work on someone with the expertise of Browning and not that, as others have alluded to, this might just be a regular old brain fart moment where someone got the better of him despite warning signs. Occam's razor simply leads me to the conclusion that the latter assumptions are far likelier than the former and that your appeal to his authority does not make your conclusion any more convincing to me, which is why I pointed that part out in my comments.

 

Keep in mind, I'm not faulting him for having fallen for it, anyone can. But no evidence here leads me to believe that this was anything out of the ordinary for scam attempts. I'm willing to be convinced otherwise when and if that evidence turns up, but not simply because he's got a doctorate in computer science.

[Mark Kaine]

24 minutes ago, cacoe said:

I agree that on the surface as an outsider looking in, it seems that this would be an obvious scam. However, as already mentioned, everyone can have a bad day, we don't know what else is happening in his life and if you've already got a lot on your mind, a moment is all that it takes.

Thats true… but the thing is, you gain nothing by deleting your account, and for someone who claims to be an expert in "phishing" thats just really not a good look.

 

Basically the guy seems to be totally unaware how bad Google's security really is… which is why I personally would *never* use a provided link from "support", I would contact them, but on my own terms to see if this is a scam or not… 

 

 

26 minutes ago, HairlessMonkeyBoy said:

Pretty dumb strat, though. If anything, this raises Jim Browning's profile, making it harder for scammers going forward, not easier.

No, because this isnt a new trick or something, as long internet "security" works like it currently does nothing changes and "phishing" remains to be "easy" (""  because  this is actually pretty sophisticated, but still a tried method)

 

 

 

14 minutes ago, Master Disaster said:

You have no idea what was said, nobody does, so your essentially basing your argument on assumption.

So are you. You are assuming they had "a good story" Im saying they had not, based on the info we have this was 100% obvious bs from the get go (not saying they had no story at all, just saying it couldnt be very convincing, there is *zero* reason to delete your account, because if google wanted to delete your account they could very much do it themselves)

[WolframaticAlpha]

1 hour ago, RejZoR said:

And why would Google/Youtube ask you to delete the account yourself when they can literally do that directly since they are the people who provide this service? You have to really be monumentally stupid to do it yourself. My first question would be WHY?! and after that "If I'm in any violation, then do it yourself lol, you are the service provider and you have the control". People really are naive.

"Everyone is a genius,

 

until it happens to them."  

18 minutes ago, RejZoR said:

It's not unusual that "science doctors" can't think on level of us dumb people and common sense, casual things entirely fly over their heads because they totally overthink them.

 

He checked all the indices where messages originated from, but didn't think why the hell would Youtube ask him to delete the account when they can do that themselves with a single click if they chose to do so. It's the most obvious warning flag.

That's pretty stereotypical. Science people are often practical. Don't believe everything that tv tells you.
 

[Blademaster91]

It seems odd for someone that is very successful at scamming the scammers to fall for a scam, this really comes off as possibly being a targeted attack from scammers wanting to retaliate.

[Hairless Monkey Boy]

28 minutes ago, Mark Kaine said:

I would contact them, but on my own terms to see if this is a scam or not…

exactly.

[RejZoR]

50 minutes ago, WolframaticAlpha said:

"Everyone is a genius,

 

until it happens to them."  

That's pretty stereotypical. Science people are often practical. Don't believe everything that tv tells you.
 

No, I know that from practice. And it's across various fields. From programmers to physicists to various engineers. They are so deeply involved into nitty gritty things they do, they are just not capable of thinking like a casual user or as a regular Joe if you will and things that are perfectly logical to "dumb" users just fly over their heads. Sure there are some exceptions, but they are just too smart for their own good most of the time.

[Master Disaster]

1 hour ago, Avocado Diaboli said:

I'm basing it on exactly the same nonexistent evidence you base your opposing conclusion that this somehow must be some kind of masterclass kind of scam for it to work on someone with the expertise of Browning and not that, as others have alluded to, this might just be a regular old brain fart moment where someone got the better of him despite warning signs. Occam's razor simply leads me to the conclusion that the latter assumptions are far likelier than the former and that your appeal to his authority does not make your conclusion any more convincing to me, which is why I pointed that part out in my comments.

 

Keep in mind, I'm not faulting him for having fallen for it, anyone can. But no evidence here leads me to believe that this was anything out of the ordinary for scam attempts. I'm willing to be convinced otherwise when and if that evidence turns up, but not simply because he's got a doctorate in computer science.

So you don't think the fact the scammers have found a way to have emails delivered by an official Google domain is out of the ordinary?

 

You're perfectly entitled to your opinion however I don't think I have asserted anything other than, if Jim Browning fell for it then it is obviously sophisticated and believable. You can claim the opposite is true all you like, the simple fact is, you do not expect someone with Jim's reputation and expertise to fall for your average scam. You're effectively saying his years of experience dealing with these types of people means nothing. It wasn't a brain fart moment, the usual warning signs were not present meaning there was nothing to suggest the email was anything other than genuine.

 

TL:DR - I'm not suggesting an opposing opinion, never have. The only assertion I have made is this is obviously something new if Browning fell for it.

[Master Disaster]

1 hour ago, Mark Kaine said:

So are you. You are assuming they had "a good story" Im saying they had not, based on the info we have this was 100% obvious bs from the get go (not saying they had no story at all, just saying it couldnt be very convincing, there is *zero* reason to delete your account, because if google wanted to delete your account they could very much do it themselves)

Again, nope, I never made any counter assertion. What I actually said is we don't know what was said and forming a conclusion based on our assumptions is dumb.

[Kisai]

2 hours ago, Avocado Diaboli said:

A bunch of legitimate scientists were duped into appearing in a geocentrist documentary. Academic credentials are not a bulletproof shield to not end up doing monumentally stupid things. 

Academic credentials mean nothing outside of applying for jobs in very specialized fields. Computers are not a specialized field that requires academic credentials, and even having them isn't proof of competence. Someone with a CS degree isn't automatically a competent in math and astroengineering as an example.

 

At any rate, always consider out-of-the-blue contacts that ask you to do something that clearly they can do themselves as suspicious. One of the support things I do, is I always push back requests to change passwords to the actual billing provider, and not change passwords myself, because I don't want to be held responsible for a phishing attempt.

 

[Avocado Diaboli]

39 minutes ago, Master Disaster said:

So you don't think the fact the scammers have found a way to have emails delivered by an official Google domain is out of the ordinary?

 

You're perfectly entitled to your opinion however I don't think I have asserted anything other than, if Jim Browning fell for it then it is obviously sophisticated and believable. You can claim the opposite is true all you like, the simple fact is, you do not expect someone with Jim's reputation and expertise to fall for your average scam. You're effectively saying his years of experience dealing with these types of people means nothing. It wasn't a brain fart moment, the usual warning signs were not present meaning there was nothing to suggest the email was anything other than genuine.

No, I don't consider the fact that it's an email from a Google domain that out of the ordinary, because if you look at the mechanism they used, any message sent to someone via Google Chat will have that domain at the end. If I sign up for Google Chat and send you a message to your email, my message will also come from chat-noreply@google.com. Every message will. The same way how when I give you permission to one of my files on my Google Drive, it will also send you an email invite from an @google.com domain. And yes, I know that because I literally just now tested it by giving permission from one of my Google accounts to another one. 

 

So again, this is not some kind of brilliant hack, it's just a simple means of social engineering, making someone believe that the scammer is part of the company they're trying to pose as. But still, if you're vigilant enough to not simply rely on looking out for these obvious signifiers like domains, you should still also have the presence of mind to look at the actual contents of what you're being asked to do. If someone asks you to delete your channel, I would call that a pretty significant red flag.

[Mark Kaine]

1 hour ago, Master Disaster said:

Again, nope,

but you *are* assuming:

1 hour ago, Master Disaster said:

The only assertion I have made is this is obviously something new if Browning fell for it.

 

3 hours ago, Master Disaster said:

they obviously have a pretty believable story.

They do?

 

Theres nothing wrong with assuming things, hence my assumption is as valid:

2 hours ago, Mark Kaine said:

I personally would *never* use a provided link from "support", I would contact them, but on my own terms to see if this is a scam or not… 

 

 

2 hours ago, Mark Kaine said:

No, because this isnt a new trick or something, as long internet "security" works like it currently does nothing changes and "phishing" remains to be "easy" (""  because  this is actually pretty sophisticated, but still a tried method)

 

 I dont think this was something out of the ordinary, and the moment you have a mail asking you to *delete* something important is when you have to realize something  fishy is going on and *not* to click the link.

 

Btw we dont know if that was actually a google url, could also be fake - and even if it was, thats still how these scams often work, hence you need to confirm this before taking action.

 

Of course, as i already said this is mostly to blame on google because  they dont actually  are *secure*, they also often break their own rules, like asking to provide your password, in an "email" with a link to login, thats exactly  what scammers do too, and google has the audacity to claim this is "for security  reasons" when its inherently unsecure, and they *promised* not to do it.

 

 

TLDR: if you're a "scamming expert" especially you *do not click the link* 

 

Thats exactly what they always tell you.

 

 

 

 

Edited July 28, 2021 by Mark Kaine
added quote

[WkdPaul]

Looks like it was a brain fart on his part rather than a very elaborate scam ;

 

 

 

No offence, but the email under "youtube support" would've made me leave without replying. As a sys admin, that's stuff I always tell users to look out for.

 

Source ;

 

[wanderingfool2]

2 minutes ago, wkdpaul said:

Looks like it was a brain fart on his part rather than a very elaborate scam ;

 

 

 

No offence, but the email under "youtube support" would've made me leave without replying. As a sys admin, that's stuff I always tell users to look out for.

The issue I have with this is that Google's go to was making the chat appear as an email.  This should never happen, actually it should never happen where people are allowed creating an account like YouTube Support (while using google services).  It should be rule 101 as well, if you are sending automated emails from a primary domain where it allows external messages add in the email address it came from (and not just go by YouTube Support).  I'm not defending Jim Browning for falling for this (because it shows everyone is human when it comes to these kinds of things), but Google and the way they handle things is partially to blame as well

 

While I am not necessarily familiar with Google chat, depending on the device he was on the email could have not been on the screen (if the message was visible and taking up enough room to bump the creator-partners.com off the screen).

 

The fact he was already questioning it, is interesting...I'd really like to know how the remaining messages went because

[Spotty]

2 hours ago, Master Disaster said:

So you don't think the fact the scammers have found a way to have emails delivered by an official Google domain is out of the ordinary?

Well, no. It's really not that interesting when you actually look at what is happening. From what I glanced at it just seems to be an automated email notification from Google saying that you have received a message from someone on Google Chat and includes the message contents. When you receive an email notification for a new PM on the forum it will be sent from "Linus Tech Tips" with an @linustechtips.com email address.

 

There are ways Google can make it more obvious the message isn't from them. One such way would be including a note in the email saying "Preview of the message received on Google Chat. This message is not from Google" or some such similar message to show that it's not an official message from Google. Google could also do what we do on the forum and not show the contents of the message in the email notification, instead just show "New message received" preventing them from displaying messages threatening account deletion in the email.

[tikker]

3 hours ago, Avocado Diaboli said:

I know what Browning does, but you clearly didn't understand what the point of my comment was, which was that appealing to authority doesn't absolve him in this case from having fallen for an obvious scam. Just because he exposes scammers doesn't somehow make this any less stupid on his part and no doctorate is going to change that.

  I agree that a doctorate doesn't necessarily mean much in this context, but him falling for this doesn't make him stupid either. Being an expert on scams just makes you harder to scam, not immune. He isn't anything less because they got him. The only reason it's always so obvious to us because either you have never been properly scammed, good for you, or you are reading/analysing this as a calm unaffected 3rd party.

 

Instead of making it a how-obvious-a-scam-can-you-fall-for pissing contest people should just take this as a lesson that anyone can get scammed at any point no matter who you are. It's a bit scary how good they can get sometimes now. Recently there was an excellent one from our supposed IT department. That did take a minute to process before thinking the "obvious" wait if you're doing this, why do I need to help you do this thing you request?

 

2 hours ago, RejZoR said:

No, I know that from practice. And it's across various fields. From programmers to physicists to various engineers. They are so deeply involved into nitty gritty things they do, they are just not capable of thinking like a casual user or as a regular Joe if you will and things that are perfectly logical to "dumb" users just fly over their heads. Sure there are some exceptions, but they are just too smart for their own good most of the time.

Yep, as a scientist you are trained to think in a specific way and it's pretty common to start off thinking too difficult (myself included) to the point where even "square peg goes into the square hole" can be the least obvious thing in the world. In this context I could totally imagine looking for all kinds of fancy ways they could try to masquerade as Google, not find any and then continue without thinking the "why don't they just suspend me / do this themselves?" question.

[Quackers101]

2 minutes ago, wanderingfool2 said:

The fact he was already questioning it, is interesting...I'd really like to know how the remaining messages went because

Its something that is called for pilots and maybe other critical work, you become so focused on the usual signs that other signs can be disregarded for your own agenda of what might be the issue or how to solve it. When I said he likely focused on other signs that encouraged his initial view of "this is real", a bit like maybe someordinarygamer kind of went in for, while others that might not know these signs would not care or see what it "could" imply. Like it coming from a google domain? or so on.

 

There is all kinds of "smartness", so the discussion in this thread of "how smart you got to be" seems a bit silly to me.

*right before they do the same thing lol*

[leadeater]

2 hours ago, Kisai said:

Computers are not a specialized field that requires academic credentials, and even having them isn't proof of competence. Someone with a CS degree isn't automatically a competent in math and astroengineering as an example.

Only for more entry and intermediate jobs. If you want to specialize in say security to any meaningful degree then you're going to need a Masters and a few industry certifications to be taken seriously as an actual security expert.

 

There is a very big difference between someone that is capable of finding exploits in a program or code and someone that is actually able to go in to a business and actually give meaningful, actionable security advice or a proper security audit.

 

Specialization in IT is certainly a thing that can and does require formal academic qualifications. That said many or the majority can get by perfectly fine with just a Bachelors and just a few industry certs. What you want to do matters the most in this regard.  

 

2 hours ago, Kisai said:

At any rate, always consider out-of-the-blue contacts that ask you to do something that clearly they can do themselves as suspicious. One of the support things I do, is I always push back requests to change passwords to the actual billing provider, and not change passwords myself, because I don't want to be held responsible for a phishing attempt.

Even people in ITS fail internal phising.  Everyone is capable of having a bad day and making a mistake, and some thing are really believable. Here's a great example, I parked at work all day in the 15 minute bay because I was too lazy to park in the main large car park and walk the 10 or so minutes to the office. Later that night just after work I got an email for a parking breach with a link to the portal to pay the fine, all completely typical stuff, save for the minor detail that the address noted for the breach was an address that wasn't in my country. Checked the email headers, saw that it was passed through the phising service flow rule. Yes I got trolled by the security team, still managed to maintain my current 100% clean record, though I will say I was damn close to clicking on the link.

[FloRolf]

So what exactly is the scam? They send me an email or whatever, saying I have to delete my account because of a violation? And if I don't, they will? 

Then why should I do it? 

[Quackers101]

1 minute ago, FloRolf said:

So what exactly is the scam? They send me an email or whatever, saying I have to delete my account because of a violation? And if I don't, they will? 

Then why should I do it? 

there is also a link I think it was, that will go to that google chat for getting you into the hole and maybe doing worse things or using a shady link to attack with.