(PSA) A warning to YouTube creators, scammers have worked out an almost fool proof method of phishing your account

[ouroesa]

This does not look much more complicated than a normal phishing operation. 

 

This Jim gentleman should have picked up on it just by the wording of the first message, not to mention checking the domain - I think he feels the same was seeing he only shared a partial screenshot at first. 

 

People should really keep their wits about them and stop just trusting any e-mail with a familiar logo. 

[Quackers101]

8 minutes ago, ouroesa said:

People should really keep their wits about them and stop just trusting any e-mail with a familiar logo. 

everything going through the phone these days, hate it when you dont get a lot of options or able to check easily.

5 minutes ago, valdyrgramr said:

Well, I'm looking at the tweet right now.  There is no "@google.com" just an "@creator-partners.com".   He messed up.

someordinarygamer was likely hit by the same thing, he did explain it in the video. although it could have gone differently.

that creator-partners was in the google chat, I would think.

 

[wanderingfool2]

5 hours ago, valdyrgramr said:

Well, I'm looking at the tweet right now.  There is no "@google.com" just an "@creator-partners.com".   He messed up.

It depends, the first inbound emails uses no-reply@google.com.  From there the @creator-partners.com is only visible in chat if using chat.google.com or the mobile version.  If he happened to sign up, and go to his gmail account his initial viewing of it would just say YouTube Support (and if he is unlucky like me in browser settings, he wouldn't be able to easily get it to display @creator-partners.com).  The tweet right now is definitely after the fact screen-shots (so there is a possibility that he just switched to chat.google.com to quickly access the chats...but again if his initial conversation started in gmail and remained on the gmail site then there would have been a larger shot that he did not come across something saying creator-partners.com.

[LAwLz]

I highly recommend everybody in this thread watch this video. I have seen a lot of people make comments about how "science people" think in different ways and therfore might not pick up on scams. Or about how you would be able to figure it out. Or how "if it happened to Jim then it must be some fool proof attack" or whatever. All that is bollocks. 

 

Scams can happen to anyone because nobody is 100% mentally alert 100% of the time. Nor do we humans check everything at all times. We often makes a bunch of assumptions automatically in our everyday lives. 

 

 

 

[wanderingfool2]

40 minutes ago, valdyrgramr said:

Well, the other red flag, as I mentioned, was that he asked for proof and there wasn't any provided from what was shown.

Well what was shown was that he asked for more information, and from there the interaction is unknown (likely to become a youtube video???).  To say that it's a red flag isn't really valid unless you know what else was said.  Remember as well, if there was the potential that the other red flags weren't shown at that stage he could have legitimately thought it was a youtube support staff so from that stage red flags tend to be overlooked a lot easier.  (To anyone saying the tone of the email was a red flag, again I've literally been sent an email from AdMob that was very similar that was valid)

 

An example being the recent phone scams (targeting analog phones).  Someone calls you, says your card is compromised (red flag), but they instruct you to stay on the line get your credit card and then dial the number on the back.  They tell you to hang up and call the number, when you hang up they play a dial tone but don't hang up...due to the way things work, when you pick up the phone to dial your bank/credit card you actually still remain connected...when you dial the scammers now pretend it rings and pretend they are the "bank".  From there they have the trust built...because you called the bank, so they must be the bank.  If you believe you are talking to an agent of the bank/credit card, you are a lot more likely to hand over key information or do as instructed to "protect" yourself.

 

For those saying you would have to be foolish to delete something like your youtube channel (and it's a red flag), I would say, maybe just maybe they convinced him that there were 2 adsense accounts linked to his channel (and he was in violation).  From there he has the choice either delete one (AdSense) account to get in compliance or get banned from AdSense.  From there, he would delete one...but it actually deletes his gmail account (which actually has the effect of deleting his youtube channel since it is linked).  *This is hypothetical but I think likely plausible*

[wanderingfool2]

1 minute ago, valdyrgramr said:

It is still his fault, though.  YouTube wouldn't ask you to delete it.  They would do it themselves as many have experienced before.  Secondly, why didn't it dawn on him to just contact YouTube through the support options?  They typically don't do these types of exchanges.

I think a key can be that it's regarding AdSense.  They could have maybe talked him into a way of removing AdSense (which deletes the YouTube channel as well).

 

Like I've told other people, have you ever tried contacting support from YouTube/AdSense/Google in general?  Unless you know someone specifically, or have an YouTube rep, it's going to be difficult to do so.

 

I'm not absolving him of fault, but Google has also created an eco-system that allows this kind of spam to exist.  Like I've said in prior posts, Google should not be allowing people in their own system call themselves "YouTube Support", Google shouldn't be using a no-reply@google.com email while also passing through user generated content without making it abundantly clear that it's not Google, and Google shouldn't have options where it shows "YouTube Support" without showing the email address clearly.

 

As for "don't do these types of exchanges" yea, that is the biggest red flag...but again, I've gotten an email regarding my AdMob account that made threats of my account being terminated if fault was determined (through what I assume to be automation), or if I didn't take corrective actions...so yea specifically they don't do those types of exchanges but if he is like me and received an email like this in the past it isn't a large leap to say that maybe they changed their policy to include a way to get clarification

[wanderingfool2]

21 minutes ago, valdyrgramr said:

I get them all the time, and ignore them.  This honestly is a classic spam type.  I still put him at fault for falling for it.  This was a rather obvious one as it brought up several red flags, even for him, and he still fell for it.  That, and as I mentioned, he could have contacted YT to verify.  I don't fault Google for this because, even if you were to take action, spoofing and getting around Google's attempts will still happen.  It's no different than cheaters in a video game.  You could have great anti-cheat, but you won't stop the problem overall due to human nature.

Like it or not, Google also failed in this.  Yes, spam/scams will always get through but it's just plain stupid of Google that it doesn't block "YouTube Support" "Google Support", etc.

Again, I am not absolving him for falling for the scam, but this really should be sparking the discussion on the failing that was done.

 

So let's say the red flags

Link in email - *It is a google link to a google service*

Different domain - *Depending how it was accessed it wouldn't have shown the email address*

YouTube wouldn't write emails like that - *Except as I've said, I've received emails from Google with similar types of wording*

Google wouldn't tell you to delete the account - *Do we know that they did, or did they say corrective actions need to be taken...we don't know so we can't say it was a red flag as of yet*

 

You say contacting YouTube support, but it's well known that that is not always an easy thing to do.  Since you seem to be so knowledgeable, point me to where you would contact YouTube (yes, you could go out on Twitter and message them...but that isn't a guarantee of a response).  I'm assuming he wasn't big enough to have a YouTube rep.

[TempestCatto]

On 7/28/2021 at 6:40 AM, Master Disaster said:

....you have multiple Ad Sense accounts and that you must talk to Google support otherwise your account will be deleted....

 

If this is actually how it's worded, then this alone is a red flag to me. There's no way Google would word something as important as that, like this. Not to mention I would expect the YouTube logo instead of the Google one.

[Quackers101]

35 minutes ago, wanderingfool2 said:

Again, I am not absolving him for falling for the scam, but this really should be sparking the discussion on the failing that was done.

or rather the way forward for less "clean" information.

Hidden important information, less options than we had years before.

Security risks for "slick or modern" design.

 

As with the many talked about mobile vs desktop version of software, functions, clicking to the UI challenges.

23 minutes ago, TempestCatto said:

Not to mention I would expect the YouTube logo instead of the Google one.

as you deal with both, but I guess it would go through Youtube anyways and how it was in the name?

But since some people don't know about what they are dealing with, can make it a bit worse too.

Like what is adsense, and what part that belongs in?

in google/youtube, only the "google" side? only on the "youtube" side?

If this was twitch, that would be a lot easier to know who you are dealing with?

 

anyways, I guess he was quite in the "reactionary" stage and didn't think much at all, for one reason or another.

Just a reminder to think about scams, like how google services that recommends fake businesses, like if you try to see a business near you on their map and some with fake reviews, that can sell a service, that is not as legit. to how messy AirBnB can be, might have improved in certain regions though. With a lot of fake information out there that is going to grow in other sectors as well and how we shouldn't want services enabling this to a worse point. Or for example the way of ads and malware to the uprising of ransomware.

[Jtalk4456]

fool proof method of phishing
Nope, no such thing. Since phishing is reliant upon the victim to fall for it, there is no such thing. IDK the particular dude we're talking about, but IMHO he must not be good at this if he did what is being said here. My #1 rule to prevent phishing every time. CONTACT THE COMPANY YOURSELF! Google says you need to delete your channel? Call google and ask google if they sent it. I don't care how legit the email looks, if I'm being asked to do ANYTHING, I'm asking the company myself to confirm. Had he simply called whatever support line is readily available and said he got that email, they'd be like "nope, wasn't us, why would we need to delete your channel?"

[kirashi]

On 7/28/2021 at 3:40 AM, Master Disaster said:

 

  Hide contents

 

Wait, you mean people are blindly replying to chat messages coming from a domain name whose current DNS records resolve to an IP address owned and operated by Dreamhost? The same domain whose DNS records have no MX records, which means there's no legitimate way email could have been sent from the domain?

 

Sounds to me like this is just a standard case of a regular phishing situation, albeit with the malicious actors reaching out via Google Chat instead of email to make it appear more legitimate. Just look at that domain name registration date - seems pretty sus to think that Google only just registered the domain name 2 days ago...

 

/endrant

 

All this being said, anyone can indeed have momentary lapse in judgement on a bad or good day, so I would like to see more responsibility from Google, Microsoft, Apple, and other technology companies to ensure their products and services offer far better authenticity verification that makes scams more obvious as a glance.

 

https://lookup.icann.org/lookup

Name: CREATOR-PARTNERS.COM

Registry Domain ID: 2622572858_DOMAIN_COM-VRSN

Domain Status: active

Nameservers:

NS1.DREAMHOST.COM

NS2.DREAMHOST.COM

NS3.DREAMHOST.COM

Registry Expiration: 2022-06-27 08:42:48 UTC

Created: 2021-06-27 08:42:48 UTC

 

https://mxtoolbox.com/emailhealth/creator-partners.com/

mx	No DMARC Record found
mx	DNS Record not found
dmarc	No DMARC Record found
spf	No SPF Record found
blacklist	Blacklisted by Spamhaus DBL
http	Unable to connect to the remote server - A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 208.113.217.11:80 (http://creator-partners.com)
mx	DMARC Quarantine/Reject policy not enabled
dns	Name Servers are on the Same Subnet

 

https://ip2location.com/demo/208.113.217.11

ISP New Dream Network LLC

Domain dreamhost.com

[wanderingfool2]

4 hours ago, valdyrgramr said:

https://www.youtube.com/t/contact_us
 

It sounds more like you want to fault Google for something that isn't their fault.  Blocking them is not this absolute you're treating it as.  Spoofing, hacking, and more are different ways they could get around that.  He literally showed that he asked for proof, and then implied that he deleted the account.  Sounds more like he played into it, and that's completely his fault, not Google's.  I get you feel sorry for him, but that doesn't mean Google is at fault.

...yes because sending a contact_us page that links to help documents or submission forms that are slightly unrelated...it's near impossible to get a response from a person at Google.  You obviously have never tried contacting Google in regards to issues and stuff before.  There wouldn't be any guarantee of a response.  He likely would have been big enough to sign up for creator support but that's not like an instant thing...and I think that still isn't guaranteed for responses.

 

Again, I am not saying he isn't at fault...but in no way shape or form should Google be getting a pass for this.  Spoofing, and hacker are a lot harder to accomplish.  It would be like if I were to disable all checks on my inbound email server and then blame my users for always falling for impersonation scams.  I get that there isn't any perfect system, but the way Google implemented things is a harebrained solution.

 

They make contacting them difficult, they DO send emails that just start with "Hello, [problem issue]".  I had my AdMob restricted for like 3 months, on something they said would take 30 days (despite not doing anything wrong); with threat of account termination if they ruled against me (which it wasn't).  There is also no reason to be allowing the words "YouTube Support" as a display name, and not have the email readily shown (Again, in the email it shows no-reply@google.com and if you open the chat there, it again doesn't show the email).  Someone who isn't familiar with the chat could easily expect that it's an official YouTube Support (at which point it puts your guards down).

 

To lay blame solely on him, without expecting change against simple safeguards that Google could put in place I think is a disservice.  I am not expecting perfection, but the way things are currently run isn't right (and is just going to lead more and more less educated people to fall for scams).

 

We will know more about this tomorrow though, since he is going to post a video about it.

 

4 hours ago, Jtalk4456 said:

Had he simply called whatever support line is readily available and said he got that email, they'd be like "nope, wasn't us, why would we need to delete your channel?

Okay, so tell me, who is he suppose to call?  Tell me the number for YouTube Support....or even an email for YouTube Support.  Good luck searching

[adarw]

jim got his chanel back! https://www.youtube.com/channel/UCBNG0osIBAprVcZZ3ic84vw

[WkdPaul]

6 hours ago, adarw said:

jim got his chanel back! https://www.youtube.com/channel/UCBNG0osIBAprVcZZ3ic84vw

I'm expecting a video from all this !

[adarw]

1 hour ago, wkdpaul said:

I'm expecting a video from all this !

i think that almost %100 guaranteed. 

[wanderingfool2]

2 hours ago, valdyrgramr said:

Google, there to hold your hand because you're less educated.  Google, there to childproof your internet.  Google, using bad grammar in every email./s

Not asking for childproof.  I'm asking them to not be so idiotic about their implementation of their services.

 

It's like if Google failed to use SPF, DKIM and DMARC (of course they do used it, but if they didn't).  Yes, users could spot most scams but it brings the level of attack down to the level of virtually anyone (and the ability to make it look a lot more official).

 

Under your logic as well, I could put you at fault for getting your credit card compromised if you entered your pin on a machine that had a skimmer on it and it wouldn't be any fault of the company that had the skimmer put on their machine [because you should have noticed the warning signs of a skimmer]

[WkdPaul]

2 minutes ago, valdyrgramr said:

*snip*

You just have an agenda against them, I get it.

I think you miss the point, he's not putting the blame 100% on Google, but he's pointing out that simple stuff, like obvious UI elements that shows WHO sent the message through their service and the "no-reply" email would help eliminate SOME of the scams and phishing.

 

Being on the other side of this, I can tell you it's annoying when you see stuff that is obvious, but that doesn't mean it's obvious for EVERYONE, and any suggestion to help alleviate that should be taken into account, and in this case, having more details on the original sender WILL help.

[WkdPaul]

20 minutes ago, valdyrgramr said:

Well, this wasn't just anyone.  It was someone who should have known.  Yet, he still fell for it.  Google doesn't mess up punctuation like that, and he pretty much implied he deleted it himself after asking for proof he serms to never have gotten.  He didn't even see that the domain wasn't off.  He also failed to contact YouTube, unlike the other content creator.  They aren't targeting your normal individuals.  They're targeting content creators.

While all true, the points are still valid ; in some versions (mobile and the Hangouts chat in Gmail) you won't see that, and making sure it shows everywhere isn't a bad idea.

 

And while I agree there are red flags, we still don't know what he initially saw and if the screenshot showing the wrong domain was something he saw after, but yeah, I agree that this doesn't excuse the other red flags.

[wanderingfool2]

2 hours ago, valdyrgramr said:

I always check first.  You honestly don't even know if they used a workaround to get past protections in place.  Spoofing, hacking, and more can get around protections.  There is no proof metheod, and you are directly seeking to blame Google whe. It is in no way their fault.

Good for you that you always check first...I'm sure a guy who literally has hacked into scam operations and thwarts hackers must never have the mentality of "checking first".  You are missing all of my point.  I literally said in a lot of my posts that I'm not absolving him of fault...it's an important discussion and saying things like "I wouldn't have fallen for it" doesn't excuse the fact that Google clearly needs to rethink some of their design choices along with policies.

 

Also spoofing, hacking and other ways to get around protection isn't a valid reasoning.  People can get into your house by smashing a window, or hacking your garage door...that doesn't mean you shouldn't put locks on your door.

 

1 hour ago, valdyrgramr said:

Well, according to one of the targeted YTer's, they first email you see the "seems legit" one.  Then they have you download Google Chat, and that's where you see the super fake domain aka the dead giveaway.  I think he also mentioned they want you to follow some shady link too.  He almost fell for it, but he went onto twitter and tweeted at the official YT people, and he ended up getting a response telling him to ignore it and that they're investigating it.

The only reason he got to the point of tweeting to YouTube was because of the domain name...which again, I've shown depending how you access things the domain name could very well not have been shown [Also it took about 2 hours for YouTube to say they were looking into it].  Again it's not absolving him of fault, but it would be foolish to say Google design hasn't played a role in this (actually if one gives Google a pass, it's exactly that kind of thing that gives IT people a bad name, passing the blame to the users and not looking hard into whether things could have been prevented with simple actions).

 

There are also a bunch of cases of Google not replying, and it shouldn't take publicly tweeting a company to get responses (because that is realistically the only way to contact them)

 

So let me ask you this.  Are you okay with the fact that Google allows you to create accounts with the name "YouTube Support", "Google Support", etc.?  Do you think it's acceptable that they allowed through user generated content in a form that mimics official warning emails?  Do you think it's acceptable that a new contact should have only their name displayed in the gmail interface?  Unknown contacts should be easily identified by their email and their display name (rather than just display name).

 

I'm not really going to argue this point much more, because you obviously aren't getting that there is more to it than just saying user error.  I will leave this with a story though (of both user failure and a contractor failure).

 

-Not really on topic but a story about user responsibility and IT department's responsibilities-

A company I worked with early on hosted their own email server.  When I joined, I made sure SPF was setup (DKIM wasn't due to issues with an internal email program).  A data center move was contracted out, 3rd party already had access to the stuff and had done a lot of initial setup work before I had arrived at the company.  Unbeknownst to me, they removed the SPF entry to get the "email working" [we actually had the same IP, it was a different issue].  A few weeks later, an user was hit with a wire transfer scam sent from the president of the company (from "his" email) [who unluckily was on vacation and uncontactable via phone].  The person who received the email started the procedure for a wire transfer...it was only luck that we didn't lose the $100k.  The luck being, the guy who was processing the wire transfer didn't get things done in time...so the transfer was stuck until after the weekend...during that time the president of the company had called the CEO to just get an update on things, which is when the CEO realized what had happened (and luckily was able to contact the bank rep to cancel the wire transfer before it went through).

 

Internally we investigated what happened, the employee got in trouble for not recognizing the scam.  I did some digging into the records and figured out the 3rd party had removed the SPF records (who was subsequently terminated).  Their excuse though for deleting the SPF records was "it doesn't matter, and our users should have been trained better".

 

So the moral of the story being, yes users can be the primary blame...but whenever something like this happens, it's important to look into why it happened (and whether there are any fixes that could have prevented it).  Scams/spam will always happen, but each problem should be looked at to see if there is an easy to implement solution...in this case there are simple steps Google could have taken that would have made the security a lot tighter (without impacting the end user).

[wanderingfool2]

15 minutes ago, valdyrgramr said:

So, if Google has these protections in place, and the phisher/s got around it how are they at fault?  You never verified if Google does or doesn't.  You just blinding are blaming them while the victims are not.  Google restored their accounts.  They also are investigating it, which tells me that they got around the protections in place.  That wouldn't put Google at fault.  That's like using your logic then putting them at fault because the criminal figured out how to get around the locks.  That's on the criminal, not Google.  Again, there's no full proof method.

Google has SPF, DMARC and DKIM in place...but that doesn't matter in this case weren't spoofing emails.  They simply signed up for Google's service, named themselves YouTube Support and had it appear as a valid email because that's how Google does it.  I never said for them to create a full proof method, but the fact that a 5 year old could pull this off and the fact they hide key information that would help prevent this attack is just stupid.

 

In regards to my analogy, if the criminal bypasses the lock using a simple comb pick then yea blame can still be put on the lock maker (looking at you Master Lock...LPL's 1215 video)

 

It's like push doors that use pull handles on them (yea, the user can read push and if they walk into the door and break their nose it's their problem...but if you use pull handles it's still a stupid design and should be corrected)

[wanderingfool2]

https://www.youtube.com/watch?v=YIWV5fSaUB8

 

The video, so he did go to the chat [so the weird address should have been a red flag].  To clarify though, I still believe that Google needs to rectify the way things are handled.

 

If you watch until the end, the way he finally got his channel restored was by following youtube's instructions which was "virtually the same instructions as the scammer". 

[wanderingfool2]

1 minute ago, valdyrgramr said:

Well, they're investigating it to handle the issue

You are basing that on what?  You want to know they sent back after 2 days of investigation

 

Quote

I've just heard back from our internal team and based on the info you gave us, our specialists couldn't find evidence that your Google Account was compromised

So again, it's back to the official YouTube Support being terrible (he explained the situation and their "specialists" couldn't figure out what happened).  They also said there wasn't a way for them to recover a deleted channel...guess what they recovered his deleted channel.

 

I get that it must be very cookie cutter responses, but the fact that they eventually got him to go through very similar steps as the scammer did to recover his account I think speaks larger to how things need to change on Google's end.

 

Anyone interest here are a few timestamps of Google's responses

16:43 [Response email from Google, saying accounts can't be restored]

18:48 [Steps to recover account, similar to scammers]

19:12 [His warning about the Google domain]

[WkdPaul]

42 minutes ago, wanderingfool2 said:

https://www.youtube.com/watch?v=YIWV5fSaUB8

 

The video, so he did go to the chat [so the weird address should have been a red flag].  To clarify though, I still believe that Google needs to rectify the way things are handled.

 

If you watch until the end, the way he finally got his channel restored was by following youtube's instructions which was "virtually the same instructions as the scammer". 

So, the screenshot I posted was legitimate, that's the chat window he opened, and it clearly showed the domain.

 

No offence, but IMO that's enough and it's something he should've looked at. Though I agree that the email he got from the Google chat should have more information about the sender, but nothing more. The signs were all there, and even if the scammer directed him to genuine YT links, the fact that he got a warning about the chanel deletion if he continued should've been another red flag and he should've stopped and verified.

 

I understand and agree that we need to have protection in place for scams (and IMO, the Google chat emails should show the sender's email, as it is now, you can have any username and falsely represent any Google services).

 

But at some point, you can't babysit everyone, and this is a great exemple ; he's knowledgeable about this and his chanel is dedicated to scams, he was not paying attention and made assumptions that lead to this.

[adarw]

btw this didnt only happen to jim, to my knowlead it happend to mudhar aswell 

 

[wanderingfool2]

42 minutes ago, wkdpaul said:

But at some point, you can't babysit everyone, and this is a great exemple ; he's knowledgeable about this and his chanel is dedicated to scams, he was not paying attention and made assumptions that lead to this.

Oh, not denying that you can't babysit everyone...but at a certain point as well companies need to take initiative to not put up stupid interfaces or have user generated contact sent through legitimate Google domains.  It's a good discussion point, I just find that assigning blame on a single individual for falling for a scam just allows companies to get away with silly design choices because you get a bunch of people who lame sole blame on the victim or the scammers.  Had he been a smaller YouTuber, he likely wouldn't have gotten his account back.

 

42 minutes ago, wkdpaul said:

The signs were all there, and even if the scammer directed him to genuine YT links, the fact that he got a warning about the chanel deletion if he continued should've been another red flag and he should've stopped and verified.

That again is a bit of the issue that I have with all of this as well though.  Someone even tweeting at YT and it took about 2 hours to say they were "looking into it"...and what can be been regarding the support email he got (two days later), they aren't past sending conflicting information.  Not saying that Jim Browning wasn't at fault, just that this really does open the issue to clear interface mistakes Google is making on their end.  While he did use the chat.google.com, there are others who could have used the chat portion of gmail.com and at that stage the key red flag disappears.

 

It is impossible to stop scammers...but it definitely shouldn't be this easy for the scammers either.  *Not on topic, but it's like how on Windows 10 "delete" sends things to trash without a prompt...I had to enable the prompt again for my parents because they accidentally hit the delete key things disappear without them noticing then a few weeks later they realize it's missing.  I have a similar gripe about that...I think it creates more problems than it solves*

 

Red flags can look less like red flags when you believe you are talking to legitimate support staff.  [There was a time I had a Microsoft employee once requested to remote a work PC to do diagnostics on it, it seemed super sketch...but was legit...(can't remember why we ran diagnostics...I think it was something like Office 365 being glitched when using a login) the only reason I trusted him was because he was a contact of mine who had help with some MS stuff before...that and the computer was on an isolated network

 

40 minutes ago, valdyrgramr said:

This is the fault of himself not paying attention backed by a good scammer.

The scammer just had better English than most.  The actual scam was a pretty low level type...he didn't even bother hiding his IP address when talking with Jim Browning