To make their victims more compliant, online scammers often imply that something of value is under threat if immediate action isn't taken. Bank accounts are often mentioned but nothing is off limits. A scam currently doing the rounds warns of copyright strikes on genuine YouTube accounts, but after targeting a security researcher, the scam's secrets are now public.

The popularity of user-generated content sites like YouTube has led to millions of regular people becoming proud content creators in their own right.

Since YouTube content creators are also copyright holders, this can lead to a new perspective on the purpose of copyright law. To keep things running smoothly, content creators also need to respect any copyrights held by others.

Not doing so could lead to copyright complaints from third parties. If a YouTube account receives three copyright strikes, it can be permanently terminated, taking all videos, views, subscribers, even creative momentum away. Fortunately, most careful YouTubers never experience copyright problems.

But out of nowhere, disaster can still strike.

(Image: youtube-bogus-dmca1, the bogus copyright notice)
The message above was received by YouTuber John Hammond just this week. In common with similar emails received by other YouTubers recently, it mentions a genuine video he created and uploaded to YouTube. It even cites the correct YouTube URL.

But Hammond is not just a YouTuber, he’s also a cybersecurity researcher, and this didn’t feel right.

Clever Opening Shot – But Not That Clever
By including genuine information in the message and coupling that with the genuine fear of account loss, the scammers hoped that panic would lead to urgency, and that urgency would lead to less scrutiny. Hammond didn’t panic, he knew his video didn’t violate copyright.

The message was sent to Hammond via Google Drive, in PDF format. YouTube would never do that. Warnings appear in users’ YouTube accounts so viewing them there is always the best option – unless you’re a cybersecurity guy with a penchant for rabbit holes.

Hammond followed up by doing what the message asked. He clicked the ‘Open Full Report’ button for more information and found himself transported to an obviously-not-YouTube URL, with his email address tagged on the end. This is rarely a good thing.

(Image: youtube-bogus-dmca2, the 'Open Full Report' link and redirect)
Hammond found that the destination site acted differently depending on the user’s browser (such as Chrome or Firefox) but eventually redirected to files stored on Dropbox.

Needless to say, YouTube doesn’t deliver files to its users like that.
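The chain above carries two tells that can be checked mechanically: the 'report' link lives on a host that is not YouTube and carries the recipient's own address, and the final hop lands on a file-sharing service serving an archive. The following is an added example (not code from the original article or from John Hammond) that triages each hop of such a redirect chain; the URLs in SAMPLE_CHAIN are constructed placeholders on a .example domain, not the scam's real infrastructure, and the domain lists are assumptions for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed for this example; these are NOT the scam's real URLs.
SAMPLE_CHAIN = [
    "https://youtube-copyright-review.example/open-full-report/creator@example.com",
    "https://www.dropbox.com/s/abc123/YouTube%20Copyright%20Report.zip?dl=1",
]

# Assumed for the example: registrable domains a genuine creator notice would use.
FIRST_PARTY = {"youtube.com", "google.com"}
# File-sharing hosts commonly abused to stage payloads (assumed list).
FILE_HOSTS = {"dropbox.com", "dropboxusercontent.com", "mediafire.com", "mega.nz"}
# First-party, but not a channel YouTube uses for strike notices.
DRIVE_HOSTS = {"drive.google.com", "docs.google.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def registrable(host):
    """Crude eTLD+1 (last two labels). Fine for .com/.nz, wrong for co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(url):
    """Return the host and a list of red flags for one hop of the chain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = unquote(parts.path)
    tail = path + "?" + unquote(parts.query)
    flags = []
    if registrable(host) not in FIRST_PARTY:
        flags.append("not-first-party")
    if EMAIL_RE.search(tail):                       # recipient tracking in the URL
        flags.append("recipient-identifier-in-url")
    if registrable(host) in FILE_HOSTS or host in DRIVE_HOSTS:
        flags.append("file-sharing-host")
    if path.lower().endswith(ARCHIVE_EXT):          # payload staged as an archive
        flags.append("archive-download")
    return {"host": host, "flags": flags}


def triage_chain(urls):
    """Triage every hop; one flagged hop is enough to call the chain suspicious."""
    hops = [triage(u) for u in urls]
    verdict = "suspicious" if any(h["flags"] for h in hops) else "clean"
    return {"hops": hops, "verdict": verdict}


if __name__ == "__main__":
    result = triage_chain(SAMPLE_CHAIN)
    for hop in result["hops"]:
        print(hop["host"], hop["flags"])
    print("verdict:", result["verdict"])
```

Run it against the real redirect chain by pasting each Location header into the list; the flags are deliberately independent so a link that fails only one check (for example a genuine Google Drive share) still shows up for review rather than being waved through.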

Beware of Unnecessary Links, Multiple Downloads
By this point, Hammond was supposed to believe that YouTube communicates with creators via Google Drive, using a Gmail account, in questionable English. According to the text in the notification above, he was also supposed to believe that YouTube hadn't yet decided whether he should get a strike or not.

This ray of hope draws the target’s attention towards the outcome of the supposed copyright ‘moderation’ process and away from the bogus copyright notice. Given the warning’s claim that any decision will stand if the user doesn’t read the full report, one can imagine that some might be tempted.

After clicking ‘Open Full Report’ for entirely different reasons, Hammond was served with a file that had been hosted by the attackers on Dropbox. It was named “YouTube Copyright Report” and came with a ZIP extension, meaning that extraction would take place on the user’s machine.

In general, users should be extremely cautious of files that appear on their machines as part of a process they didn’t initiate themselves, especially when the event comes out of the blue. Never trust a stranger bearing ZIPs, it rarely ends well.

(Image: youtube-bogus-dmca3, Process Monitor output from the sandboxed ZIP contents)
Using Process Monitor on Windows 11 (inside a VM), Hammond found that the file tried to discover device information, checked if any anti-virus was running, and then repeatedly tried to contact what appeared to be an IP address in Finland.

Conclusion: RedLine Stealer Malware
We looked a little closer at the Finland-linked IP address and found a lot of interest in Russia, a characteristic it shares with the domain previously highlighted by John Hammond in the URL containing his email address. In respect of the latter, many other similar domains are linked and could be just as malicious, but something else caught our eye too.

After tests on the domains and IP addresses, we discovered similar URLs containing other people’s email addresses and usernames. We were able to directly link one of the email addresses to an active YouTuber who may have been targeted with a similar bogus copyright complaint.

We haven’t received a response to the warning email we sent him earlier but the situation is potentially very serious. Hopefully he bailed on the process early enough.

(Image: youtube-bogus-dmca4, related domains and targeted addresses)
While technically experienced YouTubers may not fall for this kind of scam, it’s not difficult to see how someone who really values their YouTube channel might act emotionally in the heat of the moment.

That being said, the scam cannot survive when a user has a clear understanding of YouTube’s ‘strike’ system and the methods used by the platform to communicate problems. Becoming familiar with these processes isn’t difficult but if there’s any doubt, log into YouTube, read any messages and before clicking anything, ask someone.

Nothing is so urgent it can’t wait, despite what the scammers say.