Scammers took over three popular YouTube channels and used them to impersonate the official SpaceX channel and collect cryptocurrency from viewers, according to Lisa Vaas at Naked Security. The channels played fake livestreams of Elon Musk being interviewed and promoted bogus cryptocurrency giveaways. One of the hijacked accounts had 230,000 subscribers, while another had 131,000. The scammers made nearly $150,000 worth of Bitcoin before YouTube shut them down.
These scams work by tricking people into making a small payment in the expectation that they’ll get double their investment back. They’re typical instances of 419 fraud, the advance-fee scam best known as the “Nigerian prince” come-on and named after section 419 of the Nigerian criminal code, which forbids it. You’d think this scam would be thoroughly exposed by now, but unfortunately the approach still finds victims.
Most people would indeed see through this scheme if it were presented to them by a random person on the internet, so the scammers need to make it appear as though the cryptocurrency is being given away by a rich, tech-savvy, high-profile figure. This is why Elon Musk is a common theme in these scams. Vaas also explains that hacking into already-popular, legitimate accounts gives the scammers an outsized level of influence as well as a veneer of legitimacy.
“If you’re a scammer looking to fleece a crowd of loyal followers to pitch one of these scams to – as in, somebody else’s loyal followers – the easiest thing to do is take over an existing account,” Vaas writes. “We don’t know how the SpaceX scammers got hold of the YouTube channels they hijacked, but one (unfortunately likely!) possibility is that the channel owners reused their credentials somewhere else. If there was a breach at one of the other places where the rightful account holders used the same username/password, then automated tools could have made it a snap for crooks to take the breached credentials and plug them in to see what other accounts they’d unlock.”
New-school security awareness training can give your employees a healthy sense of skepticism to help them avoid falling for these kinds of scams.
Naked Security has the story: https://nakedsecurity.sophos.com/2020/06/11/bitcoin-scammers-take-youtube-channels-for-a-spacex-ride/