A desperate YouTube moderator scam spam

Full marks for inventiveness.

Youtube scam

If you have a YouTube channel, and have had your fill of sifting through the vile torrent of abusive comments left on your video masterpieces, you can invite other people to moderate them.

It’s a simple process that requires you just to enter the URL of another YouTube channel – and a message will automagically be sent to its owner.

So far, so harmless.

Sign up to our free newsletter.
Security news, advice, and tips.

But it turns out that it’s a feature that can be exploited by spammers and scammers. Spammers want to get their unwanted messages into your email inbox, but as anti-spam filters have improved their chances of getting your eyeballs on their messages have reduced over the years.

This inventive spammer has used the “Add comment moderator” feature of YouTube to send me a scam message, claiming that I have “win” (sic) an Apple iPhone X.

Youtube scam email

Hey Graham Cluley,

Lucky you! Have Win Apple iPhone X Get it From : – [URL] has made you a moderator on their channel. As a moderator, you can now remove unwanted comments from videos posted on that channel. Comments you remove will be sent to the creator for their review.

How did they get their spam message injected into YouTube’s standard “you’ve been added as a moderator” email? After all, the email really *does* come from YouTube (making it unlikely to be blocked by spam filters) and it *does* point to a YouTube channel.

It’s simple. The spammer called their channel the rather ungainly “Have Win Apple iPhone X Get it From”, and then included the URL they want their intended victim to click on. All in the actual name of the channel!

Meanwhile the “t.co” link will send you, via Twitter’s URL shortening service, to a third-party site that definitely isn’t friendly. It may be designed to steal your personal information, trick you into signing up for a bogus competition, lead to a webpage harbouring malware, or simply try to sell you something you’re not interested in.

Yes, it’s inventive. But it’s also really rather desperate. The fact that spammers are having to use crazy tricks like this to improve their chances of having their scammy messages seen by humans warms the cockles of my heart.

Oh, and yes, YouTube has now removed the offending channel.

If you receive similar messages, report them and the channel to YouTube so the user can be banned.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.