Fake Sponsorship Emails Are Targeting YouTube Creators

The holiday season leaves everyone more susceptible to scams. YouTube creators, in particular, have become prime targets for cybercriminals.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

A partnership with a prestigious brand like Samsung is the perfect bait, promising not just financial gain but also enhanced credibility. The excitement and rush to finalize holiday content may cause creators to overlook warning signs, such as suspicious email domains or password-protected files.

Since scammers frame these fake opportunities as coming from a top tech brand, making it hard to pass up, it’s crucial to recognize and thwart these malicious attempts.

According to Liron Segev, a Tech YouTuber and YouTube Security Specialist who recently received such an email, the scale of this type of attack is alarming.

“Creators are actively being targeted. We are seeing a massive increase in the number of YouTube creators being hacked and losing their channels to these crypto scams, and this trend is not slowing down,” Segev noted.

Segev shared a sample of the phishing email on social media platform X and provided helpful insights for creators to stay safe:

Check out the video here.

The Phishing Campaign

Bitdefender Antispam researchers were also successful in spotting the phishing campaign targeting content creators, so let’s take a closer look:

Our analysis shows that phishing scams targeting YouTube creators have evolved to appear more professional and convincing. The emails typically use subject lines such as:

· “Commerce (Samsung)”

· “Partnership (Samsung)”

· “Advertising Offer (Samsung)”

These emails direct recipients to a fake Samsung webpage that closely mirrors the legitimate site. Once there, creators are prompted to download a password-protected .rar archive (MaterialsSamsung.rar) file.

Bitdefender researcher Victor Vrabie noted that the malware in this phishing campaign was packed using Heartcrypt, a Packer-as-a-Service (PaaS) tool that lets cybercriminals obfuscate malicious payloads and evade detection. Since its launch, Heartcrypt has been used to pack thousands of malicious payloads of numerous malware families, significantly lowering the technical barrier for attackers. By injecting malicious code into legitimate binaries and employing advanced obfuscation techniques, Heartcrypt enables cybercriminals to bypass robust antivirus solutions.

Bitdefender Antispam Lab has flagged numerous samples of these phishing emails, including many originating from Russian IP addresses and written in English or a mix of English and Russian.

The core of this phishing campaign is the deployment of infostealer malware. Here’s the process:

Creators download the malicious .rar archive from the fake Samsung website.
Once extracted, the malware infiltrates the victim’s device, extracting stored credentials, authentication tokens, and other sensitive data.
Using this information, attackers bypass two-factor authentication and take over the victim’s YouTube account.
The compromised channel is then used to promote crypto scams, often streaming fake giveaways to lure unsuspecting viewers.

YouTubers Big and Small Are in the Crosshairs

“There is a big misconception that only big channels are targeted,” Segev’s explains. “That is simply not true. Smaller YouTube channels are at risk just as much as big channels are. Hackers know that creators would rather spend their time working on their latest video than learning about the latest security vulnerability.”

Segev’s observation aligns with previous Bitdefender Labs research into stream-jacking attacks on YouTube (Deep Dive into Stream-Jacking Attacks and Stream-Jacking 2.0). The studies show how hackers exploit vulnerabilities in smaller channels as well as larger ones, often leveraging account takeovers to launch crypto-doubling scams through live streams or deepfakes. These findings highlight the wide-reaching impact of such scams and the persistent threat to all creators, regardless of channel size.

Segev continues:

“The sad thing is that in most cases I’ve investigated, the hack could have easily been prevented by simply understanding how hackers gain access. In this case, recognizing that no brand would send material in a password-protected file would have stopped the attack. Too many creators rely on two-factor authentication (2FA) as a security blanket, but as we see in this case, 2FA can be bypassed with Infostealer malware. Creators need to understand the threats and take steps to protect their channels, especially if they rely on YouTube for their income.”

Top 5 Tips to Boost Your Social Media Security

How Creators Can Protect Themselves

YouTube creators must remain vigilant as hackers ramp up efforts to exploit them during the Holiday Season. Fake sponsorship emails like these not only jeopardize their accounts but also threaten their livelihoods. Here’s what you can do to stay safe

Know The Red Flags:

Be wary of unsolicited emails offering partnerships.
Avoid downloading password-protected files.
Double-check sender domains and links before engaging.

Stay Informed

Take time to learn about common phishing tactics.
Regularly update yourself on cybersecurity best practices.

Strengthen Security:

Use hardware-based security keys or app-based authentication instead of SMS-based 2FA.
Install a robust cybersecurity solution like Bitdefender Security for Creators.

Bitdefender Security for Creators is the first comprehensive solution designed specifically for YouTube creators and influencers. With 24/7 account monitoring, advanced hacking prevention, and anti-phishing protection, you can focus on creating content while we safeguard your digital assets, reputation, and income.

Don’t let cybercriminals erase years of hard work. Visit Bitdefender Security for Creators to learn more and subscribe today.

Stay Safe and Happy Holidays!