{“lastseen”:”2026-04-15T14:10:17″,”description”:”A convincing phishing campaign is going after YouTube creators, and if it works, attackers don’t just steal your Google login. They can take over your entire Google account, including Gmail, your files, and payments, then hijack your YouTube channel and use your audience to run scams.\\n\\nThe lure is a fake copyright strike notification that’s so convincing even security-aware users could fall for it. The attack site pulls in your real channel data, such as your profile picture, subscriber count, and latest video, to build a personalized scare page. It funnels you toward a sign-in page designed to steal your Google account. \\n\\nThe operation runs like a franchise: multiple attackers share the same platform, each running their own campaigns against different creators.\\n\\n## **Why your YouTube channel is worth more than you think**\\n\\nFor full-time creators, a YouTube channel isn\u2019t just a hobby, it\u2019s a business. It generates revenue through ads, sponsorships, and merchandise. And it all sits behind a single Google login that also controls your Gmail, Google Drive, and payment details.\\n\\nThat\u2019s what makes creators such attractive targets. Attackers who hijack a channel often rebrand it within minutes, typically to impersonate a cryptocurrency company, and use the existing audience to livestream scams. The original creator gets locked out and watches their years of work being used to defraud their own subscribers. \\n\\nA copyright strike is the perfect bait because it exploits the one thing creators fear most: losing their channel overnight.\\n\\n## **\u201cCheck your Youtube copyright status instantly\u201d**\\n\\nThe campaign runs from a site called `dmca-notification[.]info`. The browser tab reads \u201cYoutube | Copyright strikes,\u201d and the page itself looks clean and professional, complete with YouTube logo, search bar, and helpful instructions. \\n\\n\\n\\nIt invites you to enter your channel name, @handle, or video link to check your copyright status. Nothing about it stands out as immediately suspicious. \\n\\nEach phishing link includes the target’s channel handle directly in the URL, so the page already knows who you are before you type anything. \\n\\nThe source code contains a tracking flag called `suppressTelegramVisit`, which changes how visits are logged depending on whether an affiliate parameter is present. This suggests the operators may be coordinating traffic through Telegram, although the kit could be distributed through any platform.\\n\\n## **Your own videos, used against you**\\n\\n\\n\\nOnce the page has your channel name, it fetches real data from YouTube: your avatar, subscriber count, video count, and your most recent upload (including its title, thumbnail, and view count). That information is then used to build a fake copyright complaint.\\n\\nYou see your own branding alongside a claim that a specific segment of your latest video has been flagged for copyright infringement. The timestamps are dynamically generated for each victim based on the video\u2019s length, making each notice look unique and legitimate. It\u2019s similar to receiving a fake legal notice that includes your real home address. The personal details make it harder to dismiss as spam.\\n\\n## **\u201cRespond within three days or face enforcement actions\u201d**\\n\\n\\n\\nThe page piles on the pressure. A warning tells you that deleting the video won\u2019t remove the strike. A red notice threatens that if you don\u2019t respond within three days, your channel will face enforcement actions. The proposed fix is simple: sign in with Google to verify you\u2019re the channel owner, and the claim will be resolved within 24 hours.\\n\\nEvery element on the page is designed to push you toward the \u201cLogin via Google\u201d button before you stop to think.\\n\\n## **The sign-in page that steals your account**\\n\\nWhen you click that button, the site contacts its own backend server to fetch the address of an external phishing page, one that the attacker can swap out to a new domain at any time. \\n\\nIn observed traffic, the request to `\/api\/get-active-domain` returned the domain `blacklivesmattergood4[.]com`, which was then loaded inside a full-screen overlay on top of the copyright notice page.\\n\\nWhat appears next is a classic Browser-in-the-Browser attack: a fake Chrome pop-up rendered entirely in HTML and CSS. It includes a title bar reading \\”Sign in – Google Accounts – Google Chrome,\\” a padlock icon, and a URL that looks like `accounts.google.com`. None of it is real. They’re all just graphics. The only real address bar is the one at the top of your actual browser, which still shows `dmca-notification[.]info`.\\n\\nInside the fake window sits a convincing replica of Google’s sign-in page. It looks exactly like the real thing, but every keystroke goes to the attacker. \\n\\n\\n\\nTraffic capture also showed attempts to contact additional domains\u2014`dopozj[.]net`, `ec40pr[.]net`, and `xddlov[.]net`\u2014which returned 502 errors at the time of capture. These may be backup infrastructure or credential relay servers that were offline.\\n\\nThe rotating-domain approach is what makes this campaign resilient. The phishing domain is fetched in real time with no caching, allowing attackers to rotate infrastructure quickly. If one domain is taken down, the next victim is sent to a new one.\\n\\nOnce credentials are entered, the overlay closes and the victim is returned to the copyright notice page with no confirmation or error . It gives the attacker time to use the stolen credentials before the victim realizes anything happened.\\n\\n## **Big channels get a free pass (on purpose**)\\n\\nOne interesting detail: the kit checks whether the target channel has more than three million subscribers. If it does, the entire phishing flow is skipped. Instead of the copyright strike warning and login button, the page shows a benign message: \u201cYour channel is in good standing. No further action is needed.\u201d\\n\\nThis is almost certainly an evasion tactic. Very large channels are more likely to have dedicated security teams, relationships with YouTube\u2019s trust and safety staff, or the visibility to trigger a rapid takedown if they publicly report the scam. By automatically exempting them, the kit reduces the risk of drawing attention from exactly the people most capable of getting the operation shut down. \\n\\n## **Not just one scammer**\\n\\nThe source code reveals that this isn’t a single phishing page run by one person. The kit includes an affiliate tracking system where each attacker gets their own ID embedded in the phishing links they send out. A central backend tracks which operator delivered which victim and how far each target got through the funnel. Our traffic capture confirms this: the phishing link included a referral ID (`ref=huyznaetdmca`), the default affiliate tag, which appears to be a transliteration of a Russian phrase. Brand names like Google and YouTube are also written with lookalike Cyrillic characters in the source code to evade automated security scanners.\\n\\nIn short, this is phishing-as-a-service: a shared platform that multiple attackers can use to run campaigns against YouTube creators at scale.\\n\\n## **How to protect yourself**\\n\\nThis campaign is a reminder that phishing has moved far beyond badly spelled emails from a Nigerian prince. Today\u2019s phishing kits are professionally engineered platforms with rotating infrastructure, real-time personalization, and franchise-style distribution. \\n\\n**For YouTube creators, the key rule is simple: copyright strikes only appear in YouTube Studio.**\\n\\nIf you get a warning anywhere else, treat it as suspicious.\\n\\n * Be wary of urgency. Real copyright processes don\u2019t rush you into action\\n * Go directly to studio.youtube.com or through trusted channels to check your status\\n * Never sign in through a link in an email or message\\n\\n\\n\\n**Spot a fake browser window**\\n\\n * Try dragging it: A real window moves freely. A fake one is stuck inside the page\\n * Minimize your browser: A real pop-up stays open. A fake one disappears\\n * Check the URL: If you can\u2019t interact with it, it\u2019s just an image\\n\\n\\n\\nEven if everything looks right, always check the actual address bar before entering your username and password.\\n\\n**If you\u2019ve already entered your details, act quickly:**\\n\\n * Change your Google password immediately\\n * Revoke active sessions in your account security settings\\n * Check your YouTube channel for unauthorized changes\\n\\n\\n\\n## **Indicators of Compromise (IOCs)**\\n\\n**Domain**\\n\\n * `dmca-notification[.]info` (primary phishing site)\\n * `blacklivesmattergood4[.]com` (credential harvesting domain \u2014 active at time of capture)\\n * `dopozj[.]net` (associated infrastructure \u2014 502 at time of capture)\\n * `ec40pr[.]net` (associated infrastructure \u2014 502 at time of capture)\\n * `xddlov[.]net` (associated infrastructure \u2014 502 at time of capture)\\n\\n\\n\\n* * *\\n\\n**We don ‘t just report on scams\u2014we help detect them**\\n\\nCybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we\u2019ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.”,”published”:”2026-04-15T13:21:25″,”modified”:”2026-04-15T13:21:25″,”type”:”malwarebytes”,”title”:”Fake YouTube copyright notices can steal your Google login”,”source”:””,”references”:””,”id”:”MALWAREBYTES:33AD7722F2C472C7E0CE383864597731″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/04\/fake-youtube-copyright-notices-can-steal-your-google-login”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-15T14:10:17″,”description”:”A convincing phishing campaign is going after YouTube creators, and if it works, attackers don’t just steal your Google login. They can take over your…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-47201","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n