

blazehedgehog
@blazehedgehog

Back in December, I got an email from someone claiming to be Team Cherry, the developers of Hollow Knight. This "marketing liason" was offering me early access to the sequel/expansion, Silksong, to review.

A screencap of the Team Cherry website warning users of impersonators.

A friend with connections to the game press quickly pointed out that the real Team Cherry wasn't sending out early access review codes and that they were actually warning users about impersonators on their "Contact Us" form. The email I received was a scam from someone looking to infect me with malware and/or steal my identity. (I wrote a Twitter thread about it here)

About a month later, as I was wrapping up work on my "Definitive way to Play Sonic Adventure 2" video, I received another email, this one claiming to be someone from Frontier Foundry asking to sponsor an upcoming video for the release of "Deliver Us Mars." I told them I already had a sponsor for the Sonic Adventure 2 video, and after I was done, I was planning on taking a holiday. They got weirdly pushy with me, saying I could "make a short video" and put the brand deal there. I was too busy finishing the SA2 video, so I ignored them and moved on.

Now another month later, I find myself finishing a quick little video and thinking about that Frontier Foundry offer again, but upon looking at it with fresh eyes, it also was a clear and obvious scam. Just like with the fake Team Cherry offer, the person isn't listed as an employee at Frontier Foundry, the email they sent the offer from seems to be a personal email address that doesn't match who they said they were, and the "Contract" they tried to force on me was a huge Google Drive zip file that was password-protected to prevent me from seeing what was inside before I downloaded it. The fact that they were so pushy with me suddenly started making a lot more sense.

As icing on the cake, I tried to ask the person for proof of identity, and in the month+ since we last talked to each other, their email address has been forcibly closed by Gmail.

An image showing that this impersonator's email account has been closed or otherwise locked by Gmail.

If you're an up-and-coming content creator, please be careful and be aware of tactics like this. It's easy to get starstruck by the idea that you're special enough to get picked for a sponsorship deal or an exclusive beta, but always research WHO is sending you that email and NEVER be afraid to ask for proof of identity. Go over their heads and check with the employer they claim to be from if you need to.

Be smart, protect yourself, and stay safe out there.


blazehedgehog
@blazehedgehog

Just got another one, this one claiming to be PR for Mundfish, developers of Atomic Heart.

An email claiming to be a PR manager at 'mundfish.info', even though the official website is mundfish.com

The email is attached to a .info site, registered through NameCheap. The official website is mundfish.com, and was registered via GoDaddy. I have already reported the .info site to NameCheap's legal department for investigation.

Note that they want to send me a script to read, which, like the Frontier Foundry Google Drive link, would probably be the malware infection vector. Again, having done actual brand sponsor deals now, I know exactly how this goes -- for my SNHU read, the brand worked through a dedicated management company that had a professional website set up that hosted stock footage for me to use in my ad read. They were adamant I wrote and personalized my own script.

Everything was above board and plainly visible. There were no password encrypted zip files. I always knew exactly what I was downloading. Nothing was ever hidden, suspicious, or aggressive.

I don't want to be paranoid, but I'm also noting the fact this is from a "James" with no last name attached. The first two attempts gave me a last name, making it easy to look up and verify if they were an employee. By just saying "James" they can cast a much wider net and make it less obvious they aren't employed where they say they are. Given that these don't seem to be coming from an automated bot and are the work of a human person that seems to be targeting me with a specific angle, I do wonder if maybe they've seen my posts about this and are trying to make it harder to verify their identity.

That being said, according to LinkedIn, Mundfish does not employ even a single James.

Unlike the first two, where I wasn't really paying close attention and accidentally initiated a conversation with these people, I have no intention of replying to this doofus.


mcc
@mcc

Thinking about these posts while reading this article

"mybroadband" theorizes Linus Tech Tips was taken out in this exact way :(




in reply to @mcc's post:

I don't think this is impossible, but goodness sake, Linus has a crew of like 40 people, why the heck is the person exploring sponsorships on a computer that has the YT stream key? Unless I'm seriously misunderstanding something. Shouldn't it be obvious those need to be different computers?

My understanding is on YouTube there's only one key. I frequently hear YouTubers complaining about this, like that they want to hire someone to moderate their comments and add captions to videos and stuff but they can't do that kind of stuff without giving them full driver privileges to the account.

Absurd that for a channel that large, YouTube does not have some automatic stops built in. The article mentions the Advanced Protection Program, but just as standard "Suddenly changing the channel name and mass removing videos", especially above certain view counts, seems like pretty obvious red flags that should pump the brakes enough for staff to look at it. Especially for a scam that keeps happening over, and over, and over on YouTube.

Yeah, seriously. Also, notice this quote in the article from Paul Hibbert, another YouTuber who was hacked in this way:

"'If a hacker is actually logged in as you using your cookies — which is what they did to me — they can use your existing login to go in and change all of your two-factor authentication without first providing a two-factor authentication key,' he said."

This seems… bad, maybe.

One of my colleague's son's Discord was hacked in a similar fashion. He was contacted by a friend, probably also hacked, claiming to have made a video game and asking to try it.

Looks like they target everyone, big and small.