Uncovering a long-lasting porn spam campaign on YouTube | (NSFW, maybe)
In December 2022 I stumbled upon an interesting YouTube comment-based campaign, which promoted a shady camgirl / porn website through a clever use of YouTube features. I screengrabbed some video evidence and took a quick look at the campaign, but I didn’t have time to allocate for this back then.
I had forgotten the whole thing until in late April 2023 I saw the same campaign still going strong, still using exactly the same vectors in YouTube, still promoting the same site.
And this time I took a closer look, going through the rabbit hole of sus af adult website promotion. For science!
Train by day, Joe Rogan podcast by night – all day
It all starts with the powerful Joe Rogan Experience. Although to much disappointment of his fans, the podcast went Spotify exclusive in 2020, but at least clips of the show are still published on YouTube. These few minute snippets regularly reach a couple of million views each. That’s a lot of eyeballs, many of which also read the (top) comments. That’s where we find out spam campaign.
This is a screenshot of a video I recorded in December 2022, roughly an hour after “An Apocalyptic Moment – JRE Toons” was published. A dozen or so (possibly more) of the top comments shared the same characteristics:
- profile pic of a woman in skimpy clothing
- profile name either something to draw your attention or a generic woman’s name
- and most baffling of all, the comments were exactly what you would expect to see for this video. They were not generic, on the contrary, if you’d not see the commenter names or profile pics, you couldn’t tell these apart from rest of the comments.
This lent credibility to the assumption I had at the time that the accounts in question were hijacked after they made those comments. That’s some rapid-fire account takeover work right there.
Now four months later as I revisited the video to see if those comments would still be up, this is what I found:
So, it looks like these accounts were stolen, and subsequently returned by YouTube to their original owners. For some reason all of them had lost Likes but could still be easily found among the top comments (although not among top 10 anymore).
There’s one major exception, however. This was the top comment when I recorded the video:
And when I looked for it now, this is what I found:
Looks like this account was taken over after I recorded my video, and the original owner either hasn’t been able to reclaim it or hasn’t bothered to do it. The comment lost some Likes again, but the account had gained 157 subscribers in return during these four months. Sex sells – and gets subs.
On YouTube mobile client, you can also conveniently check what other comments the account has left on the channel. This is another easy way to determine if an account has been created e.g., for a spamming purposes, or if it has been stolen. Clearly we can see that the latter has been the case here:
We need to go deeper
Clearly, the aim of these profile pics and names is to get thirsty guys to click on the profile. And when they do, this is what they saw in December:
All of them displayed a Playlist on their channel main page (side note: many don’t know this, but you can actually feature any public Playlist on your own channel) and had the same banner image.
Both recently published videos in the playlist (note: videos are from two different channels, possibly to increase the resilience of this campaign. More on this later.) point to video comments, which then finally direct the guys – who’ve gone this far down the rabbit hole – to the adult website.
Also, notice how the URL starts with “youtube.com”. Not sure if this is done to evade YouTube’s countermeasures and automatic link blocking, or to trick people into thinking this “livestream” is happening on YouTube. Possibly both.
Combat evolved
As said, I did stumble upon this same campaign now four months later. Some things have changed, but not all. Here are some of the top comments from “What’s Next for Tucker Carlson After Leaving Fox News“, a Joe Rogan Experience clip published April 27th:
So far it’s the same old same old. But when clicking through to those profiles, we can see some differences:
The shared Playlist is now gone, and instead banner images point to “About” section of the profile. Over there you can see the same link which is also overlaid on the banner image. Note that even though the banner images promote cute20[.]us, the links still point to cute18[.]us in both cases. And one does not simply go to cute18:
Looking at the two other examples, we can see that one of them still has the old Playlist tactic going on, while the other one is closer to the channels above:
The Playlist name has changed slightly, the video has been reuploaded with a new CTA text overlay, and it is likely published on a new channel. As you can see, the text on top of the video promotes cutegirl22[.]com which is the same site as promoted in December, but actually the links on both of these profiles’ About section and in this specific video point to yet-another-site.
(Side note: “Adira Allure” channel which hosts this unlisted video – and 0 public videos – was created February 4th, 2023. It has amassed 927 subscribers (why?!) and this video alone has, at the time of writing, 306K views. So even though there’s seemingly many hoops to hop through in this spam campaign, it has still gained some serious exposure. And of course, we don’t really know if there are other similar unlisted videos shared this way.)
Same YouTube redirect link trick in play, and hotgirls20[.]com further redirects to a site which “xPreameL★” also promotes on their channel page.
The final URL in a chain of redirects is bevzrv[.]unfamiliiardates[.]net – yes, a lot less sexy sounding site. It has a couple of different front pages which it rotates, but I’m not going to share those here.
Policy? Never heard of it.
Even though these spammers are using multiple layers in this scheme to eventually direct people off YouTube, everything they do is still covered and most definitely forbidden by YouTube’s External links policy. In fact, the fist bullet point of the policy covers all links to pornography. In addition, the policy lists the following:
This policy applies to video, audio, video descriptions, comments, pinned comments, live streams, and any other YouTube product or feature. Links can take any form that would direct a user to a site off YouTube, including: clickable urls, showing text of urls in videos or images, obfuscated urls (e.g., writing “dot com” instead of “.com”), verbally directing users to other sites via video or audio, or encouraging viewers to visit creator profiles or pages on other sites. Please note this is not a complete list.
So, unfortunately what YouTube does adequately and rather thoroughly prohibit in their policy, they’ve failed do develop the concrete countermeasures to deal enforce the policy. As far as I can tell, the system is mostly reliant on users’ reports, which are then automatically and manually (no idea how that split is managed) checked and dealt with accordingly.
Since this spam / promotion campaign has been going on for at least four months by now (and mostly unchanged, I must add), it’s clear that this system is not working. I can imagine that scaling countermeasures to cover the whole platform is an immense undertaking, especially since these people who are abusing the platform right now are doing it in rather smart ways. Some day I’d love to have a chat with YouTube’s engineers to hear how they’re tackling these issues.
Anyway, the best that we can do right now is to keep reporting these accounts to YouTube and hope that some day the odds in this cat-and-mouse game flips against the adversaries.
*** This is a Security Bloggers Network syndicated blog from Privacy & Security – Joel Latto authored by Joel Latto. Read the original post at: https://joellatto.com/2023/04/28/uncovering-a-long-lasting-porn-spam-campaign-on-youtube-nsfw-maybe/