The CyberSignal

Fake YouTube Copyright Alerts Target Creators in Massive Account Hijacking Campaign

Nicholas Robert

16 Apr 2026 — 2 min read

A highly sophisticated phishing operation is utilizing hyper-personalized "copyright strike" warnings to bypass security instincts and seize full control of Google accounts and YouTube channels.

MOUNTAIN VIEW, CA — A new and alarmingly convincing phishing campaign is currently targeting YouTube creators, leveraging their greatest fear: the sudden loss of their channel. According to a technical analysis by Malwarebytes, attackers are sending fake copyright infringement notices that do more than just steal passwords — they facilitate a complete takeover of the victim’s Google ecosystem, including Gmail, Drive, and financial data.

The campaign, which operates from the domain dmca-notification[.]info, is noted for its unprecedented level of personalization. Unlike generic spam, these notices include the creator's real branding and specific video data, making the lure nearly indistinguishable from a legitimate YouTube communication.

Red Flag | Protective Action
External Login Link | Never sign in via an email link. Navigate directly to studio.youtube.com.
Unmovable Pop-up | Try to drag the login window outside the browser. If it's stuck inside, it's fake.
Suspicious Domain | Check the URL bar for dmca-notification[.]info or other non-Google domains.

The Architecture of the "Scare Page"

The attack begins with an email or message claiming a segment of the creator's latest video has been flagged. When the victim clicks the link, they are directed to a professional-looking "YouTube | Copyright strikes" portal.

The site dynamically pulls the target's actual channel data — including their profile picture, subscriber count, and most recent upload. To add a layer of forensic realism, the page even generates specific, fake timestamps for the alleged infringement based on the actual length of the creator's video. This level of detail makes the notice difficult for even tech-savvy users to dismiss.

The "Browser-in-the-Browser" Trap

The final stage of the theft occurs when the user clicks a "Login via Google" button to contest the strike. Instead of a new tab, the site generates a fake browser window inside the webpage. This window looks exactly like a standard Google sign-in prompt, complete with the correct fonts and UI elements.

However, every keystroke entered into this overlay is sent directly to an attacker-controlled backend server. Because the window is just a graphical element drawn by the page, everything it displays is under the attacker's control, so checking the URL shown in the pop-up no longer works as a safeguard. Once the credentials are harvested, the victim is silently redirected back to the notice page, often without realizing their account has already been compromised.


The CyberSignal Analysis

Signal 01 — The Professionalization of Phishing

This campaign represents the "professionalization" of social engineering. By moving away from bulk spam toward high-detail, data-driven impersonation, threat actors are successfully targeting high-value individuals like influencers and digital entrepreneurs. The "Signal" here is that public data (subscriber counts, handles, video lengths) is now being weaponized in real-time to build trust.

Signal 02 — The Death of the "Visual Check"

For years, users were taught to look for the "Google Sign-In" UI as a mark of safety. The use of the "Browser-in-the-Browser" (BitB) technique renders visual checks obsolete. Creators must pivot to a zero-trust navigation model: never sign in via a link provided in an alert. If a copyright strike is real, it will only appear within the official YouTube Studio dashboard.
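
The domain check from the red-flag table, written as a link-triage function a mail filter or help desk could run before anyone clicks (an added example, not code from the article or from Malwarebytes). The allowlist, function names and sample links are assumptions; only dmca-notification[.]info comes from the article.

```javascript
// Added example: triage of sign-in links found in a "copyright strike" message.
// TRUSTED_HOSTS, classifyLink and refang are illustrative names (assumptions).
const TRUSTED_HOSTS = ["accounts.google.com", "studio.youtube.com"];

// Turn a defanged indicator (hxxps://, [.]) back into a parseable string.
function refang(s) {
  return s.trim().replace(/^hxxp/i, "http").replace(/\[\.\]|\(\.\)/g, ".");
}

// Campaign domain as reported in the article, stored defanged.
const REPORTED_DOMAINS = ["dmca-notification[.]info"].map(refang);

function classifyLink(raw) {
  let url;
  try {
    url = new URL(refang(raw));
  } catch {
    return { verdict: "invalid", host: null, reasons: ["not a parseable URL"] };
  }
  // URL.hostname is the host the browser actually contacts; strip a trailing dot.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const reasons = [];
  if (url.protocol !== "https:") reasons.push("not https");
  if (url.username || url.password) reasons.push("userinfo before '@' hides the real host");
  if (REPORTED_DOMAINS.some((d) => host === d || host.endsWith("." + d))) {
    reasons.push("matches reported campaign domain");
    return { verdict: "known-bad", host, reasons };
  }
  if (!TRUSTED_HOSTS.includes(host)) {
    // Exact match only: a trusted name used as a prefix or label is a lookalike.
    if (TRUSTED_HOSTS.some((t) => host.includes(t))) reasons.push("trusted name embedded in another domain");
    reasons.push("host is not an allowlisted sign-in host");
  }
  return { verdict: reasons.length ? "suspicious" : "trusted", host, reasons };
}

// Constructed sample links (only the campaign domain comes from the article).
const SAMPLES = [
  "https://studio.youtube.com/",
  "hxxps://dmca-notification[.]info/strike",
  "https://accounts.google.com@dmca-notification.info/",
  "https://accounts.google.com.signin-check.example/login",
];
for (const s of SAMPLES) {
  const r = classifyLink(s);
  console.log(r.verdict.padEnd(10), r.host, "|", r.reasons.join("; "));
}
```

The verdict depends only on the parsed hostname, never on how the link or the page looks, which is the one property a drawn sign-in window cannot forge.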


Sources

Type | Source
Technical Intel | Malwarebytes: Technical Analysis of Copyright Phishing
Threat News | Security Boulevard: YouTube Creator Alert
