Group-IB, an international cybersecurity company and Skolkovo Foundation resident that specializes in cyberattack prevention, has discovered a new fraudulent scheme that exploits the popular streaming platform Twitch.

According to the company, scammers have been copying streams from popular gamers, adding banners that promise viewers a chance to win easy money, thus drawing unsuspecting users into fraudulent web resources where they lose their money and card data. Group-IB has warned Twitch about the threat.

Streaming platforms have increased in popularity during the pandemic and in the third quarter of 2020 Twitch accounted for around 91% of the world market in terms of broadcast hours. That amounts to 4.7 billion hours of video watched by Twitch users, according to data from Streamlabs and Stream Hatchet. Also, a record 206 million hours of video content was uploaded while the average number of visitors at any one time amounted to 1.5 million people; meanwhile, the average Twitch streamer earns between $2000-$10,000 a month.

The goal of one of the latest scams that CERT-GIB analytics revealed works as follows: fraudsters find channels belonging to popular streamers and make "clones" of these accounts. They then run broadcasts from popular streamers’ original channels that are perhaps a week old, but also include a banner that promises a means to make easy money, usually through a prize draw.

Image: Group-IB.

The core of this scam is that popular streamers with large followings have credibility, so an unsuspecting viewer that accidentally finds themselves on a “cloned” channel will be more likely to click on the banner. The Twitch channel community chat, where viewers can interact with one another, has also served as a place for scammers to post special commands (!inst in this case), sending users to the scam website.

The online scam then follows more traditional steps where the victim is offered up to $5000 for a “small commission” for the registration and transfer. The user enters his or her bank card details (number, owner name, date of expiry, CVV number), a small sum of money is then taken from the victim’s card and the scammer keeps the card details.

Image: Fraudulent Twitch channel with scam banner - "Win up to $5000 from Instagram !inst in chat."

One feature of Twitch, is that streamers with large followings will usually be at the top of the list of channels of a given category. This makes it challenging for new channels to gain popularity as they generally start out at the bottom of the list. The scammers overcame this obstacle using a “cheat service” which pushed the cloned channel up the list. To make the banner more convincing to users fake reviews were also posted about how much money they won, the process of getting the winnings, and offering advice on what banks to use.

“Popular services very often become targets for scammers and, in the case of streaming platforms, a fraudulent scheme offering easy money,” Alexander Kalinin, the head of CERT-GIB, warned. “Services need to improve the speed of detecting similar schemes and responding to them, as well as providing users with a simple mechanism to file complaints. Esports fans should regard offers of easy money with skepticism.”