How sophisticated scammers are exploiting legitimate NetEase domains to target content creators and developers with fake influencer marketing campaigns
How sophisticated scammers are exploiting legitimate domains and targeting content creators
TL;DR
Youdao Ads / InfunEase (infunease.youdaoads.com) is a confirmed scam operation targeting content creators, influencers, and developers. Despite using a legitimate NetEase subdomain and passing email authentication, this is a sophisticated phishing campaign designed to steal personal information and money from unsuspecting creators.
π΄ Trust Score: 28.8/100 (Scam Detector)
π΄ Status: Active scam with live infrastructure
π΄ Risk Level: HIGH - Identity theft, financial fraud
The Email That Started It All
I received this seemingly legitimate email from "anjiaqi06@corp.netease.com":
Subject: Don't scroll past γYoudao Adsγβ a paid collab that's actually your vibe π
We recently got a few brand campaigns that feel like they were made for your
channel. I've already filtered out the generic, one-size-fits-all stuffβthese
are the ones that fit your style and will actually resonate with your audience.
A few details:
π° Budget's ready β just name your rate
β³ Spots are filling up β a few other creators in your space are already looking at them
If you're interested, just tap here to see the campaigns waiting for you: [Youdao Ads]
First red flag? I never applied to any influencer program, and they somehow "knew" my content style without specifying what kind of creator I am.
Technical Deep Dive: The Email Headers Don't Lie
Let's examine the email headers to understand how this scam works:
Authentication Results: β All Green (Misleading!)
DKIM-Signature: v=1; a=rsa-sha256; d=corp.netease.com; s=s210401;
Authentication-Results: mx.google.com;
dkim=pass header.i=@corp.netease.com
spf=pass smtp.mailfrom=anjiaqi06@corp.netease.com
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=corp.netease.com
Why this is dangerous: All email authentication passes because:
- NetEase is a legitimate Chinese tech company
- The email truly comes from their servers (IP: 1.95.22.228)
- This suggests either a compromised corporate account or insider threat
The Smoking Gun: X-Mailer Header
X-Mailer: Coremail Webmail Server Version XT6.0.5 build 20231102
This reveals the email was sent through NetEase's internal webmail system, not their official marketing platforms.
Website Analysis: Professional Scam Infrastructure
The Scam Site: https://infunease.youdaoads.com
When we attempted to analyze the website directly:
curl -I https://infunease.youdaoads.com
# Result: HTTP/1.1 403 Forbidden
# x-deny-reason: host_not_allowed
The site is blocked by security infrastructure, indicating it's been flagged as malicious.
Google Search Results Reveal the Truth
Despite being blocked, Google has indexed the site with this revealing content:
"Join the community now and seize the opportunities to work with top brands! Whether you are a nano or macro influencer, we have prepared the right fits for you. By joining this group chat, you could access the newest and exclusive offers before anyone else!"
Generic language targeting anyone and everyone - classic scam behavior.
Third-Party Security Analysis
Scam Detector Verdict: 28.8/100
- Tags: "Risky. Dubious. Perilous."
- High-risk activity detected for phishing and spamming
- Algorithm flagged multiple fraud indicators
The Scam Operation Breakdown
Phase 1: Email Harvest & Initial Contact
- Mass emails to developers, creators, YouTubers
- Personalized enough to seem legitimate
- Uses urgency and FOMO psychology
Phase 2: Data Collection
Clicking the link leads to forms requesting:
- Social media handles and follower counts
- Personal identification information
- Bank account details "for payments"
- Tax information for "compliance"
Phase 3: The Hook
Two common next steps:
- Advance Fee Scam: "Pay processing fees to unlock campaigns"
- Identity Theft: Sell collected personal data to other criminals
Phase 4: Social Engineering
- Discord/WhatsApp group invitations
- Fake "other creators" testimonials
- Continued pressure to provide more information
Red Flags Developers Should Recognize
π© Email Red Flags
- Generic targeting: Claims to know your content without specifics
- Urgency pressure: "Spots filling up," "don't let these slip"
- Unprofessional contact: WhatsApp and Discord instead of business email
- Grammar inconsistencies: Mixed professional/casual tone
π© Website Red Flags
- Blocked by security services: Major red flag
- Generic content: "nano or macro influencer" covers everyone
- No specific brand examples: Real agencies show actual clients
- Social media focus: Legitimate marketing goes through official channels
π© Technical Red Flags
- Subdomain abuse: Using legitimate company's subdomain improperly
- Low trust scores: 28.8/100 from multiple security vendors
- Suspicious registration patterns: Domain parking tactics
How to Protect Yourself
β Immediate Actions
- Never click suspicious links - Even if emails pass authentication
- Verify independently - Contact companies through official channels
- Check security scores - Use ScamAdviser, VirusTotal, etc.
- Trust your instincts - If it feels too good to be true, it probably is
β Long-term Security Practices
- Enable 2FA everywhere - Protect all your social media accounts
- Monitor your digital footprint - Google your handles regularly
- Use dedicated business email - Keep personal/business communications separate
- Regular security awareness - Stay updated on latest scam tactics
β For Content Creators Specifically
- Legitimate partnerships require proper contracts and legal documentation
- Real brands have verification badges and official marketing teams
- Payment flows go through established platforms (not personal accounts)
- Networking happens at conferences, through agencies, or official programs
Reporting This Scam
If you encounter this scam:
π΄ Immediate Reporting
- Forward phishing email to: reportphishing@apwg.org
- Report to Google: google.com/safebrowsing/report_phish/
- FTC Report: reportfraud.ftc.gov
- NetEase Security: Contact through official channels
π΄ Protect Others
- Share this analysis with your developer/creator networks
- Post warnings in relevant Discord servers and forums
- Update security communities about this specific campaign
The Bigger Picture: Domain Reputation Abuse
This scam highlights a critical security issue:
Legitimate companies must monitor their subdomain usage to prevent reputation abuse. NetEase's subdomain being used for scam operations could:
- Damage their brand reputation
- Get their entire domain flagged by security services
- Impact legitimate business operations
- Create legal liabilities
For Cybersecurity Professionals
This case demonstrates:
- Email authentication limitations when insider accounts are compromised
- Importance of subdomain monitoring in enterprise security
- Social engineering evolution targeting creator economy
- Need for multi-layered verification beyond technical authentication
Conclusion: Stay Vigilant
The creator economy's rapid growth has created new attack vectors for scammers. This Youdao Ads campaign shows how sophisticated these operations have become:
- β Technical legitimacy (passing email authentication)
- β Professional presentation (well-designed emails and websites)
- β Psychological manipulation (urgency, flattery, FOMO)
- β Infrastructure investment (dedicated websites, communication channels)
Remember: In cybersecurity, trust but verify. Always verify.
Resources & Links
- Scam Detector Analysis of youdaoads.com
- Anti-Phishing Working Group
- FTC Phishing Guidance
- Google Safe Browsing Report Tool
Have you encountered this scam? Share your experience in the comments to help others stay safe.
Found this analysis helpful? Share it with your network - together we can shut down these operations.
This analysis was conducted for cybersecurity awareness purposes. Always report suspected scams to appropriate authorities and never interact with suspicious websites or provide personal information to unverified sources.
About the Analysis: This technical breakdown is based on email header analysis, DNS investigation, third-party security assessments, and OSINT research. All findings have been cross-verified through multiple security tools and databases.
Top comments (2)
Hello, this is the official Youdao Ads team. We highly appreciate the vigilance you and the developer community show toward online security. However, we would like to respectfully clarify a few critical misunderstandings in your technical analysis:
We are a legitimate ToB marketing service provider actively collaborating with global creators. We are completely open to discussing this further and proving our credentials.
Hi @YoudaoAds,
Thank you for commenting publicly β this is actually the most transparent way to handle this, and I appreciate it. Let me respond to each point with the same technical precision I used in the article.
On Domain Security:
Your claim that the domain "passes mainstream security protocols" is interesting, especially given the recent changes made to your infrastructure after my article was published.
On April 11 (when the article was written and you were actively soliciting creators), here is the exact verifiable response from your servers:
This was an active block from an Envoy proxy β not a local network issue.
As of today (April 28), after my article gained traction and your team contacted me requesting removal, the site now returns:
Fixing your infrastructure after the community raises red flags doesn't invalidate the original findings β it confirms that your domain was not properly operational when you were actively sending outreach emails to creators.
Additionally, independent third-party platforms β which I have zero affiliation with β scored your domain:
π΄ Scam Detector: 15/100 β "Risky. Dubious. Perilous."
Note: This score has actually dropped further from 28.8 since the article was published.
I didn't create these scores. I reported them. The appropriate response is to address them with those platforms directly β not to request article removal.
On Email Origin:
You're arguing that emails from NetEase servers prove legitimacy. My article actually made the opposite point β the fact that the emails came from legitimate NetEase infrastructure is more alarming, because it suggests either:
Furthermore, your original outreach used
corp.netease.comwhile this response comes fromrd.netease.comβ two entirely different NetEase subdomains. A legitimate unified brand operation would use consistent email infrastructure.On Being a "Legitimate ToB Marketing Service":
I have no interest in damaging legitimate businesses. My entire analysis was based on:
β Verifiable email headers (reproducible by anyone)
β Independent security vendor scores (third-party, unaffiliated)
β Direct infrastructure responses at the time of outreach
β Standard OSINT methodology
If Youdao Ads is legitimate, proving it is straightforward. I formally requested the following via direct email:
No documentation has been provided yet. I will publish a full and prominent update section the moment it is.
The developer community deserves transparency β in both directions.
If the evidence supports an update, it will be updated. Publicly and prominently.
β FreeRave