The malicious pages claim to contain a “hot video” associated with the Gulf oil spill, NBA Playoffs, Harry Potter and other popular topics, Patrick Walsh, CTO at eSoft, told SCMagazineUS.com on Wednesday. The spoofed pages appear legitimate and even contain a YouTube logo.
Attempting to play the video on one of the bogus pages causes a pop-up to appear informing users they need to download and install a media codec, Lee Graves, threat communications specialist at eSoft, told SCMagazineUS.com on Wednesday. Clicking “OK” to install the codec causes a user's browser to be redirected through several intermediary sites before landing on a final malware distribution site.
“We have seen a couple different things they are distributing, one being rogue AV [anti-virus] programs, another is a downloader trojan,” Graves said.
The trojan, which could be used to steal information from a victim's machine or to turn the machine into a spam sender, was detected by just eight of the top 41 AV scanners on Monday.
The spoofed YouTube pages are propagating via poisoned search results, researchers said. Attackers utilized search-engine optimization tactics to cause their malicious pages to rank near the top of the results when a user searches for “gulf oil spill pictures” or other popular topics. These types of attacks are not at all uncommon, as opportunists often poison search results relating to newsworthy events.
eSoft researchers first detected the campaign on Friday, and at that time, detected 135,000 spoofed YouTube pages. By Tuesday, the number of spoofed pages dropped to just 12 before soaring to some 700,000 on Wednesday, far exceeding previous totals.
“It seems there is a back-and-forth going on, it's sort of an arms race [between the cybercriminals and the search engines],” Walsh said.
Attackers behind the scam are leveraging the popularity and trust of the YouTube brand, researchers said.
“By faking YouTube, you make the site look legitimate and trustworthy and you are more likely to get people to say ‘OK' to install stuff,” Walsh said.
A YouTube spokesman told SCMagazineUS.com in an email Wednesday that the company never forces users to download players or plug-ins.
“We are aware that there is a malware threat from fake websites posing as YouTube and inviting users to download a plug-in to watch a YouTube video,” the spokesman said. “We take misuse of our [trade]mark very seriously, and take appropriate actions. Our goal is to make the user's online video experience as easy and fast as possible.”
As a precaution, users should always check the URLs of sites they are visiting, the spokesman added.
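The two checks this article implies, the URL test the YouTube spokesman recommends and a manual walk of the redirect chain that the fake codec prompt sets off, as an added Python example; this is not code from eSoft, SC Magazine or YouTube. The host allowlist, the hop table and the page HTML are constructed for illustration, and the hostnames under `.example` are placeholders rather than the campaign's real infrastructure.

```python
from urllib.parse import urlsplit

# Assumption: hosts an organisation would allowlist as genuinely YouTube.
# A real deployment would maintain this list itself.
YOUTUBE_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com", "youtu.be"}

# HTTP statuses that carry a Location header worth following.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_genuine_youtube(url: str) -> bool:
    """True only if the URL's host is an allowlisted YouTube host.

    Parsing with urlsplit defeats the usual brand-spoofing tricks: the brand
    as a prefix of another domain (youtube.com.evil.example), the brand in
    the userinfo part (youtube.com@evil.example), or the brand only in the
    path (evil.example/youtube.com/watch)."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in YOUTUBE_HOSTS


def looks_like_brand_spoof(url: str, html: str) -> bool:
    """A page that shows YouTube branding but is not served from a YouTube
    host is what the article describes: logo present, domain wrong."""
    shows_brand = "youtube" in html.lower()
    return shows_brand and not is_genuine_youtube(url)


def walk_redirects(start: str, responses: dict, max_hops: int = 10) -> list:
    """Walk a redirect chain one hop at a time instead of auto-following.

    `responses` maps url -> (status, Location) and stands in for the
    captured responses an analyst would have (constructed here).  The walk
    stops on a non-redirect status, a loop, or max_hops, so a redirect loop
    cannot hang the caller.  Returns every URL visited, in order."""
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or not location:
            break
        url = location
        chain.append(url)
        if url in seen:          # loop detected; record it and stop
            break
        seen.add(url)
    return chain


# Constructed sample: a fake "hot video" page, its codec prompt, and the
# intermediary hops before the final download site.
SAMPLE_PAGE_URL = "http://hot-videos.example/gulf-oil-spill.html"
SAMPLE_PAGE_HTML = '<img src="/img/youtube_logo.png"><div id="player">Play</div>'
SAMPLE_RESPONSES = {
    "http://hot-videos.example/codec.php": (302, "http://redir1.example/go?id=1"),
    "http://redir1.example/go?id=1": (302, "http://redir2.example/x"),
    "http://redir2.example/x": (302, "http://dl.example/install_codec.exe"),
    "http://dl.example/install_codec.exe": (200, None),
}


def analyse_sample() -> dict:
    """Run both checks over the constructed sample and return a verdict."""
    chain = walk_redirects("http://hot-videos.example/codec.php", SAMPLE_RESPONSES)
    return {
        "brand_spoof": looks_like_brand_spoof(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML),
        "hops": len(chain) - 1,
        "final_host": urlsplit(chain[-1]).hostname,
        "final_is_executable": chain[-1].lower().endswith(".exe"),
    }


if __name__ == "__main__":
    for key, value in analyse_sample().items():
        print(f"{key}: {value}")
```

The walker deliberately does not follow redirects automatically: seeing each intermediary host is the point, since those hops are what the attackers rotate when search engines or blocklists catch up, and the final host is what goes into a blocklist.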