A feature on YouTube that enables users to share videos with friends is being exploited by spammers to deliver junk mail, security experts said.
"YouTube users have a facility where they can invite their friends to view videos that they are looking at or have posted," said Bradley Anstis, director of product management of email security firm Marshal, which broke news of the spam campaign on Friday. "This effectively allows them to email to any address from their YouTube account. This is the functionality that the spammers are exploiting."
Anstis told SCMagazineUS.com today the attack is largely U.S.-based and is making up about one percent of all spam collected by Marshal. The company studies roughly 15 million spam messages each day delievered to its 40 honeypot accounts across the world.
The fraudsters place their spam messages in the form field meant for the sender to include a personal note for their friend, Graham Cluley, senior technology consultant for Sophos, told SCMagazineUS.com today.
The junk messages try to lure recipients to visit either a singles website or a site to retrieve a free copy of "Halo 3", an Xbox 360 video game, according to Marshal and Sophos.
Cluley said the campaign, which so far has been limited in scope, is unique.
"They're not using a zombie computer," he said. "They're not forging the entire email. In fact, they're not actually sending the email. YouTube is sending the email. (Spammers) are always looking for new ways to get their messages out."
The attack could be successful because the spam comes from a normally trusted source, experts said.
"The key purpose of attacking YouTube is to defeat spam filters and to lower the recipient's guard," according to a Marshal blog on the topic. "The spam comes from a big-name company, from an email address which may already be excluded from spam filtering."
YouTube, in its help section, actually encourages users who are not receiving shared videos from friends to make sure the "email@example.com" address is removed from their spam filters. All shared videos originate from that address.
Still, Cluley said he doubts the assault will result in a cash cow for spammers.
"It's not a convincing way to sell someone something," he said. "If you look at the screenshot (of the attack), it's not a clickable link. You have to type it in manually. I can't believe that many people who receive it will act on it. Of course, there are always people who will respond to spam campaigns."
Cluley said YouTube, acquired by Google last year for $1.65 billion, should implement a verification system that forces users to enter in code to prove they are human before they can share videos.
"The integrity and security of our site are top concerns at YouTube," a spokesman told SCMagazineUS.com in an email. "If we find a party is using our brand or site to facilitate spam, we will investigate and take action to prevent this from occurring."
Meanwhile, businesses must deploy anti-spam solutions that weed out messages containing unsolicited content, Cluley said.