February 25th, 2009

Malware campaign at YouTube uses social engineering tricks

Posted by Dancho Danchev @ 12:23 pm

Categories: Anti Virus, Browsers, Hackers, Malware, Passwords, Web 2.0

Tags: Security, Social Engineering, YouTube, Fake Video Codec, Rogue Security Software, PornTube, Dancho Danchev

Remember last month’s Google Video search results poisoning attack which was hijacking legitimate YouTube titles in order to acquire potential traffic coming from Google Video? Or the massive comment-spam attack on Digg.com?

It appears that the cybercriminals behind both of these campaigns aren’t giving up just yet, and are currently experimenting with a catchy social engineering attack at YouTube which is once again attempting to serve rogue security software under the disguise of a required media codec.

Here’s how the new campaign looks.

This time their experiment relies on a new “visual social engineering vector”: a message reading “Click Here to Join the Club” or “Click Here for Free Porn” is embedded within the legitimate video, with an arrow enticing the user to click on the PornTube link right next to it. This approach differs slightly from previous campaigns, which relied on fake YouTube sites or simply posted the very same malware links within a video’s comments.

The campaign does suffer from a major weakness, and that’s its adult content, which YouTube has already — perhaps automatically — started removing. The fake codecs used in the campaign act as downloaders for rogue security software, with the cybercriminals earning revenue in the process. Moreover, not only were the Google Video, Digg.com and this latest campaign launched by the same attackers, but the malware campaigners behind them continue using highly toxic net blocks residing within the Latvian DATORU EXPRESS SERVISS Ltd (zlkon.lv) and the Dutch WORLDSTREAM DBM, which makes them fairly easy to keep track of, at least for now.
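The post's closing observation, that the same crew keeps reusing a small set of hosting net blocks and keeps dressing its downloader up as a "codec", is exactly the kind of pattern a defender can turn into a cheap triage rule. The script below is an added illustration, not the author's tooling: it joins a few constructed proxy-log records (URL plus the IP it resolved to) against a net-block list and a codec-lure filename heuristic. The CIDRs are RFC 5737 documentation ranges standing in for the real ranges, which the post names only by provider (zlkon.lv, WORLDSTREAM) and never lists; the lure words and sample URLs are likewise constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Placeholder net blocks. The post names the hosting providers but gives no
# address ranges, so documentation-only CIDRs (RFC 5737) stand in for a real
# blocklist built from your own incident data.
TOXIC_NETBLOCKS = [
    ipaddress.ip_network(cidr) for cidr in ("192.0.2.0/24", "198.51.100.0/24")
]

# Constructed filename fragments typical of "you need a codec" lures.
CODEC_LURE_WORDS = ("codec", "flashplayer", "mediaplayer", "setup")


def in_toxic_netblock(ip: str) -> bool:
    """True if the resolved address falls inside a tracked net block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TOXIC_NETBLOCKS)


def looks_like_codec_lure(url: str) -> bool:
    """True for executable downloads whose name mimics a media codec/player."""
    path = urlparse(url).path.lower()
    return path.endswith(".exe") and any(word in path for word in CODEC_LURE_WORDS)


def triage(records):
    """records: iterable of (url, resolved_ip) pairs, e.g. proxy logs joined
    with DNS answers. Returns (url, ip, reasons) for every record that trips
    at least one rule, so an analyst can review the hits rather than the whole log."""
    hits = []
    for url, ip in records:
        reasons = []
        if in_toxic_netblock(ip):
            reasons.append("toxic-netblock")
        if looks_like_codec_lure(url):
            reasons.append("codec-lure")
        if reasons:
            hits.append((url, ip, reasons))
    return hits


# Constructed sample records; .invalid hostnames never resolve in the real DNS.
SAMPLE_RECORDS = [
    ("http://example-tube.invalid/video/12345", "203.0.113.7"),
    ("http://cdn.invalid/download/codec_setup.exe", "192.0.2.45"),
    ("http://mirror.invalid/files/update.exe", "198.51.100.9"),
    ("http://static.invalid/img/logo.png", "203.0.113.9"),
]

if __name__ == "__main__":
    for url, ip, reasons in triage(SAMPLE_RECORDS):
        print(f"{ip:15} {url}  [{', '.join(reasons)}]")
```

The two rules are deliberately independent: a hit on the net block alone (the third record) is worth a look even when the filename is innocuous, because infrastructure reuse is the more durable indicator, while the filename heuristic catches the lure when the hosting moves.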

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


Talkback (4)

Old Old News
Come up with something new to report. The fake codec is years old and if anyone is not aware of it by now they deserve what they get. ... (Read the rest)
Posted by: ken.bld@... on 03/03/09

Even largest sites have simple weaknesses  Bozhidar | 02/25/09
You put something up for fee and people abuse it.  Been_Done_Before | 02/25/09
RE: Malware campaign at YouTube uses social engineering tricks  philscbx@... | 02/26/09
Old Old News  ken.bld@... | 03/03/09
