Not Just Governments Hacking Your Computers Via YouTube Videos; Malicious Ads Found On Popular Videos
from the danger-danger dept
Over the summer, a research report came out detailing how "lawful intercept" offerings from Hacking Team and FinFisher could be used to hack computers via YouTube videos. YouTube quickly closed the vulnerability that enabled this (a man-in-the-middle attack on non-SSL'd videos), but it appears that criminals are still figuring out ways to use YouTube videos to hack your computer. The latest trick: exploiting ads on popular YouTube videos:

This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

The target here: computers using Internet Explorer (based on our stats, this means that most of the people reading this site were safe from this particular attack). Once again, we see how scammers are using traditional ad networks to do nefarious things. And yet publishers still wonder why so many people decide to use ad blockers.
The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.
In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)
The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.
Filed Under: ads, malicious ads, scammers, videos, youtube
Companies: google
Reader Comments
So it's an attack on users already using malware. In math two minuses equal a plus so all is good. /derp
Re: Re:
Woah, woah, woah. That's uncalled for, man. Plenty of people use Internet Explorer and they are smart. For example, many people use IE to download Chrome or Firefox. That's a very smart thing to do.
Re: Re: Re:
A while back a favorite site had a message that they were working to fix a hack. I couldn't see anything wrong at all but out of curiosity I tried it with Explorer. It redirected to a scare ware site with the phony scan telling me I had many dangerous viruses and trojans.
Re: Re:
I don't remember exactly when this warning came out, but I do recall installing WinXP and downloading Service Pack 2, which was still pretty new, and Wikipedia says that came out in 2004. So... yeah.
DNS Spoofing
I assume that Trend Micro is trying to speak precisely and carefully here and that they mean they haven't proven how the attackers accomplished this. However, this sort of thing is almost always done through DNS cache poisoning: http://en.wikipedia.org/wiki/DNS_spoofing
This is an architectural problem with DNS and is one of the primary reasons why we need DNSSEC so desperately.
Re: Re: DNS Spoofing
DNSSEC is a compromise, trying to bolt security onto the side. It's not a panacea, but it is much better than what we have right now.
Glad I use an ad blocker
https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom
Not just ad blockers
Good point, but even that's not enough. I've resorted to a combination of firewall rules, HTTP proxy rules, and DNS RPZ in order to -- as much as possible -- make all advertising invisible from inside the network I operate. (Note that doing this at the network perimeter isn't for everyone, but that it does have the advantage of working no matter what users do.)
The initial reason was just the annoyance, but the security and privacy risks have now become so massive that they make the original irritation trifling by comparison. The operators of ad networks have proven, over and over again, that they only care about stats and revenue and can't be bothered to police their own operations: so the heck with them, their traffic is no longer welcome here.
Just how much ad money is stolen money, anyway? Could the ad networks be charged with money laundering?
I notice that if I get malware (rare) no one from the ad agencies or websites offers to send someone to clean up your computer. I won't be part of a one way deal like that. Since ad agencies won't keep their own houses clean, it's up to me to take care of it and I do.
As long as it is a security issue, no ads will be displayed on my computer and I will move heaven and earth to remove any that manage to make it through.
Third-party Javascript
Say you have a site you like a lot, let's call it, say, techdirt.com. It includes Javascript from several places all over the map (google, reddit, facebook, and so on). But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.
Now one of these third parties gets tricked to include Javascript from an attacker-controlled source. What happens? You never unblocked the attacker-controlled source, so it doesn't run.
Here we have a very permissive use of NoScript (instead of the usual more paranoid way in which one only whitelists the third parties which are needed to not break the page), and yet, it was enough to get protected!
The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains.
Re: Third-party Javascript
Ummm, what?? I do no such thing. Why in the world would I do that?
"The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains."
Yes, this is one of the (many) really wonderful things that you can do with NoScript. But my favorite (at least, my favorite of the features I use all the time) is the ability to selectively block or allow specific scripts from the same domain. I don't have to allow all the scripts hosted on techdirt.com to run.
Since this particular attack involves DNS spoofing, the ability to block scripts from unknown domains doesn't do much to stop the attack -- your browser erroneously believes that the scripts are coming from a known domain (presumably one that you "trust"). However, blocking all scripts and then allowing the specific ones that you care about, regardless of where they are coming from, is much more effective for this sort of thing.
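An added example (not code from the Techdirt post or from any commenter) that models the two NoScript-style policies debated in this thread, a per-domain allowlist versus a per-script allowlist, and runs them against the cases raised above, including a script served from an attacker-added subdomain of a trusted domain as in the Trend Micro quote. All hostnames and script URLs are constructed, and the base-domain rule is a two-label approximation rather than NoScript's actual logic.

```javascript
// Added example (not from the Techdirt post or any commenter): two allowlist
// policies for third-party scripts, checked against constructed script URLs.

// Approximation of the registrable domain: last two DNS labels. Real tools
// consult the public suffix list; this shortcut is an assumption here.
function baseDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Policy A, the "permissive" use described in the thread: a script may run
// when its host shares a base domain with any allowed site.
function allowedByDomain(scriptUrl, allowedDomains) {
  const host = new URL(scriptUrl).hostname;
  return allowedDomains.some((d) => baseDomain(d) === baseDomain(host));
}

// Policy B, the per-script use: only exact, previously reviewed URLs run,
// regardless of which host the name resolves to.
function allowedByScript(scriptUrl, allowedScripts) {
  return allowedScripts.includes(scriptUrl);
}

// Constructed script tags a page tries to load.
const PAGE_SCRIPTS = [
  "https://www.news.test/js/site.js",        // first party
  "https://static.adnet.test/loader.js",     // legitimate third party
  "https://evil-cdn.test/x.js",              // injected from an unknown origin
  "https://added.gov-site.test/x.js",        // attacker-added subdomain of a trusted domain
];
const ALLOWED_DOMAINS = ["www.news.test", "static.adnet.test", "www.gov-site.test"];
const ALLOWED_SCRIPTS = ["https://www.news.test/js/site.js", "https://static.adnet.test/loader.js"];

// Returns, per script, whether each policy would let it run.
function evaluate(scripts, allowedDomains, allowedScripts) {
  return scripts.map((url) => ({
    url,
    byDomain: allowedByDomain(url, allowedDomains),
    byScript: allowedByScript(url, allowedScripts),
  }));
}

const RESULTS = evaluate(PAGE_SCRIPTS, ALLOWED_DOMAINS, ALLOWED_SCRIPTS);
for (const r of RESULTS) {
  console.log(`${r.url}  domain-policy:${r.byDomain}  script-policy:${r.byScript}`);
}
```

The unknown origin is blocked by both policies, but the added subdomain passes the domain policy and is stopped only by the per-script allowlist.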
Re: Third-party Javascript
Ummm, no. In fact: HELL no. That would be truly stupid.
I rarely trust any site permanently, and most of the ones referenced by techdirt I don't even trust temporarily. I certainly don't whitelist anything in my ad blocker, ever.
This doesn't reduce the attack surface to zero, of course, but that's why I do all the other things I do, including extensive firewalling and custom DNS handling. The idea isn't to close every possible hole -- that's nearly impossible with a reasonable budget -- but to try to asymptotically approach that goal, a little more every day.
Re: Third-party Javascript
Actually I put them into the untrustworthy category.
"According to the researcher, a SOME attack on Google+ is similar to the recent iCloud data breach in which the private photographs of several celebrities were leaked online. In an attack scenario described by Hayak during his Black Hat presentation, the victim takes some photographs with his/her mobile phone, and the files are automatically backed up via Google's "Auto Backup" feature to a private location on Google+. The cybercriminal can use SOME to select all the photos from the target's Google+ account and send them to his own server simply by getting the victim to click on a link."
http://www.securityweek.com/black-hat-europe-hijacking-clicks-same-origin-method-execution
I'm scared to death about enabling javascript. Techdirt doesn't require javascript, not even to post comments. I love this site. :)
Re:
If I upload something to a cloud storage locker, it is explicitly and knowingly done every single time.
I try to avoid online cloud backup/storage as much as possible.
If I need synchronisation/file sharing services, if it's some random file I don't care about sure I'll use dropbox or whatever to share it out. If it's something I care about, I have a USB hard-drive attached to my router that I have secured (as far as is practical) that I can access from anywhere I can get an HTTPS connection.
"IE" == "Internet Exploder"
With a Linux/*BSD install disk, you won't even need IE to install a decent browser.
Not everyone who uses IE is a dummy
Granted, they shouldn't be looking at YouTube during work hours anyway, but what if a big ad-network is compromised and people's work-related sites are affected? For example, suppose a programmer needs an answer on StackExchange and their ad-network is serving malware. Is the person still a "dummy" for using IE?
How about putting the blame where it belongs: the ad company for allowing malware, the site for not knowing what the ad company is doing, and Microsoft for allowing IE to run malware in the first place. Or better yet, let's blame AdBlock for not making their software available for IE. ;)
Re: Not everyone who uses IE is a dummy
No, the company is for requiring it.