Not Just Governments Hacking Your Computers Via YouTube Videos; Malicious Ads Found On Popular Videos

from the danger-danger dept

Over the summer, a research report came out detailing how "lawful intercept" offerings from Hacking Team and FinFisher could be used to hack computers via YouTube videos. YouTube quickly closed the vulnerability that enabled this (a man-in-the-middle attack on non-SSL'd videos), but it appears that criminals are still figuring out ways to use YouTube videos to hack your computer. The latest trick: exploiting ads on popular YouTube videos:
This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views – in particular, a music video uploaded by a high-profile record label.

The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.
The target here: computers using Internet Explorer (based on our stats, this means that most of the people reading this site were safe from this particular attack). Once again, we see how scammers are using traditional ad networks to do nefarious things. And yet publishers still wonder why so many people decide to use ad blockers.

Filed Under: ads, malicious ads, scammers, videos, youtube
Companies: google


Reader Comments

  1. Ninja (profile), 17 Oct 2014 @ 7:27am

    The target here: computers using Internet Explorer

    So it's an attack on users already using malware. In math, two minuses equal a plus, so all is good. /derp

  2. John Fenderson (profile), 17 Oct 2014 @ 9:16am

    DNS Spoofing

    instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)


    I assume that Trend Micro is trying to speak precisely and carefully here and that they mean they haven't proven how the attackers accomplished this. However, this sort of thing is almost always done through DNS cache poisoning: http://en.wikipedia.org/wiki/DNS_spoofing

    This is an architectural problem with DNS and is one of the primary reasons why we need DNSSEC so desperately.

  3. Anonymous Coward, 17 Oct 2014 @ 9:27am

    If my job would let me use something other than IE I would.

  4. Anonymous Coward, 17 Oct 2014 @ 9:29am

    Sounds like the criminals are using that golden shower key that the FBI director was talking about, or were they backdooring users instead.

  5. Dave Cortright (profile), 17 Oct 2014 @ 9:57am

    Glad I use an ad blocker

  6. OldGeezer (profile), 17 Oct 2014 @ 10:03am

    Re:

    One clue should be that recently IE had a breach so bad that the government had to issue warnings to use another browser. Explorer is only for people too stupid not to use it. Probably the same idiots that click on unknown email attachments, log in from a phishing message and fill in their account number, social security and mother's maiden name.

  7. Just Another Anonymous Troll, 17 Oct 2014 @ 10:09am

    Re: Re:

    "Explorer is only for people too stupid not to use it."
    Woah, woah, woah. That's uncalled for, man. Plenty of people use Internet Explorer and they are smart. For example, many people use IE to download Chrome or Firefox. That's a very smart thing to do.

  8. PRMan, 17 Oct 2014 @ 10:15am

    Re:

    And people say I'm paranoid for running No(t)Script and SSL Everywhere. Sounds like it protected me from these YouTube ads.

  9. Anonymous Coward, 17 Oct 2014 @ 10:16am

    Not just ad blockers

    "And yet publishers still wonder why so many people decide to use ad blockers."

    Good point, but even that's not enough. I've resorted to a combination of firewall rules, HTTP proxy rules, and DNS RPZ in order to -- as much as possible -- make all advertising invisible from inside the network I operate. (Note that doing this at the network perimeter isn't for everyone, but that it does have the advantage of working no matter what users do.)

    The initial reason was just the annoyance, but the security and privacy risks have now become so massive that they make the original irritation trifling by comparison. The operators of ad networks have proven, over and over again, that they only care about stats and revenue and can't be bothered to police their own operations: so the heck with them, their traffic is no longer welcome here.

  10. OldGeezer (profile), 17 Oct 2014 @ 10:34am

    Re: Re: Re:

    For me that was when I was running Windows 95 and Explorer would get so many pop ups at one time it could lock your system.

    A while back a favorite site had a message that they were working to fix a hack. I couldn't see anything wrong at all, but out of curiosity I tried it with Explorer. It redirected to a scareware site with the phony scan telling me I had many dangerous viruses and trojans.

  11. Anonymous Coward, 17 Oct 2014 @ 10:35am

    They use the malware ads to steal people's credit card numbers and bank data and such, then use their stolen profits to buy even more malware ad placement.

    Just how much ad money is stolen money, anyway? Could the ad networks be charged with money laundering?

  12. Mason Wheeler (profile), 17 Oct 2014 @ 10:40am

    Re: Re:

    This isn't the first time, either. I remember fixing up a computer that a friend's family had had trashed by a virus. They were using IE, and the first thing I did once I had the system up and running was download and install Firefox for them. And I remember telling them that IE was one big security hole, and that the US Government had recently issued a warning against using it, and that you know something is truly filthy when even the government doesn't want to get contaminated by touching it!

    I don't remember exactly when this warning came out, but I do recall installing WinXP and downloading Service Pack 2, which was still pretty new, and Wikipedia says that came out in 2004. So... yeah.

  13. Anonymous Coward, 17 Oct 2014 @ 10:41am

    Re: DNS Spoofing

    We DO need DNSSEC, but it's not a panacea for this kind of attack: if those behind it actually had control of a delegated zone, then DNSSEC would just confirm its accuracy just as much as any other zone. (The wording makes it unclear whether they really did attack the DNS zone at its source.)


  14. Anonymous Coward, 17 Oct 2014 @ 11:06am

    This article illustrates precisely why I use ad blockers and will continue to do so. It's about personal security. I notice that lots of sites want to moan about ads being blocked and even go so far as to accuse surfers of stealing their income by blocking those ads, such as Ars Technica tried years ago.

    I notice that if I get malware (rare) no one from the ad agencies or websites offers to send someone to clean up your computer. I won't be part of a one-way deal like that. Since ad agencies won't keep their own houses clean, it's up to me to take care of it and I do.

    As long as it is a security issue, no ads will be displayed on my computer and I will move heaven and earth to remove any that manage to make it through.

  15. OldGeezer (profile), 17 Oct 2014 @ 11:16am

    Re: Re: Re:

    The warning I was referring to was recent, just a couple of months ago. I guess not much has changed.

  16. LduN (profile), 17 Oct 2014 @ 11:22am

    Re: Re:

    Or, you know, people that work at large corporations with SharePoint intranets, that are browsing from work instead of working.

  17. Anonymous Coward, 17 Oct 2014 @ 11:47am

    So blocking ads is not only out of annoyance but SECURITY. I mean, come on, the nature of ads and getting one on a popular item: it's too freaking obvious that this would lead to a drive for ad exploits.

  18. John Fenderson (profile), 17 Oct 2014 @ 12:00pm

    Re: Re: DNS Spoofing

    Absolutely true. DNSSEC is really more like a hack. The security problems with DNS are architectural, and so they can't really be fixed without actually redesigning DNS. But it's not feasible to do that since it would mean all DNS servers and clients would have to be replaced.

    DNSSEC is a compromise, trying to bolt security onto the side. It's not a panacea, but it is much better than what we have right now.

  19. Avatar28 (profile), 17 Oct 2014 @ 12:30pm

    Re: Re:

    Or, you know, if you are using a Windows tablet. Chrome, Firefox, et al are pretty crappy trying to use them with touch.

  20. Anonymous Coward, 17 Oct 2014 @ 12:39pm

    Firefox, Adblock Edge, Better Privacy, Random Agent Spoofer, Disconnect, and VPN

  21. Anonymous Coward, 17 Oct 2014 @ 1:52pm

    Third-party Javascript

    Most people say "just use NoScript", but even they don't quite get the real power of NoScript.

    Say you have a site you like a lot, let's call it, say, techdirt.com. It includes Javascript from several places all over the map (google, reddit, facebook, and so on). But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.

    Now one of these third parties gets tricked into including Javascript from an attacker-controlled source. What happens? You never unblocked the attacker-controlled source, so it doesn't run.

    Here we have a very permissive use of NoScript (instead of the usual more paranoid way in which one only whitelists the third parties which are needed to not break the page), and yet, it was enough to get protected!

    The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains.

  22. John Fenderson (profile), 17 Oct 2014 @ 2:07pm

    Re: Third-party Javascript

    "But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker."

    Ummm, what?? I do no such thing. Why in the world would I do that?

    "The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains."

    Yes, this is one of the (many) really wonderful things that you can do with NoScript. But my favorite (at least, my favorite of the features I use all the time) is the ability to selectively block or allow specific scripts from the same domain. I don't have to allow all the scripts hosted on techdirt.com have the ability to run.

    Since this particular attack involves DNS spoofing, the ability to block scripts from unknown domains doesn't do much to stop the attack -- your browser erroneously believes that the scripts are coming from a known domain (presumably one that you "trust"). However, blocking all scripts and then allowing the specific ones that you care about, regardless of where they are coming from, is much more effective for this sort of thing.


  23. Watchit (profile), 17 Oct 2014 @ 2:33pm

    Every time I see someone using IE, it makes me a little more dead inside...

  24. That One Guy (profile), 17 Oct 2014 @ 3:02pm

    Re:

    If you think you've got it bad, think of what the poor computer has to go through with a security vulnerability like that on the system.

  25. Anonymous Coward, 17 Oct 2014 @ 3:04pm

    I just read about a Google+ attack which allows access to a person's private cellphone photos backed up in Google's cloud. Similar to Apple's iCloud hack.

    "According to the researcher, a SOME attack on Google+ is similar to the recent iCloud data breach in which the private photographs of several celebrities were leaked online. In an attack scenario described by Hayak during his Black Hat presentation, the victim takes some photographs with his/her mobile phone, and the files are automatically backed up via Google's "Auto Backup" feature to a private location on Google+. The cybercriminal can use SOME to select all the photos from the target's Google+ account and send them to his own server simply by getting the victim to click on a link."

    http://www.securityweek.com/black-hat-europe-hijacking-clicks-same-origin-method-execution

    I'm scared to death about enabling javascript. Techdirt doesn't require javascript, not even to post comments. I love this site. :)

  26. Anonymous Coward, 17 Oct 2014 @ 3:26pm

    Re: Third-party Javascript

    "But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker."

    Ummm, no. In fact: HELL no. That would be truly stupid.

    I rarely trust any site permanently, and most of the ones referenced by techdirt I don't even trust temporarily. I certainly don't whitelist anything in my ad blocker, ever.

    This doesn't reduce the attack surface to zero, of course, but that's why I do all the other things I do, including extensive firewalling and custom DNS handling. The idea isn't to close every possible hole -- that's nearly impossible with a reasonable budget -- but to try to asymptotically approach that goal, a little more every day.

  27. Anonymous Coward, 18 Oct 2014 @ 1:08am

    Re: Third-party Javascript

    "But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker."

    Actually I put them into the untrustworthy category.

  28. Anonymous Coward, 18 Oct 2014 @ 1:09am

    Re:

    You forgot RequestPolicy

  29. Anonymous Coward, 18 Oct 2014 @ 8:49am

    "IE" == "Internet Exploder"

    Line your stroll down the Information SuperHighway with Improvised Exploding Devices (IEDs)!

    With a Linux/*BSD install disk, you won't even need IE to install a decent browser.

  30. Eldakka (profile), 19 Oct 2014 @ 5:18pm

    Re:

    This is why I don't auto-anything to a cloud service.

    If I upload something to a cloud storage locker, it is explicitly and knowingly done every single time.

    I try to avoid online cloud backup/storage as much as possible.

    If I need synchronisation/file sharing services, and it's some random file I don't care about, sure, I'll use Dropbox or whatever to share it out. If it's something I care about, I have a USB hard drive attached to my router that I have secured (as far as is practical) that I can access from anywhere I can get an HTTPS connection.

  31. antidirt (profile), 20 Oct 2014 @ 11:51am

    Re:

    It's not that bad. I don't use it, but it's not that bad.

  32. John85851 (profile), 20 Oct 2014 @ 3:51pm

    Not everyone who uses IE is a dummy

    Before everyone gets all high and mighty about how only dummies use IE, consider this: there are hundreds of thousands (or maybe millions) of people who work in a corporate environment. Their computers are probably locked down so they can't install their own software or they may need approval from their IT department. They physically can't switch to Firefox or Chrome.

    Granted, they shouldn't be looking at YouTube during work hours anyway, but what if a big ad-network is compromised and people's work-related sites are affected? For example, suppose a programmer needs an answer on StackExchange and their ad-network is serving malware. Is the person still a "dummy" for using IE?

    How about putting the blame where it belongs: the ad company for allowing malware, the site for not knowing what the ad company is doing, and Microsoft for allowing IE to run malware in the first place. Or better yet, let's blame AdBlock for not making their software available for IE. ;)

  33. John Fenderson (profile), 21 Oct 2014 @ 8:26am

    Re: Not everyone who uses IE is a dummy

    "Is the person still a "dummy" for using IE?"

    No, the company is for requiring it.
