With over 1 billion users, YouTube is one of the most visited sites on the web, but its incredible popularity is also drawing in criminals and viruses. Cyber criminals are always looking for new ways to exploit popular platforms, and YouTube is not an exception.
Recently, it was discovered that YouTube videos were serving ads that contained the precursors an attacker needs to inject malware onto a targeted machine. According to Bromium Labs, the criminals were exploiting vulnerabilities in systems running Java; where the exploit succeeded, a banking Trojan belonging to the Caphaw family was dropped onto the user's computer. Another reason to keep your Java up to date.
Once the malware is running on the victim's machine, it tries to connect to domains that are likely hosted in Europe.
The YouTube malware ad was delivered in the following manner:
- User watches YouTube video
- User sees an appealing thumbnail embedded in the page and clicks on it to watch another video
- Once the thumbnail is clicked, the malicious ad (served through Google Ads) loads in the background
- The ad then redirects the user to 'foulpapers.com'
- The malicious website serves iframes pointing at the aecua.nl domain
- aecua.nl then detects the system's Java version and drops the malware onto the victim's machine
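The chain above leaves a recognisable trail in web-proxy logs: a request to the redirect domain with a YouTube referrer, followed by contact with the dropper domain and, on a vulnerable client, a JAR download announced by Java's own User-Agent string. The following detection script is an added example, not code from Bromium Labs or from the original article; the tab-separated log format, the field order and the sample log lines are constructed for illustration, and the `application/x-java-archive` content type and the `Java/x.y.z_nn` User-Agent pattern are assumptions about what the proxy records.

```python
"""Flag the YouTube -> foulpapers.com -> aecua.nl malvertising chain in proxy logs.

Assumed log format (constructed for this example): one request per line,
tab-separated fields in this order:
  timestamp  client_ip  method  url  status  referer  content_type  user_agent
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains named in the article as stages of the chain
REDIRECT_DOMAINS = {"foulpapers.com"}
DROPPER_DOMAINS = {"aecua.nl"}
VIDEO_DOMAINS = {"youtube.com"}
# MIME types a proxy may record for a Java archive (assumption)
JAR_TYPES = {"application/java-archive", "application/x-java-archive"}
# Java's applet/plug-in downloader identifies itself as "Java/<version>" (assumption)
JAVA_UA = re.compile(r"\bJava/(\d+(?:\.\d+)*(?:_\d+)?)")

FIELDS = ("ts", "client", "method", "url", "status", "referer", "ctype", "ua")

# Constructed sample log: one client walks the full chain, another just leaves YouTube
SAMPLE_LOG = """\
2014-02-20T10:01:02Z\t10.0.0.5\tGET\thttps://www.youtube.com/watch?v=abc\t200\t-\ttext/html\tMozilla/5.0
2014-02-20T10:01:09Z\t10.0.0.5\tGET\thttp://foulpapers.com/ad?x=1\t302\thttps://www.youtube.com/watch?v=abc\ttext/html\tMozilla/5.0
2014-02-20T10:01:10Z\t10.0.0.5\tGET\thttp://aecua.nl/i/\t200\thttp://foulpapers.com/ad?x=1\ttext/html\tMozilla/5.0
2014-02-20T10:01:11Z\t10.0.0.5\tGET\thttp://aecua.nl/j/load.jar\t200\thttp://aecua.nl/i/\tapplication/java-archive\tMozilla/4.0 (Windows 7 6.1) Java/1.6.0_20
2014-02-20T10:05:00Z\t10.0.0.9\tGET\thttps://www.youtube.com/watch?v=xyz\t200\t-\ttext/html\tMozilla/5.0
2014-02-20T10:05:04Z\t10.0.0.9\tGET\thttps://example.org/\t200\thttps://www.youtube.com/watch?v=xyz\ttext/html\tMozilla/5.0
"""


def parse_log(text):
    """Parse the tab-separated log into dicts, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            rows.append(dict(zip(FIELDS, parts)))
    return rows


def host_of(url):
    """Lower-cased hostname of a URL, or '' if there is none (e.g. a '-' referer)."""
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def in_domain(host, domains):
    """True if host equals or is a subdomain of any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def find_chains(log_text):
    """Return one alert per client that went YouTube -> redirector -> dropper."""
    by_client = defaultdict(list)
    for row in parse_log(log_text):
        by_client[row["client"]].append(row)

    alerts = []
    for client, rows in by_client.items():
        rows.sort(key=lambda r: r["ts"])
        stages, java_version = [], None
        for r in rows:
            host, ref = host_of(r["url"]), host_of(r["referer"])
            if in_domain(host, REDIRECT_DOMAINS) and in_domain(ref, VIDEO_DOMAINS):
                stages.append("youtube_to_redirector")
            elif in_domain(host, DROPPER_DOMAINS):
                is_jar = (r["ctype"].lower() in JAR_TYPES
                          or urlsplit(r["url"]).path.lower().endswith(".jar"))
                if is_jar:
                    stages.append("jar_download")
                    m = JAVA_UA.search(r["ua"])
                    java_version = m.group(1) if m else java_version
                else:
                    stages.append("dropper_contact")
        # Contact with the dropper after the redirect is enough to alert;
        # an observed JAR download means the exploit stage was reached.
        if "youtube_to_redirector" in stages and "dropper_contact" in stages:
            alerts.append({
                "client": client,
                "stages": stages,
                "java_version": java_version,
                "severity": "high" if "jar_download" in stages else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_chains(SAMPLE_LOG):
        print(alert)
```

A client that only follows a YouTube referrer to an unrelated site produces no alert; the JAR fetch is what raises severity, and the Java version captured from the User-Agent tells the responder which machines to patch first.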
Casual YouTube users may never notice that their machine was the target of such an attack. Criminals often put some work into promoting their videos to make them seem legitimate and worth watching; a video carrying such an exploit may have hundreds or even thousands of views, so the infection is usually noticed only after the damage is done.
As always, we advise everyone to take the necessary precautions against such an attack by installing antivirus software and keeping it up to date. It is also recommended to disable Java unless it is absolutely necessary for running verified, trusted services and applications.