Attackers Add Curses to YouTube Comments

By Matthew Hines  |  Posted 2009-05-27 Print this article Print

Hackers and malware authors mastered the art of using social networking and Web 2.0 applications for purposes of ill-refute some time ago, but as with any breed of cyber-attack, when they've found a solid avenue to market, the criminals continue to hammer the same methods years after they've been discovered as users remain well behind the security research community in adjusting their habits to account for the ploys.

Over two years ago Harvard researcher Ben Edelmann unearthed the use of the comments section of YouTube by threatsters seeking to drive hordes of unsuspecting users to malware sites.

While they hadn't cracked the underpinnings of YouTube itself to deliver attacks to the masses, by posting eye-catching vids and then enticing viewers to continue through to their own sites in the comments section, they realized they could still tap into the massive viral value of the multimedia portal to forward their own efforts.

But despite the fact that Edelman and other experts were sounding the alarm to YouTube users to be on the lookout and watch where they follow links off of the site ages ago in Internet time, the tactic is still heavily in use and currently attached to tons of posts hosted on the ubiquitous video site, researchers contend.

According to a recent blog post authored by experts at PandaLabs, YouTube's comments and annotations features are currently being used to forward links to sites bearing loads of spam-inducing malware attacks.

In the blog, PandaLabs researcher Sean-Paul Correll said that an initial review of YouTube several days ago turned up over 30,000 individual links to such sites -- most of which advertised an adult-themed URL dubbed PornTube 2.0. You know, for those people who just didn't get enough of PornTube Version 1.

As a nod to the types of users they're trying to target, attackers appear to be going after people who search YouTube for adult content, Correll said. Among the common search terms attached to the suspicious posts are various pornographic words and the names of popular XXX movie stars.

In going after a porn-hungry audience with their efforts, the attackers are likely having even greater success than using more generalized topics, the expert contends, as they know these people are likely more willing to click through to their subsequent adult-themed handiwork.

"By targeting these keywords the cyber-criminals are able to optimize and improve their success rates by infecting those who are truly looking for pornographic material," Correll writes. "In this case, cyber-criminals aim to profit from human vulnerabilities and inherent curiosities."

Whatever your position on pornography may be, I think it's safe to say that sage observation stands on its own.

To help people scout out the attacks, the researcher points out that all of the malicious links to the spamware sites have brackets in between the " .com" portion of the involved comments.

"It's unclear if this is a temporary action done by the YouTube abuse team or if the criminals are just trying to evade detection," he said.

Ultimately, if people do click on the sites, they arrive at functioning XXX pages that attempt to secretly embed the malware on their computers.

In addition to adult content, the attack methodology is also being tied to YouTube comment-touted sites promising free anti-virus products, which of course also contain badware, PandaLabs said.

So, remember, just because you can trust one Web 2.0 site, or you think you can trust some of its users, doesn't mean you're not opening up yourself to attack via using their content, or more importantly following their offsite links.

Enjoy those videos.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel