YouTube Viewers Assaulted by Malicious Ad Ransomware Campaign

Written by

Security experts are warning that malicious ads have found their way onto YouTube, putting tens of millions of users potentially at risk from infection by the infamous Kovter ransomware.

Malvertising is nothing new, of course, and has become a much tried and tested method for attackers to redirect users visiting apparently legitimate websites to other sites containing malicious code.

However, YouTube has until now remained relatively unscathed.

Trend Micro warned of a new malicious ad campaign targeting users of the popular video platform, which has already hit 113,000 netizens in the US.

It’s almost exclusively targeted at the States, which accounts for 95.8% of incidents, followed by Japan (4%) and a long tail of other countries including Italy and Belgium.

More worrying still, the ads were obviously designed to do maximum damage, being placed on videos with at least 11 million views, Trend Micro fraud researcher Joseph Chen explained in a blog post.

“The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers,” he added.

“In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. How they were able to do this is unclear.”

The traffic is redirected twice, through servers in the Netherlands, and then finally ends up at the malicious server, hosted appropriately enough in the US, said Chen.

The attack uses the “Sweet Orange” exploit kit, tapping vulnerabilities in Internet Explorer. Although the URL of the payload constantly changes, it always uses a subdomain on the aforementioned Polish government site, he added.

“The final payloads of this attack are variants of the KOVTER malware family, which are detected as TROJ_KOVTER.SM,” said Chen.

“This particular family is known for its use in various ransomware attacks, although they lack the encryption of more sophisticated attacks like Cryptolocker. The websites that TROJ_KOVTER.SM accesses in order to display the fake warning messages are no longer accessible.”

Microsoft patched the vulnerability exploited here back in September last year, so it is advised as always that users keep up to date with any security bulletins released by their software and operating system providers.

What’s hot on Infosecurity Magazine?