Not Just Governments Hacking Your Computers Via YouTube Videos; Malicious Ads Found On Popular Videos

from the danger-danger dept

Over the summer, a research report came out detailing how “lawful intercept” offerings from Hacking Team and FinFisher could be used to hack computers via YouTube videos. YouTube quickly closed the vulnerability that enabled this (a man-in-the-middle attack on non-SSL’d videos), but it appears that criminals are still figuring out ways to use YouTube videos to hack your computer. The latest trick: exploiting ads on popular YouTube videos:

This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views; in particular, a music video uploaded by a high-profile record label.

The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.

In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.

The target here: computers using Internet Explorer (based on our stats, this means that most of the people reading this site were safe from this particular attack). Once again, we see how scammers are using traditional ad networks to do nefarious things. And yet publishers still wonder why so many people decide to use ad blockers.

Companies: google


Comments on “Not Just Governments Hacking Your Computers Via YouTube Videos; Malicious Ads Found On Popular Videos”

33 Comments
OldGeezer (profile) says:

Re: Re:

One clue should be that recently IE had a breach so bad that the government had to issue warnings to use another browser. Explorer is only for people too stupid not to use it. Probably the same idiots that click on unknown email attachments, log in from a phishing message and fill in their account number, social security and mother’s maiden name.

OldGeezer (profile) says:

Re: Re: Re: Re:

For me that was when I was running Windows 95 and Explorer would get so many pop ups at one time it could lock your system.

A while back a favorite site had a message that they were working to fix a hack. I couldn’t see anything wrong at all but out of curiosity I tried it with Explorer. It redirected to a scareware site with the phony scan telling me I had many dangerous viruses and trojans.

Mason Wheeler (profile) says:

Re: Re: Re:

This isn’t the first time, either. I remember fixing up a computer that a friend’s family had had trashed by a virus. They were using IE, and the first thing I did once I had the system up and running was download and install Firefox for them. And I remember telling them that IE was one big security hole, and that the US Government had recently issued a warning against using it, and that you know something is truly filthy when even the government doesn’t want to get contaminated by touching it!

I don’t remember exactly when this warning came out, but I do recall installing WinXP and downloading Service Pack 2, which was still pretty new, and Wikipedia says that came out in 2004. So… yeah.

John Fenderson (profile) says:

DNS Spoofing

instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)

I assume that Trend Micro is trying to speak precisely and carefully here and that they mean they haven’t proven how the attackers accomplished this. However, this sort of thing is almost always done through DNS cache poisoning: http://en.wikipedia.org/wiki/DNS_spoofing

This is an architectural problem with DNS and is one of the primary reasons why we need DNSSEC so desperately.

Anonymous Coward says:

Re: DNS Spoofing

We DO need DNSSEC, but it’s not a panacea for this kind of attack: if those behind it actually had control of a delegated zone, then DNSSEC would just confirm its accuracy just as much as any other zone. (The wording makes it unclear whether they really did attack the DNS zone at its source.)

John Fenderson (profile) says:

Re: Re: DNS Spoofing

Absolutely true. DNSSEC is really more like a hack. The security problems with DNS are architectural, and so they can’t really be fixed without actually redesigning DNS. But it’s not feasible to do that since it would mean all DNS servers and clients would have to be replaced.

DNSSEC is a compromise, trying to bolt security onto the side. It’s not a panacea, but it is much better than what we have right now.

Anonymous Coward says:

Not just ad blockers

“And yet publishers still wonder why so many people decide to use ad blockers.”

Good point, but even that’s not enough. I’ve resorted to a combination of firewall rules, HTTP proxy rules, and DNS RPZ in order to — as much as possible — make all advertising invisible from inside the network I operate. (Note that doing this at the network perimeter isn’t for everyone, but that it does have the advantage of working no matter what users do.)

The initial reason was just the annoyance, but the security and privacy risks have now become so massive that they make the original irritation trifling by comparison. The operators of ad networks have proven, over and over again, that they only care about stats and revenue and can’t be bothered to police their own operations: so the heck with them, their traffic is no longer welcome here.

Anonymous Coward says:

This article illustrates precisely why I use ad blockers and will continue to do so. It’s about personal security. I notice that lots of sites want to moan about ads being blocked and even going so far as to accuse surfers of stealing their income by blocking those ads, such as Ars Technica tried years ago.

I notice that if I get malware (rare) no one from the ad agencies or websites offers to send someone to clean up your computer. I won’t be part of a one way deal like that. Since ad agencies won’t keep their own houses clean, it’s up to me to take care of it and I do.

As long as it is a security issue, no ads will be displayed on my computer and I will move heaven and earth to remove any that manage to make it through.

Anonymous Coward says:

Third-party Javascript

Most people say “just use NoScript”, but even they don’t quite get the real power of NoScript.

Say you have a site you like a lot, let’s call it, say, techdirt.com. It includes Javascript from several places all over the map (google, reddit, facebook, and so on). But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.

Now one of these third parties gets tricked to include Javascript from an attacker-controlled source. What happens? You never unblocked the attacker-controlled source, so it doesn’t run.

Here we have a very permissive use of NoScript (instead of the usual more paranoid way in which one only whitelists the third parties which are needed to not break the page), and yet, it was enough to get protected!

The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains.

John Fenderson (profile) says:

Re: Third-party Javascript

“But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.”

Ummm, what?? I do no such thing. Why in the world would I do that?

“The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains.”

Yes, this is one of the (many) really wonderful things that you can do with NoScript. But my favorite (at least, my favorite of the features I use all the time) is the ability to selectively block or allow specific scripts from the same domain. I don’t have to allow all the scripts hosted on techdirt.com to have the ability to run.

Since this particular attack involves DNS spoofing, the ability to block scripts from unknown domains doesn’t do much to stop the attack — your browser erroneously believes that the scripts are coming from a known domain (presumably one that you “trust”). However, blocking all scripts and then allowing the specific ones that you care about, regardless of where they are coming from, is much more effective for this sort of thing.
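An added example (not code from either commenter, from NoScript, or from the article) contrasting the two granularities argued about above: a domain-level allowlist like the one in the parent comment, and the per-script allowlist John Fenderson describes. It runs both against constructed script requests, including a script served from an attacker-added subdomain of an otherwise trusted domain, the trick the article reports; every host, URL and trust list is made up for illustration.

```python
"""NoScript-style allow-listing at two granularities (constructed example).
Hosts, URLs and both trust lists are made up for illustration."""
from urllib.parse import urlparse

# Policy 1: trust whole domains; any host at or under them may run scripts.
TRUSTED_DOMAINS = {"techdirt.com", "gov-example.pl"}

# Policy 2: trust exact script URLs only (scheme, host and path must match).
TRUSTED_SCRIPTS = {
    "https://www.techdirt.com/js/comments.js",
    "https://www.gov-example.pl/static/portal.js",
}

def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower().rstrip(".")

def allowed_by_domain(url: str) -> bool:
    """Allow if the host is a trusted domain or any subdomain of one.
    A subdomain an attacker added to a legitimate domain's DNS (the trick in
    the article) passes: a suffix match cannot tell a real host from one the
    domain owner never created."""
    h = _host(url)
    return any(h == d or h.endswith("." + d) for d in TRUSTED_DOMAINS)

def allowed_by_script(url: str) -> bool:
    """Allow only a script whose exact URL was approved beforehand.
    A new subdomain, or a new path on a known host, stays blocked until a
    human approves it; the price is approving each script once."""
    p = urlparse(url)
    approved = {(urlparse(s).scheme, _host(s), urlparse(s).path) for s in TRUSTED_SCRIPTS}
    return (p.scheme, _host(url), p.path) in approved

# Constructed script requests, as a page and its ad slots might issue them.
REQUESTS = [
    "https://www.techdirt.com/js/comments.js",        # known first-party script
    "https://www.gov-example.pl/static/portal.js",    # known third-party script
    "https://cdn7.gov-example.pl/a/loader.js",        # attacker-added subdomain
    "https://www.techdirt.com/uploads/injected.js",   # new script on a known host
    "https://ads-broker.example.net/serve.js",        # unknown ad-network host
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"domain:{'RUN  ' if allowed_by_domain(r) else 'BLOCK'} "
              f"script:{'RUN  ' if allowed_by_script(r) else 'BLOCK'}  {r}")
```

The third and fourth requests are the ones the two policies disagree on: the domain allowlist runs them, the per-script allowlist does not.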

Anonymous Coward says:

Re: Third-party Javascript

“But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.”

Ummm, no. In fact: HELL no. That would be truly stupid.

I rarely trust any site permanently, and most of the ones referenced by techdirt I don’t even trust temporarily. I certainly don’t whitelist anything in my ad blocker, ever.

This doesn’t reduce the attack surface to zero, of course, but that’s why I do all the other things I do, including extensive firewalling and custom DNS handling. The idea isn’t to close every possible hole — that’s nearly impossible with a reasonable budget — but to try to asymptotically approach that goal, a little more every day.

Anonymous Coward says:

I just read about a Google+ attack which allows access to a person’s private cellphone photos backed up in Google’s cloud. Similar to Apple’s iCloud hack.

“According to the researcher, a SOME attack on Google+ is similar to the recent iCloud data breach in which the private photographs of several celebrities were leaked online. In an attack scenario described by Hayak during his Black Hat presentation, the victim takes some photographs with his/her mobile phone, and the files are automatically backed up via Google’s “Auto Backup” feature to a private location on Google+. The cybercriminal can use SOME to select all the photos from the target’s Google+ account and send them to his own server simply by getting the victim to click on a link.”

http://www.securityweek.com/black-hat-europe-hijacking-clicks-same-origin-method-execution

I’m scared to death about enabling javascript. Techdirt doesn’t require javascript, not even to post comments. I love this site. 🙂

Eldakka (profile) says:

Re: Re:

This is why I don’t auto-anything to a cloud service.

If I upload something to a cloud storage locker, it is explicitly and knowingly done every single time.

I try to avoid online cloud backup/storage as much as possible.

If I need synchronisation/file sharing services, if it’s some random file I don’t care about sure I’ll use dropbox or whatever to share it out. If it’s something I care about, I have a USB hard-drive attached to my router that I have secured (as far as is practical) that I can access from anywhere I can get a HTTPS connection.

John85851 (profile) says:

Not everyone who uses IE is a dummy

Before everyone gets all high and mighty about how only dummies use IE, consider this: there are hundreds of thousands (or maybe millions) of people who work in a corporate environment. Their computers are probably locked down so they can’t install their own software or they may need approval from their IT department. They physically can’t switch to Firefox or Chrome.

Granted, they shouldn’t be looking at YouTube during work hours anyway, but what if a big ad-network is compromised and people’s work-related sites are affected? For example, suppose a programmer needs an answer on StackExchange and their ad-network is serving malware. Is the person still a “dummy” for using IE?

How about putting the blame where it belongs: the ad company for allowing malware, the site for not knowing what the ad company is doing, and Microsoft for allowing IE to run malware in the first place. Or better yet, let’s blame AdBlock for not making their software available for IE. 😉
