Malicious ads being used on YouTube
YouTube is being used as a carrier for malicious ads, according to a blog post by Trend Micro. This is a recent development; previously, malicious advertising targeted social media sites. Several of the videos carrying malicious ads had several million views. Unpatched versions of Internet Explorer are vulnerable.
So far, the USA has been the country most affected by the campaign; 95.84% of all victims were located in the USA, according to Trend Micro. The blog post says that “The ads we’ve observed do not directly lead to malicious sites from YouTube.” It goes on to say that “the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.”
The attackers have set up subdomains on a Polish government site, which are then used to modify DNS lookups. At this stage, it is not known how the attackers were legally able to set up subdomains on a Polish government site, as there is no evidence that the site has been compromised.
The attack uses the Sweet Orange exploit kit, which in this campaign takes advantage of a bug in Internet Explorer that was patched by Microsoft in May 2013. Sweet Orange is also known to use exploits in Java and Flash. However, the YouTube campaign has only been observed to use the Internet Explorer vulnerability. An unpatched version of IE will download malware called TROJ_KOVTER.SM.
To guard against this type of attack, users should ensure that all software is kept up to date, with the latest patches installed. The Trend Micro blog post has additional details on the campaign.