Malicious YouTube ads lead to exploits, ransomware

In the last few months, Trend Micro researchers have been following a malvertising campaign that ended up affecting almost exclusively US users, at a rate of more than 113,000 per month.

In the latest stage of the campaign, the criminals behind it have concentrated their efforts on YouTube visitors, and have succeeded in making the ads appear on extremely popular videos.


“The ads we’ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers,” the researchers noted.

“In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)”
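The researchers' observation that the attackers added rogue subdomains to a legitimate domain, rather than compromising the site itself, points to a routine check a domain owner can run: compare the zone as actually served against an inventory of known names and owned address space. The script below is an added example and is not part of the Trend Micro report or this article; the domain, records and IP addresses are constructed, and the known-subdomain allowlist and owned-network list are assumptions that a real deployment would replace with its own zone inventory.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    """One resource record as exported from a zone or observed via resolution."""
    name: str
    rtype: str
    value: str


# Constructed sample zone for a hypothetical domain; the last two records
# stand in for subdomains an attacker added that point at infrastructure
# the domain owner does not control.
SAMPLE_ZONE = [
    DnsRecord("example.gov.pl", "A", "198.51.100.10"),
    DnsRecord("www.example.gov.pl", "A", "198.51.100.10"),
    DnsRecord("mail.example.gov.pl", "A", "198.51.100.25"),
    DnsRecord("cdn7.example.gov.pl", "A", "203.0.113.77"),                  # constructed rogue entry
    DnsRecord("ads.example.gov.pl", "CNAME", "tracker.example-ads.net."),  # constructed rogue entry
]

# Assumed inventory: names the owner expects to exist, and address ranges it owns.
KNOWN_SUBDOMAINS = {"example.gov.pl", "www.example.gov.pl", "mail.example.gov.pl"}
OWNED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def is_owned_ip(value, owned_networks=OWNED_NETWORKS):
    """True if value parses as an IP address inside one of the owned networks."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in owned_networks)


def _is_in_zone(hostname, apex):
    host = hostname.rstrip(".").lower()
    apex = apex.rstrip(".").lower()
    return host == apex or host.endswith("." + apex)


def audit_zone(records, apex, known=KNOWN_SUBDOMAINS, owned_networks=OWNED_NETWORKS):
    """Return {name: [reasons]} for every record that deviates from the inventory.

    A record is flagged when its name is not in the allowlist, when an A/AAAA
    record resolves outside the owned address space, or when a CNAME hands the
    name off to a host outside the zone.
    """
    findings = {}
    for rec in records:
        reasons = []
        if rec.name not in known:
            reasons.append("unknown subdomain")
        if rec.rtype in ("A", "AAAA") and not is_owned_ip(rec.value, owned_networks):
            reasons.append("points outside owned address space")
        if rec.rtype == "CNAME" and not _is_in_zone(rec.value, apex):
            reasons.append("CNAME to external host")
        if reasons:
            findings.setdefault(rec.name, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for name, reasons in audit_zone(SAMPLE_ZONE, "example.gov.pl").items():
        print(f"{name}: {', '.join(reasons)}")
```

Run against the constructed zone, the two rogue names are reported and the three legitimate ones are silent. In practice the record list would be fed from a zone transfer, the registrar's API, or periodic resolution of names seen in passive DNS, and the allowlist kept alongside the change-management record for the zone, so that any name appearing without a corresponding change ticket is investigated.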

The victims were ultimately redirected to a US-based server hosting the Sweet Orange exploit kit, which attempted to exploit a specific vulnerability in the visitors’ Internet Explorer browser.

The vulnerability in question was patched last year, so users who keep their IE updated were not harmed. But those who didn’t were saddled with a variant of the relatively new and unsophisticated Kovter malware – ransomware that uses information taken from the users’ browser history to persuade them to pay up.

Google has been notified of the campaign, and has likely by now put a stop to it.

“But if there is one thing users should learn from this particular example, it is that keeping their software updated is a great way to minimize the risk of their computers being compromised by generic malware,” said Dhanya Thakkar, Managing Director, India & SEA, Trend Micro.