Pagoda Blog


Cryptolocker Being Spread Via YouTube Ads

August 26, 2014

CyberheistNews Vol 4, 34

Editor's Corner

 

VirusBulletin reported that cyber criminals are now spreading Cryptolocker / CryptoWall via YouTube. Malware researchers Vadim Kotov and Rahul Kashyap discovered that the cyber criminals purchase advertising space and use exploit kits to infect workstations.

They ran into this while checking YouTube and website banners for situations where malware writers had in fact bought space to spread their malware on unpatched computers. The researchers wrote: "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits." 

YouTube ad space turns out to be a cheap and efficient way to spread browser malware while using the powerful YouTube geo-targeting features. Unfortunately, this is a highly profitable criminal business model. The researchers stated there was very little advertising networks could do to prevent the attacks. Obviously YouTube (Google) is going to try hard, but preventing this is not easy.

Now, spreading malware via ad networks in itself is nothing new. We have seen this since 2010, when scareware was promoted as "Free Security Scans", remember? The free scan found a host of "problems" and sold you a rip-off bogus AV product. Some of these same gangs have moved on to ransomware.

What is new here is this: clicking on a thumbnail after the first video causes a redirect, an exploit kit located on a compromised website kicks in and looks for a known unpatched vulnerability, and once it finds one, it executes ransomware code which locks all files and extorts $500. These exploit kits check for hundreds of known holes in mere seconds, so the "ad-network" threat just escalated to a much higher level.

So, there are a few best-practice points to consider here. Patching end-user workstations as soon as possible gets higher importance. I would look at blocking YouTube at the edge and/or deploying ad blockers in your Internet filter or as browser plug-ins. And of course, you guessed it, educate your users! Story at VirusBulletin:
https://www.virusbtn.com/blog/2014/08_15.xml

 

http://blog.knowbe4.com/bid/395207/CyberheistNews-Vol-4-34-Cryptolocker-Being-Spread-Via-YouTube-Ads



