Fake YouTube Site Strikes Visitors With Three-Staged Attack


Security researchers have discovered a malicious website posing as a legitimate YouTube page that uses social engineering, drive-by downloads and ransomware to lock a visitor's machine in an attempt to extort money from the victim.

The attack site uses porn to lure victims but then combines the attacks, bringing a victim's system to a grinding halt, said Jerome Segura, a senior security researcher at San Jose, Calif.-based Malwarebytes. In his analysis of the activity, Segura said all three stages are classic attacks designed to spread malware, hijack a victim's system and steal account credentials. Combining the attacks is out of the ordinary, he wrote.

"To me, the best attacks are those that are stealth and remain on a system for long periods of time," Segura wrote. "I wonder if the crooks behind this attack were just too greedy or perhaps wanted to test how good the 'conversion rates' would be."


The attack begins when the site prompts a visitor to download and install a phony Flash Player update. Once downloaded, the victim's system is immediately locked up and rebooting is futile, Segura said. A phony porn archive then tricks visitors into downloading fake Windows Media videos that deliver additional malware to the victim's system.

The second stage is an HTML-based ransomware attack, which makes it difficult to shut down the browser. Using malicious JavaScript, the page responds to any attempt to click away from it by opening a long series of frustrating pop-up messages, Segura said. The attack is similar to previously discovered FBI ransomware campaigns that display a phony violation message from law enforcement, demanding payment of a fine to remove the message.

The final stage is a stealthy infection that exploits an older vulnerability in the browser's Java plugin. The malware it delivers attempts to steal data.

Malicious code that attempts to lock up the browser or a victim's system has been a trending attack technique. Attackers had been tricking victims with fake antivirus software, but they have turned to browser-based hijacking because it has worked so well, said Aleks Gostev, chief security expert at Kaspersky Lab. In a recent interview with CRN, Gostev said the vast majority of attacks are being carried out by financially motivated cybercriminals attempting to steal credit card data and account credentials.

"Millions of people can be infected without complex malware," Gostev said. "There is no real need for sophisticated methods because the current methods are working well."

The latest threat report from McAfee also found that ransomware has been increasing. The number of new samples in the second quarter of 2013 was greater than 320,000, more than twice as many as the previous period, McAfee said.

Unlike fake antivirus software, which attempts to collect payment via credit card, ransomware uses anonymous payment services, making it more difficult for law enforcement and security researchers to track down, McAfee said. Citadel and other popular attack toolkits make it even easier to carry out ransomware attacks, the firm said.

Using a combination of attacks is a poor way to carry out a campaign because it makes it easier for antivirus software and network security appliances to detect suspicious activity, said Malwarebytes' Segura. "This multipronged attack is not representative of what we would normally see in the wild," Segura wrote.

PUBLISHED AUG. 26, 2013