Not Just Governments Hacking Your Computers Via YouTube Videos; Malicious Ads Found On Popular Videos
from the danger-danger dept
Over the summer, a research report came out detailing how “lawful intercept” offerings from Hacking Team and FinFisher could be used to hack computers via YouTube videos. YouTube quickly closed the vulnerability that enabled this (a man-in-the-middle attack on non-SSL’d videos), but it appears that criminals are still figuring out ways to use YouTube videos to hack your computer. The latest trick: exploiting ads on popular YouTube videos:
This was a worrying development: not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views ? in particular, a music video uploaded by a high-profile record label.
The ads we?ve observed do not directly lead to malicious sites from YouTube. Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.
In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site. The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers. (How they were able to do this is unclear.)
The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.
The target here: computers using Internet Explorer (based on our stats, this means that most of the people reading this site were safe from this particular attack). Once again, we see how scammers are using traditional ad networks to do nefarious things. And yet publishers still wonder why so many people decide to use ad blockers.
Filed Under: ads, malicious ads, scammers, videos, youtube
Companies: google
Comments on “Not Just Governments Hacking Your Computers Via YouTube Videos; Malicious Ads Found On Popular Videos”
The target here: computers using Internet Explorer
So it’s an attack on users already using malware. On math two minuses equal a plus so all is good. /derp
Re: Re:
One clue should be that recently IE had a breach so bad that the government had to issue warnings to use another browser. Explorer is only for people too stupid not to use it. Probably the same idiots that click on unknown email attachments, log in from a a phishing message and fill in their account number, social security and mother’s maiden name.
Re: Re: Re:
“Explorer is only for people too stupid not to use it.”
Woah, woah, woah. That’s uncalled for, man. Plenty of people use Internet Explorer and they are smart. For example, many people use IE to download Chrome or Firefox. That’s a very smart thing to so.
Re: Re: Re: Re:
For me that was when I was running Windows 95 and Explorer would get so many pop ups at one time it could lock your system.
A while back a favorite site had a message that they were working to fix a hack. I couldn’t see anything wrong at all but out of curiosity I tried it with Explorer. It redirected to a scare ware site with the phony scan telling me I had many dangerous viruses and trojans.
Re: Re: Re:
This isn’t the first time, either. I remember fixing up a computer that a friend’s family had had trashed by a virus. They were using IE, and the first thing I did once I had the system up and running was download and install Firefox for them. And I remember telling them that IE was one big security hole, and that the US Government had recently issued a warning against using it, and that you know something is truly filthy when even the government doesn’t want to get contaminated by touching it!
I don’t remember exactly when this warning came out, but I do recall installing WinXP and downloading Service Pack 2, which was still pretty new, and Wikipedia says that came out in 2004. So… yeah.
Re: Re: Re: Re:
The warning I was referring to was recent, just a couple of months ago. I guess not much has changed.
Re: Re: Re:
or you know, people that work at large corporations with sharepoint intranets, that are browsing from work instead of working.
Re: Re: Re:
Or, you know, if you are using a Windows tablet. Chrome, Firefox, et al are pretty crappy trying to use them with touch.
Re: Re:
And people say I’m paranoid for running No(t)Script and SSL Everywhere. Sounds like it protected me from these YouTube ads.
DNS Spoofing
I assume that Trend Micro is trying to speak precisely and carefully here and that they mean they haven’t proven how the attackers accomplished this. However, this sort of thing is almost always done through DNS cache poisoning: http://en.wikipedia.org/wiki/DNS_spoofing
This is an architectural problem with DNS and is one of the primary reasons why we need DNSSEC so desparately.
Re: DNS Spoofing
We DO need DNSSEC, but it’s not a panacea for this kind of attack: if those behind it actually had control of a delegated zone, then DNSSEC would just confirm its accuracy just as much as any other zone. (The wording make it unclear whether they really did attack the DNS zone at its source.)
Re: Re: DNS Spoofing
Absolutely true. DNSSEC is really more like a hack. The security problems with DNS are architectural, and so they can’t really be fixed without actually redesigning DNS. But it’s not feasible to do that since it would mean all DNS servers and clients would have to be replaced.
DNSSEC is a compromise, trying to bolt security onto the side. It’s not a panacea, but it is much better than what we have right now.
If my job would let me use something other than IE I would.
Sounds like the criminals are using that golden shower key that the FBI director was talking about, or were they backdooring users instead.
Glad I use an ad blocker
If you block the ads, you can’t be compromised, right?
https://chrome.google.com/webstore/detail/adblock/gighmmpiobklfepjocnamgkkbiglidom
Not just ad blockers
“And yet publishers still wonder why so many people decide to use ad blockers.”
Good point, but even that’s not enough. I’ve resorted to a combination of firewall rules, HTTP proxy rules, and DNS RPZ in order to — as much as possible — make all advertising invisible from inside the network I operate. (Note that doing this at the network perimeter isn’t for everyone, but that it does have the advantage of working no matter what users do.)
The initial reason was just the annoyance, but the security and privacy risks have now become so massive that they make the original irritation trifling by comparison. The operators of ad networks have proven, over and over again, that they only care about stats and revenue and can’t be bothered to police their own operations: so the heck with them, their traffic is no longer welcome here.
They use the malware ads to steal peoples’ credit card numbers and bank data and such, then use their stolen profits to buy even more malware ad placement.
Just how much ad money is stolen money, anyway? Could the ad networks be charged with money laundering?
This article illustrates precisely why I use ad blockers and will continue to do so. It’s about personal security. I notice that lots of sites want to moan about ads being blocked and even going so far as to accuse surfers of stealing their income by blocking those ads, such as ARSTechnia tried years ago.
I notice that if I get malware (rare) no one from the ad agencies or websites offer to send someone to clean up your computer. I won’t be part of a one way deal like that. Since ad agencies won’t keep their own houses clean, it’s up to me to take care of it and I do.
As long as it is a security issue, no ads will be displayed on my computer and I will move heaven and earth to remove any that manage to make it through.
so blocking ads is not only out of annoyance but SECURITY, i mean, come on, the nature of ads and getting one on a popular items, its to freaking obvious that this would lead to a drive for ad exploits
Firefox Adblock Edge, Better Privacy,Random Agent Spoofer, Disconnect , and vpn
Re: Re:
You forgot RequestPolicy
Third-party Javascript
Most people say “just use NoScript”, but even they don’t quite get the real power of NoScript.
Say you have a site you like a lot, let’s call it, say, techdirt.com. It includes Javascript from several places all over the map (google, reddit, facebook, and so on). But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.
Now one of these third parties gets tricked to include Javascript from an attacker-controlled source. What happens? You never unblocked the attacker-controlled source, so it doesn’t run.
Here we have a very permissive use of NoScript (instead of the usual more paranoid way in which one only whitelists the third parties which are needed to not break the page), and yet, it was enough to get protected!
The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains.
Re: Third-party Javascript
“But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.”
Ummm, what?? I do no such thing. Why in the world would I do that?
“The real power of NoScript is not blocking Javascript everywhere. The real power of NoScript is blocking Javascript from unknown domains.”
Yes, this is one of the (many) really wonderful things that you can do with NoScript. But my favorite (at least, my favorite of the features I use all the time) is the ability to selectively block or allow specific scripts from the same domain. I don’t have to allow all the scripts hosted on techdirt.com have the ability to run.
Since this particular attack involves DNS spoofing, the ability to block scripts from unknown domains doesn’t do much to stop the attack — your browser erroneously believes that the scripts are coming from a known domain (presumably one that you “trust”). However, blocking all scripts and then allowing the specific ones that you care about, regardless of where they are coming from, is much more effective for this sort of thing.
Re: Third-party Javascript
“But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.”
Ummm, no. In fact: HELL no. That would be truly stupid.
I rarely trust any site permanently, and most of the ones referenced by techdirt I don’t even trust temporarily. I certainly don’t whitelist anything in my ad blocker, ever.
This doesn’t reduce the attack surface to zero, of course, but that’s why I do all the other things I do, including extensive firewalling and custom DNS handling. The idea isn’t to close every possible hole — that’s nearly impossible with a reasonable budget — but to try to asymptotically approach that goal, a little more every day.
Re: Third-party Javascript
“But you trust techdirt to trust these third parties, so you unblock them all in NoScript (Permanently Allow each one). You also whitelist it on your ad blocker.”
Actually I put them into the untrustworthy category.
Every time I see someone using IE, it makes me a little more dead inside…
Re: Re:
If you think you’ve got it bad, think of what the poor computer has to go through with a security vulnerability like that on the system.
Re: Re:
It’s not that bad. I don’t use it, but it’s not that bad.
I just read about a Google+ attack which allows access to a person’s private cellphone photos backed up in Google’s cloud. Similar to Apple’s iCloud hack.
“According to the researcher, a SOME attack on Google+ is similar to the recent iCloud data breach in which the private photographs of several celebrities were leaked online. In an attack scenario described by Hayak during his Black Hat presentation, the victim takes some photographs with his/her mobile phone, and the files are automatically backed up via Google’s “Auto Backup” feature to a private location on Google+. The cybercriminal can use SOME to select all the photos from the target’s Google+ account and send them to his own server simply by getting the victim to click on a link.”
http://www.securityweek.com/black-hat-europe-hijacking-clicks-same-origin-method-execution
I’m scared to death about enabling javascript. Techdirt doesn’t require javascript, not even to post comments. I love this site. 🙂
Re: Re:
This is why I don’t auto-anything to a cloud service.
If I upload something to a cloud storage locker, it is explicitly and knowingly done every single time.
I try to avoid online cloud backup/storage as much as possible.
If I need synchronisation/file sharing services, if its some random file I don’t care about sure I’ll use dropbox or whatever to share it out. If it’s something I care about, I have a USB hard-drive attached to my router that I have secured (as far as is practical) that I can access from anywhere I can get a HTTPS connection.
"IE" == "Internet Exploder"
Line your stroll down the Information SuperHighway with Improvised Exploding Devices (IEDs)!
With a Linux/*BSD install disk, you won’t even need IE to install a decent browser.
Not everyone who uses IE is a dummt
Before everyone gets all high and mighty about how only dummies use IE, consider this: there are hundreds of thousands (or maybe millions) of people who work in a corporate environment. Their computers are probably locked down so they can’t install their own software or they may need approval from their IT department. They physically can’t switch to Firefox or Chrome.
Granted, they shouldn’t be looking at YouTube during work hours anyway, but what if a big ad-network is compromised and people’s work-related sites are affected? For example, suppose a programmer needs an answer on StackExchange and their ad-network is serving malware. Is the person still a “dummy” for using IE?
How about putting the blame where it belongs: the ad company for allowing malware, the site for not knowing what the ad company is doing, and Microsoft for allowing IE to run malware in the first place. Or better yet, let’s blame AdBlock for not making their software available for IE. 😉
Re: Not everyone who uses IE is a dummt
“Is the person still a “dummy” for using IE?”
No, the company is for requiring it.