More YouTube Impersonations target weak web servers
Using popular websites in well crafted social engineering tricks in order to distribute malware is nothing new. However, I found this example that goes one step further.
For starters, it uses the default YouTube template and embeds an iframe in it that points to the malicious file. Of course, both pages are hosted on a compromised website. The only way you can tell (leaving aside the obvious adult video) that this is not the real YouTube is by checking the address bar at the top of the browser. Although the website may not look malicious, it is definitely not YouTube’s.
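The trick described above (a page that borrows YouTube’s branding but is served from another host, with a frame or download link that leads to an executable) can be checked for mechanically. The following is an added illustration, not code from the original post: it parses a page with Python’s standard HTML parser and reports a mismatch between the branded title and the serving host, and any iframe or link whose target path ends in an executable extension. The page URL, host name and HTML below are constructed placeholders, not the compromised site from the post.

```python
"""Flag lookalike pages: branded as YouTube but served from another host,
with frames or download links that point at executables.
Added illustration; the sample page and host are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

EXECUTABLE_EXT = (".exe", ".scr", ".com", ".bat", ".msi", ".pif")
BRAND_HOSTS = {"youtube.com", "www.youtube.com"}  # hosts allowed to carry the brand


class _PageCollector(HTMLParser):
    """Collects the <title> text, iframe src values and anchor href values."""

    def __init__(self):
        super().__init__()
        self.title_parts = []
        self._in_title = False
        self.iframes = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title_parts.append(data)


def host_of(url):
    """Lower-cased host name of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def analyse_page(page_url, html):
    """Return a list of human-readable findings for one fetched page."""
    p = _PageCollector()
    p.feed(html)
    title = "".join(p.title_parts).strip()
    findings = []

    # Brand in the title but the page is not served from the brand's hosts.
    page_host = host_of(page_url)
    if "youtube" in title.lower() and page_host not in BRAND_HOSTS:
        findings.append(f"title claims YouTube but page host is {page_host}")

    # Frames and links whose target is an executable rather than media.
    for kind, targets in (("iframe", p.iframes), ("link", p.links)):
        for target in targets:
            absolute = urljoin(page_url, target)
            if urlparse(absolute).path.lower().endswith(EXECUTABLE_EXT):
                findings.append(f"{kind} points at executable {absolute}")
    return findings


# Constructed sample: a fake player page on a placeholder host.
SAMPLE_URL = "http://b2b-portal.example/videos/watch.html"
SAMPLE_HTML = """<html><head><title>YouTube - Broadcast Yourself</title></head>
<body><iframe src="/images/full_video.exe"></iframe>
<a href="/images/full_video.exe">Download Now Full Video</a></body></html>"""

if __name__ == "__main__":
    for line in analyse_page(SAMPLE_URL, SAMPLE_HTML):
        print(line)
```

Run against a crawler’s output, this gives a first triage signal; the address-bar check the post recommends is exactly the host comparison in `analyse_page`.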
The site in question is a B2B online solutions portal which has been attacked by a hacker and is now serving “fake” adult movies. You have to feel sorry for the company, but unless they get an email notification from someone who cares, this situation could go on for a long time. Or maybe one day they’ll find themselves on a blacklist and wonder why… Google’s Stopbadware will prevent people from clicking on sites within search results if they have been identified as dangerous.
To go back to this hack, we have a fake YouTube page with a picture of an adult movie. The movie does not play, it is on “Pause”. Yes, there will be enough people that will want to see more and will do as they’re told: “Download Now Full Video”. By the way, isn’t that bad grammar? Hmm…

Now, another surprise: instead of a movie file, you will get an executable. But again, at least half the people who got as far as clicking on the link will proceed anyway. The file is, to nobody’s surprise, infected with a Trojan. Very bad things will happen once it is executed. Hijacked desktops and scary warning messages: sound familiar?

Now another thing that surprised me was to see how cozy the hacker had made himself on this hacked website. Not only is this legitimate site hosting the nasty Trojan horse, but also all the adult pictures used to create the fake video. As I noticed by clicking the refresh button, there are many more (46) adult content photos. This is bad from a legal point of view too. Imagine for a minute that the hacker had put child pornography there; the consequences for that business could be very detrimental.
To minimize the footprint on the web server, the hacker naturally placed the pictures under the typical /images/ directory where company logos and other corporate material live!
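Because the attacker parked both the pictures and the Trojan under the site’s own /images/ directory, a periodic audit of that directory is a cheap way for an administrator to notice this kind of squatting. The following is an added example, not the post’s own tooling: it walks a directory and reports files with a non-image extension, image-named files whose leading bytes are actually a Windows executable (`MZ` header), and anything modified after a reference time (for instance the last legitimate deployment). The sample directory is constructed in a temporary folder; the file names are placeholders.

```python
"""Audit a web server's /images/ directory for files that do not belong.
Added illustration; the sample directory below is constructed, not real."""
import os
import tempfile
import time
from pathlib import Path

# Leading bytes expected for each image extension.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def classify(path: Path, newer_than: float):
    """Return the reasons a file looks out of place (empty list if none)."""
    reasons = []
    ext = path.suffix.lower()
    with path.open("rb") as fh:
        head = fh.read(8)
    if head.startswith(b"MZ"):
        reasons.append("Windows executable (MZ header)")
    if ext in IMAGE_MAGIC:
        if not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
            reasons.append(f"content does not match {ext} signature")
    else:
        reasons.append(f"unexpected extension {ext or '(none)'}")
    if path.stat().st_mtime > newer_than:
        reasons.append("modified after reference time")
    return reasons


def audit_images_dir(root, newer_than):
    """Map file name -> reasons for every suspicious file under root."""
    findings = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            reasons = classify(p, newer_than)
            if reasons:
                findings[p.name] = reasons
    return findings


def build_sample_dir():
    """Constructed sample: two old legitimate images, two fresh intruders."""
    d = Path(tempfile.mkdtemp(prefix="images_"))
    old = time.time() - 30 * 86400  # 30 days ago
    (d / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    os.utime(d / "logo.png", (old, old))
    (d / "banner.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 16)
    os.utime(d / "banner.jpg", (old, old))
    # Fresh files: a bare executable and an executable disguised as a thumbnail.
    (d / "full_video.exe").write_bytes(b"MZ" + b"\0" * 30)
    (d / "thumb01.jpg").write_bytes(b"MZ" + b"\0" * 30)
    return d


if __name__ == "__main__":
    sample = build_sample_dir()
    a_week_ago = time.time() - 7 * 86400
    for name, why in audit_images_dir(sample, a_week_ago).items():
        print(name, "->", "; ".join(why))
```

On a real server, point `audit_images_dir` at the document root’s /images/ path and set the reference time to the last known-good deployment; the mtime check alone would have surfaced files dropped “less than a week ago”, as in this case.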


As you can see by the date, this hack happened less than a week ago. Web administrators need to be very thorough when it comes to securing web servers. Weak passwords and unpatched software are a sure way to get hacked.
Jerome Segura