A malware delivery campaign aimed at making victims’ computers surreptitiously view YouTube videos and, consequently, artificially inflate their popularity so that scammers might earn money from the ads embedded in them, has been targeting users around the world for months now.
The malware that makes it possible is dubbed Tubrosa. It consists of two components: one that is delivered via spear-phishing spam emails and is installed by careless users, and the other that is downloaded and run by the first component.
The malware gets a list of nearly a thousand YouTube links from its C&C server, and it begins to open them in the background of the infected computer. In order to keep its activity as secret as possible from the user, the malware turns down the volume of the speakers. If the user does not use Adobe Flash, the malware will download it and install it so that the videos can be viewed.
“The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google security checks, the malware dynamically changes the referrer (REFS.txt) and the useragent (UA.txt) using two PHP scripts. This allows the malware to pretend to be a new connection to Google servers, appearing like a different user is connecting to the same videos,” Symantec researchers have discovered.
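The behaviour described above, a single infected host requesting hundreds of YouTube videos while swapping its Referer and User-Agent on every connection, leaves a recognisable pattern in a web proxy log even when the tricks are enough to fool the video site. As an added example, not part of this article or of Symantec's analysis, the Python below parses constructed proxy log lines and flags client IPs whose YouTube watch-page traffic carries more distinct User-Agent strings than a real person would plausibly run; the log layout, the sample lines, and the thresholds in `flag_rotating_hosts` are all assumptions to be tuned to your own environment.

```python
import re
from collections import defaultdict

# Assumed proxy log layout (constructed for this example, not a real product format):
#   <timestamp> <client_ip> <host> <path> "<user_agent>" "<referer>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<host>\S+) (?P<path>\S+) '
    r'"(?P<ua>[^"]*)" "(?P<ref>[^"]*)"$'
)

# Constructed sample lines. 10.0.0.5 shows the rotation pattern: every video
# request carries a different User-Agent and Referer. 10.0.0.7 is an ordinary
# user on one browser; 10.0.0.9 makes too few requests to judge.
SAMPLE_LOG = """\
2014-12-01T10:00:01Z 10.0.0.5 www.youtube.com /watch?v=vid001 "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0" "https://www.google.com/"
2014-12-01T10:00:09Z 10.0.0.5 www.youtube.com /watch?v=vid002 "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/537.36" "https://twitter.com/"
2014-12-01T10:00:17Z 10.0.0.5 www.youtube.com /watch?v=vid003 "Mozilla/5.0 (X11; Linux x86_64) Chrome/39.0" "https://www.facebook.com/"
2014-12-01T10:00:25Z 10.0.0.5 www.youtube.com /watch?v=vid004 "Mozilla/5.0 (Windows NT 6.3) Chrome/39.0" "https://www.reddit.com/"
2014-12-01T10:00:33Z 10.0.0.5 www.youtube.com /watch?v=vid005 "Mozilla/5.0 (iPhone; CPU iPhone OS 8_1) Safari/600.1.4" "https://www.bing.com/"
2014-12-01T10:00:41Z 10.0.0.5 www.youtube.com /watch?v=vid006 "Opera/9.80 (Windows NT 6.1) Presto/2.12" "https://www.yahoo.com/"
2014-12-01T10:01:02Z 10.0.0.7 www.youtube.com /watch?v=vid001 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "https://www.youtube.com/"
2014-12-01T10:03:10Z 10.0.0.7 www.youtube.com /watch?v=vid010 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "https://www.youtube.com/"
2014-12-01T10:06:44Z 10.0.0.7 www.youtube.com /watch?v=vid011 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "https://www.youtube.com/"
2014-12-01T10:09:05Z 10.0.0.7 www.youtube.com /watch?v=vid012 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "https://www.youtube.com/"
2014-12-01T10:12:30Z 10.0.0.7 www.youtube.com /watch?v=vid013 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "https://www.youtube.com/"
2014-12-01T10:15:51Z 10.0.0.7 www.youtube.com /watch?v=vid014 "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "https://www.google.com/"
2014-12-01T10:20:00Z 10.0.0.9 www.youtube.com /watch?v=vid020 "Mozilla/5.0 (Windows NT 6.1) Firefox/33.0" "https://www.google.com/"
2014-12-01T10:21:00Z 10.0.0.9 www.youtube.com /watch?v=vid021 "Mozilla/5.0 (Macintosh; Intel Mac OS X) Safari/537.36" "https://twitter.com/"
2014-12-01T10:22:00Z 10.0.0.7 example.com /index.html "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0" "-"
"""


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def youtube_profile(records):
    """Per client IP: how many YouTube watch pages it requested, and with how
    many distinct User-Agent and Referer values."""
    per_host = defaultdict(lambda: {"requests": 0, "uas": set(), "refs": set()})
    for r in records:
        if r["host"].endswith("youtube.com") and r["path"].startswith("/watch"):
            p = per_host[r["ip"]]
            p["requests"] += 1
            p["uas"].add(r["ua"])
            p["refs"].add(r["ref"])
    return per_host


def flag_rotating_hosts(per_host, min_requests=5, max_distinct_ua=2):
    """Return client IPs whose YouTube traffic looks machine-driven: enough
    requests to judge, and more distinct User-Agents than one person would
    plausibly use. Both thresholds are assumptions; tune them per environment."""
    flagged = {}
    for ip, p in per_host.items():
        if p["requests"] >= min_requests and len(p["uas"]) > max_distinct_ua:
            flagged[ip] = {
                "requests": p["requests"],
                "distinct_ua": len(p["uas"]),
                "distinct_referer": len(p["refs"]),
            }
    return flagged


if __name__ == "__main__":
    hits = flag_rotating_hosts(youtube_profile(parse_log(SAMPLE_LOG)))
    for ip, info in sorted(hits.items()):
        print(ip, info)
```

On the sample data only 10.0.0.5 is reported (six watch requests, six User-Agents, six Referers); the host on a single browser and the host with two requests are left alone. In practice the same per-host aggregation would be run over a sliding time window, and the Referer diversity is a useful second signal, since a normal viewer arrives at most videos from YouTube itself or from one or two sites.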
The scammers started distributing the malware in August 2014, and the campaign continues to this day. South Korean, Indian and Mexican users were the most targeted so far.
While Google says that its systems protect advertisers against this scam, Internet users are not so lucky. They must rely on a security solution to spot the malware, and if it fails to do so, their computers' performance will suffer.
Other victims of this scam are the authors of the gaming videos the scammers have copied and are using, as they should be the ones to profit from the ads embedded in them.
Symantec researchers estimated that the scammers have so far earned several thousand dollars via this particular campaign. It’s impossible to know, but it’s likely they are running other similar ones at the same time.