Scammers are earning advertising revenue by spreading click-fraud malware Tubrosa, which sends compromised computers to their YouTube videos.
A new Click-fraud malware campaign aimed at earning money by using the victim’s machine to view YouTube videos and benefits from ads embedded in them.
The malicious campaign, discovered by experts at Symantec, has targeted users around the world for months by serving a malware dubbed Tubrosa. The click-fraud threat Trojan Tubrosa is composed by two modules, one that is delivered via
spear-phishing emails and a second one that is downloaded and run by the first component.
“A few weeks ago, we noticed a two-component click-fraud malware (detected as Trojan.Tubrosa) taking advantage of the YouTube Partner Program. The attackers compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views. This allows the scammers to take advantage of the YouTube Partner Program validation process and monetize their fraudulent activity.” states a blog post published by Symantec.
The Tubrosa Click-fraud malware receives a list of nearly a thousand YouTube links from the C&C server and opens them in the background of the infected machine. The malicious code uses some tricks to avoid arousing suspicion, in fact, it turns down the volume of the speakers while it opens the video in the background, even if there isn’t installed the Adobe Flash player the infected machine, the malware downloads it and installs it to allow viewing of the videos.
Symantec experts estimated that the scammers have so far earned several thousand dollars via this particular campaign. It’s impossible to know, but it’s likely they are running other similar ones at the same time.
A possible indicator of infection is a significant performance degradation of the victim’s machine.
“The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google security checks, the malware dynamically changes the referrer (REFS.txt) and the useragent (UA.txt) using two PHP scripts. This allows the malware to pretend to be a new connection to Google servers, appearing like a different user is connecting to the same videos,” reports Symantec.
According to Symantec, the scammers started distributing the malware in August 2014, and the campaign is still ongoing. The Tubrosa Click-fraud malware mainly infected systems in South Korea, India and Mexico and US.
Symantec researchers estimated that the scammers have so far earned several thousand dollars via this Click-fraud malware campaign and they haven’t excluded that bad actors are running other similar ones campaigns.
To prevent computers from being compromised with click-fraud malware such as Trojan.Tubrosa, Symantec suggested the respect of the following best practices:
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails
- Avoid clicking on links in unsolicited, unexpected, or suspicious emails
- Avoid opening attachments in unsolicited, unexpected, or suspicious emails
- Use comprehensive security software
Pierluigi Paganini
(Security Affairs – Click-fraud malware, YouTube)
Pierluigi Paganini Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
