October 9, 2008

Hackers Dupe Victims With Phony YouTube Sites

A tricky new cyber-attack is underway in which criminals have created fake YouTube pages to push their malicious software onto the computers of unsuspecting users.

Savvy Internet users have long known that downloading unsolicited programs is one of the riskiest things a Web surfer can do. Hackers often use these programs to install viruses or other time bombs onto a person's computer.

However, the phony YouTube pages look so much like the real ones that even sophisticated Internet users might fall victim to attack, mistakenly believing they are downloading software from a trusted source.

A new program is now circulating on the Web that helps cyber criminals construct the fake pages. Victims who follow an e-mail link to one of the phony pages would then see an error message saying the video they want to view won't play without first installing new software. The error message contains a link to a malicious program, which then delivers a virus.

To make matters worse, once the computer is infected, the hacker can simply and silently redirect victims to the real YouTube video they originally wanted to see. 

"It's spot-on accurate, and that is scary," Jamz Yaneza, threat research manager for Trend Micro Inc., told the Associated Press.

"If I were watching YouTube videos all day I would probably click on this one."

The tactic of spoofing legitimate Web sites isn't new, and criminals have long sought ways to build more convincing fakes and use the tactic to trick people into downloading malicious software. And while the latest ploy does not target any vulnerability in the YouTube site, it demonstrates that criminals are getting better at creating phony sites and perfecting the "social engineering" methods used to fool potential victims.

Fortunately, alert Web surfers can still spot the telltale warning signs on the bogus YouTube pages. For instance, the Web browser won't display the real YouTube's Internet address. And to get to the malicious page, a user must first follow an e-mail link, which is typically a sign to independently verify the site's legitimacy.

