430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Click-fraud malware drives millions of views to YouTube videos

Scammers are earning advertising revenue by spreading click-fraud malware Tubrosa, which sends compromised computers to their YouTube videos. A new Click-fraud malware campaign aimed at earning money by using the victim’s machine to view YouTube videos and benefits from ads embedded in them. The malicious campaign, discovered by experts at Symantec, has targeted users around the world […]

Click-fraud malware drives millions of views to YouTube videos

Scammers are earning advertising revenue by spreading click-fraud malware Tubrosa, which sends compromised computers to their YouTube videos.

A new Click-fraud malware campaign aimed at earning money by using the victim’s machine to view YouTube videos and benefits from ads embedded in them.
The malicious campaign, discovered by experts at Symantec, has targeted users around the world for months by serving a malware dubbed Tubrosa. The click-fraud threat Trojan Tubrosa is composed by two modules, one that is delivered via spear-phishing emails and a second one that is downloaded and run by the first component.
“A few weeks ago, we noticed a two-component click-fraud malware (detected as Trojan.Tubrosa) taking advantage of the YouTube Partner Program. The attackers compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views. This allows the scammers to take advantage of the YouTube Partner Program validation process and monetize their fraudulent activity.” states a blog post published by Symantec.
The Tubrosa Click-fraud malware receives a list of nearly a thousand YouTube links from the C&C server and opens them in the background of the infected machine. The malicious code uses some tricks to avoid arousing suspicion, in fact, it turns down the volume of the speakers while it opens the video in the background, even if there isn’t installed the Adobe Flash player the infected machine, the malware downloads it and installs it to allow viewing of the videos.
Click-fraud malware campaign tubrosa

Symantec experts estimated that the scammers have so far earned several thousand dollars via this particular campaign. It’s impossible to know, but it’s likely they are running other similar ones at the same time.

A possible indicator of infection is a significant performance degradation of the victim’s machine.
“The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google security checks, the malware dynamically changes the referrer (REFS.txt) and the useragent (UA.txt) using two PHP scripts. This allows the malware to pretend to be a new connection to Google servers, appearing like a different user is connecting to the same videos,” reports Symantec.
According to Symantec, the scammers started distributing the malware in August 2014, and the campaign is still ongoing. The Tubrosa Click-fraud malware mainly infected systems in South Korea, India and Mexico and US.
Tubrosa Click-fraud malware
Symantec researchers estimated that the scammers have so far earned several thousand dollars via this Click-fraud malware campaign and they haven’t excluded that bad actors are running other similar ones campaigns.

To prevent computers from being compromised with click-fraud malware such as Trojan.Tubrosa, Symantec suggested the respect of the following best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Use comprehensive security software

Pierluigi Paganini

(Security Affairs – Click-fraud malware, YouTube)