Monday, December 14, 2009

Malware Threat Warning! Scam via Online Video!

This is not a prank! I just stumbled across this when videos by the YouTube user Kaleigh421112Trang suddenly showed up in my subscriptions (based on keywords) for my CirqueDuSoleilGuru account.

I deliberately left the URLs in this post unlinked, to prevent any accidental harm to readers. You can copy and paste the URLs into your browser's address bar, if you know what you are doing, at your own risk. Don't say that I did not warn you!

The user account in question was just created on 12/13/2009.

By now this user has already uploaded 190 virtually identical videos that don't show much, except a message that the video cannot be watched on YouTube due to a length limitation; see the description for a link to the full video, etc. Here is a screen shot of it.

[Screenshot: YouTubeScam01]

E.g. Circus Circus Part 1/13 Online*: http://www.youtube.com/watch?v=l5kYgqUX0rE

*This video was actually already taken down by YouTube, maybe because I flagged it as spam from an established YouTube account with almost 2000 subscribers. But most of the other videos are still up as I am writing this. For example this one: http://www.youtube.com/watch?v=hJj-PkdLqac (which I also reported, so it is probably being removed shortly as well).

[Screenshot: YouTubeScam05]

The videos that are still up all include a short description and an obscured link with a tracking code, embedded via the redirection service TinyURL.com. In the example video that I mentioned before and already reported to YouTube, the URL was: http://tinyurl.com/ycksuwy&499420166

Here Comes The Scammy Part

That URL redirects to: http://www.onlinemoviedb.info/watch.php?vid=Dreaming_in_Circus

The page states that a plug-in must be downloaded to watch the video. It includes multiple links from which you are supposed to download the needed plug-in, such as this one (Warning! Do not download and execute!):

http://preview.licenseacquisition.org/48/1056428137.51143/vlc-1.0.1-win32.exe

The referenced EXE “vlcsetup.exe” is 328,984 bytes in size. The file name implies that the plug-in is related to the freeware VideoLAN video player, which it is not.

[Screenshot: YouTubeScam02]

I downloaded the executable without starting it. I then scanned it with McAfee VirusScan, which did not detect anything yet. So I uploaded it to VirusTotal.com, an online on-demand virus and malware scanner, which scans files using over 50 different scanners such as McAfee, F-Secure, BitDefender, Kaspersky, Panda, PC Tools, Sophos, Trend Micro and others.

Obviously I wasn't the first one to check the file, because a report was already available*, which gives it a 37% probability of being infected. It is probably new, and I bet the probability will increase as I write this (as will the uploads of virtually identical videos with the same purpose to YouTube).

Here is the link to the report from VirusTotal.com.


* VirusTotal.com knows that it is the same file somebody else already submitted, not based on the file size and file name, because those could easily be faked. It uses so-called checksums that are generated from the entire content of the file. The checksums for this file are, for example:

MD5   : bead2d46d08ff080ac4a6d0908922230
SHA1  : 0697fe4257419efc39921c9da71c8339cde3f463
SHA256: 6e62e219e38c90562a59851b72f2929000b599a6ddd0f2482c7b1acda0a8ce9d
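As an added example (not code from the original post), this small Python script shows what the checksum footnote means in practice: the same bytes give the same digests whatever the file is named, and the single-byte change mentioned later in the post (to slip past a dupe checker) changes every digest while the size stays identical. The sample bytes are constructed; the only real value is the SHA-256 copied from the report above.

```python
import hashlib

# Content digests as VirusTotal lists them: the same bytes always give the
# same digests, regardless of the file name the scam page hands out.
def digests(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

# SHA-256 of vlcsetup.exe, copied from the VirusTotal report quoted in the post.
KNOWN_BAD_SHA256 = {
    "6e62e219e38c90562a59851b72f2929000b599a6ddd0f2482c7b1acda0a8ce9d",
}

def is_known_sample(data: bytes) -> bool:
    """True when the content hash matches a hash from the report, whatever the file is called."""
    return digests(data)["sha256"] in KNOWN_BAD_SHA256

def flip_one_byte(data: bytes, index: int = 0) -> bytes:
    """Return a copy with one bit of a single byte toggled; the length is unchanged."""
    out = bytearray(data)
    out[index] ^= 0x01
    return bytes(out)

def compare_with_variant(data: bytes) -> dict:
    """Show why a content hash cannot match a file that differs in one byte."""
    variant = flip_one_byte(data)
    before, after = digests(data), digests(variant)
    return {
        "same_size": len(data) == len(variant),
        "digests_changed": {name: before[name] != after[name] for name in before},
    }

if __name__ == "__main__":
    sample = b"MZ constructed sample bytes, not a real executable"
    print(digests(sample))
    print("known bad sample:", is_known_sample(sample))
    print(compare_with_variant(sample))
```

The same lookup works with any hash list you trust: a file renamed to look like a VideoLAN installer still hashes to whatever its real content is.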

More Hints and Scale of the Problem

[Screenshot: YouTubeScam04]

Here are more accounts on YouTube, just to name a few (each with hundreds of videos):

http://www.youtube.com/user/Moon230377Arletta
http://www.youtube.com/user/Dirk891479Pasty
http://www.youtube.com/user/Kathy664276Dominica

There are most certainly a lot more, but they should be easy to detect. Look for new users that have a hundred-plus videos of 9:58 minutes length and a TinyURL.com link in the video description.

All of those users always have the video listing disabled (nothing shows on the user's home page).
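As an added example (not part of the original post), here is the hunting heuristic from the two paragraphs above turned into a small scoring script: brand-new account, a hundred-plus uploads, every video 9:58 long, a TinyURL.com link in every description, and the listing disabled. The account records, field names and thresholds are constructed assumptions, not real YouTube data.

```python
import re
from dataclasses import dataclass, field
from datetime import date

# Assumed heuristics from the post; the thresholds are my own choices.
TINYURL_RE = re.compile(r"https?://(?:www\.)?tinyurl\.com/\S+", re.IGNORECASE)
SCAM_LENGTH_SECONDS = 9 * 60 + 58   # the 9:58 length every scam video shares

@dataclass
class Video:
    length_seconds: int
    description: str

@dataclass
class Account:
    name: str
    created: date
    listing_enabled: bool
    videos: list = field(default_factory=list)

def account_flags(acct: Account, today: date, max_age_days=7, min_videos=100) -> list:
    """Return the names of the heuristics that match this account."""
    flags = []
    if (today - acct.created).days <= max_age_days:
        flags.append("new_account")
    if len(acct.videos) >= min_videos:
        flags.append("mass_upload")
    if acct.videos and all(v.length_seconds == SCAM_LENGTH_SECONDS for v in acct.videos):
        flags.append("uniform_length")
    if acct.videos and all(TINYURL_RE.search(v.description) for v in acct.videos):
        flags.append("tinyurl_in_every_description")
    if not acct.listing_enabled:
        flags.append("listing_disabled")
    return flags

def is_suspicious(acct: Account, today: date, threshold=4) -> bool:
    return len(account_flags(acct, today)) >= threshold

def sample_report(today: date = date(2009, 12, 14)) -> dict:
    """Constructed sample accounts (not real users), scored with the heuristics."""
    scam = Account("Example_Scam_123456", date(2009, 12, 13), False,
                   [Video(SCAM_LENGTH_SECONDS, "Full movie: http://tinyurl.com/EXAMPLE&123")
                    for _ in range(190)])
    legit = Account("ExampleVlogger", date(2007, 3, 1), True,
                    [Video(n * 37 % 900 + 60, "My trip, part %d" % n) for n in range(25)])
    return {a.name: (account_flags(a, today), is_suspicious(a, today)) for a in (scam, legit)}
```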

The target website itself lists tons of copyrighted movies on its homepage.

Also suspicious: the detail page of every movie has the same comments, to give the impression that people watched the movie, etc.

Here are the fake comments:

Looploop
3rd link worked perfectly and fast mirror. I liked it. Thanks for the upload! 

Hotjamz
Yep that was a good one 5/5 

Monstersb
didn't think it was all that,but it was good.7/10.great qualit tho 

DazedNConfused
How do I watch this video? 

DazedNConfused
Never mind. I just downloaded the plugin and the video worked flawlessly! 

This Is Just The Beginning

The uploads are done on a large scale and with sophisticated scripts that dynamically create typical titles with matching descriptions on YouTube. YouTube also has a dupe checker so that identical videos cannot be uploaded by the same account (at least it used to be that way). But changing a single byte is already enough to get around it. That's probably all these guys did, because the videos appear identical to the human viewer. They also all show the same thumbnail, which should raise suspicion in any YouTube user with some working brain cells left (that is how I got suspicious). The hackers are obviously not sophisticated enough though, because they do not seem to have taken into account the problem that identical thumbnails will appear not only in the box with “more videos by …” but also in the “related videos” box, which is where I got the other user names from. Because the videos are similar in some fashion, YouTube thinks that they are related.

It is very, very hard to produce identical thumbnails for videos that are not identical. In the early days YouTube used frames that could be predicted in advance (and this was used for manipulation by users). This isn't possible anymore today.

I would not be surprised if similar scams pop up more and more in the future, also on other smaller social networks and video sharing sites. Those scams will also get more and more sophisticated, and users will be vulnerable until their antivirus/antispyware software is updated to detect those new threats, which will emerge and then disappear again quickly.

The only real protection is up to the user himself

NEVER download and install a plug-in where you don't know and trust the source. Installing a malicious plug-in is like unlocking the door, disabling the alarm and then opening it to invite the burglar in to have a look around and take whatever he likes. Almost all video sharing sites use Flash for video playback. The Flash plug-in should only be downloaded from the Adobe.com web site (and not from anywhere else).

http://www.adobe.com/go/getflashplayer

Some apps might use the Shockwave plug-in, also from Adobe, which can be downloaded and installed via:

http://www.adobe.com/go/getshockwave

Although I have not seen it used with online video yet, web applications might also use Java by Sun, which can also be downloaded absolutely free of charge (like the Flash and Shockwave plug-ins) from the web site that Sun created just for this. The URL is: http://www.java.com/download

Be careful, without getting paranoid. Use common sense and caution where appropriate. Unfortunately not everybody on the Internet has the safety and happiness of users in mind.

Be Safe!

Cheers!

Carsten aka Roy/SAC

1 comment:

jung said...

Randomly came across your site while I was Googling to confirm my suspicion about those links.

Besides the more obvious fraud parts of the video (the repeated comments, etc), a poke at the site code reveals that no video is even attempted to be loaded (the querystring is just a dummy) and the form to submit comments doesn't even go anywhere.
