Virus Bulletin reported that cyber criminals are now spreading CryptoLocker / CryptoWall via YouTube. The cyber criminals purchase advertising space and use exploit kits to infect workstations, malware researchers Vadim Kotov and Rahul Kashyap discovered.
They ran into this while checking YouTube and website banners for cases where malware writers had bought ad space to spread their malware to unpatched computers. The researchers wrote: "We conclude that ad networks could be leveraged to aid, or even be substituted for current exploit kits."
YouTube ad space turns out to be a cheap and efficient way to spread browser malware while using the powerful YouTube geo-targeting features. Unfortunately, this is a highly profitable criminal business model. The researchers stated there was very little advertising networks could do to prevent the attacks. Obviously YouTube (Google) is going to try hard, but preventing this is not easy.
Now, spreading malware via ad networks is in itself nothing new. We have seen this since 2010, when scareware was promoted as "Free Security Scans", remember? The free scan found a host of "problems" and sold you a rip-off bogus AV product.
What is new here is this: clicking on a thumbnail after the first video caused an exploit kit to kick in, which looked for a known unpatched vulnerability and, once it found one, executed ransomware code that locks all files and extorts $500. These exploit kits check for hundreds of known holes in no time, and this "ad-network" threat just escalated to a much higher level.
So, there are a few best-practice points to consider here. Patching end-user workstations as soon as possible becomes more important. I would look at blocking YouTube at the edge and/or deploying more generic browser ad-blocker plug-ins, consider an application whitelisting layer, and of course, you guessed it, educate your users!
It is necessary now more than ever to step your users through effective Kevin Mitnick Security Awareness Training.
(This story was updated 8/23/2014 related to earlier scareware.)