Malicious ads run next to popular YouTube videos, laced with the Sweet Orange exploit kit

Graham Cluley

If you want to watch a video, you go to YouTube. It’s as simple as that.

Although other sites exist which host videos, Google-owned YouTube is the goliath in the market – and gets the overwhelming bulk of the net’s video-watching traffic.

And, of course, that enormous success and high traffic brings with it unwanted attention – from online criminals who are trying to find effective ways of infecting the computers of internet users.

Researchers at Trend Micro have discovered a criminal campaign exploiting the YouTube platform, where some of the site’s most popular videos have had malicious adverts displayed alongside them.


“This was a worrying development: Not only were malicious ads showing up on YouTube, they were on videos with more than 11 million views—in particular, a music video uploaded by a high-profile record label.”

Trend Micro researcher Joseph Chen discovered that ads displayed on the site were directing users to malicious sites hosting the Sweet Orange exploit kit – which is known to test visiting computers to see if they are susceptible to four vulnerabilities affecting Adobe Flash, Internet Explorer or Java.

According to the researcher, if an attack is successful the Sweet Orange exploit kit serves up ransomware onto the victim’s computer, extorting money with menaces.

Now, if you take a closer look at the CVE numbers assigned to the vulnerabilities exploited by Sweet Orange, you can tell that some of these flaws date back some time – and this underlines the importance of keeping your computer systems updated with the latest patches.

But don’t be fooled that the age of some of the vulnerabilities prevents an attack like this from being successful.

According to the report, the worst-hit country in the YouTube ad attack was the United States, which had more than 113,000 victims in just 30 days.

Country pie chart

It’s obvious that many people continue to do a lax job when it comes to patching.

What is also clear is that although the major ad networks work hard to keep bad guys out, criminals continue to use them as an attack vector.

In January, Google described how it removed more than 350 million “bad ads” that “abuse online advertising tools for harmful or deceptive purpose” during 2013 – a rise from the approximately 220 million ads it had zapped the year before.

My advice would be that you shouldn’t trust the ad networks to do a good job when it comes to policing the content they are pushing out to your computer in the form of online ads. Make sure that you have effective patching systems in place, and that you are controlling what apps are running on your organisation’s desktops rather than letting users choose which browser they want, or whether they can have Java installed in their browser or not.

Furthermore, consider having tighter reins on the active content plugins running inside browsers, by enabling features like “Click to Play”.

This article originally appeared on the Optimal Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
