Wednesday, November 28, 2007 10:55 AM cmosby

Symantec Security Response Weblog: Fake YouTube URLs Downloading Suspicious Executable


Fake YouTube URLs Downloading Suspicious Executable

Malicious code writers have always used popular Web brand names to spread malicious code through spam, and these days the YouTube brand name is popping up more and more. In this latest scam, however, the spoofed URL redirects visitors to dynamic domain names under unusual top-level domains (TLDs) such as .li, .ch, and .es. Last month, spammers used the YouTube brand name in an attempt to spread spam about male enhancement pills and get-rich-quick schemes.

The email looks harmless enough, because the "From" header is spoofed to appear as if it is coming from "YouTube Service", which makes it look like a legitimate invitation. The video's description is enticing and seems innocuous, inviting potential victims to open a shared video file; the link is in fact a fake YouTube link. Here is a sample of one of these scam emails:

From: "YouTube Service" service@youtube.com
To: [REMOVED]
Bcc: [REMOVED]
Subject: Your friend sent you a video!
Date: Thu, 15 Nov 2007 08:58:31 +1000

[Image: JS_utubespam_lrg.jpeg (sample scam email)]

Note: The domains that are used to impersonate the YouTube Web site are giower.li, fineir.ch, and be4koy.com.es. These TLDs are not the usual .com or .net domains. The links will force the download of a malicious executable “install_flash_player.exe,” which in fact is a threat already detected by Symantec.
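As an added example (not code from the Symantec post), the following Python triage check flags the pattern described above: a message whose From header claims youtube.com but whose links leave that domain, or whose links hand out an .exe file. The sender header and the giower.li domain come from the post; the recipient address and body text are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages. The From header and the giower.li domain are the
# ones named in the post; the recipient, body text and path are assumptions.
LURE = """From: YouTube Service <service@youtube.com>
To: victim@example.invalid
Subject: Your friend sent you a video!
Content-Type: text/plain

Your friend has shared a video with you!
Watch it here: http://giower.li/watch/install_flash_player.exe
"""

BENIGN = """From: YouTube Service <service@youtube.com>
To: victim@example.invalid
Subject: Your friend sent you a video!
Content-Type: text/plain

Watch it here: http://www.youtube.com/watch?v=abc123
"""

# Brands whose sender domain we expect links to stay on.
BRAND_DOMAINS = {"youtube.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw_message):
    """Return the reasons a message looks like a brand-spoofing lure ([] if none)."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reasons = []
    for url in URL_RE.findall(msg.get_payload()):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # Sender claims a brand domain, but the link does not stay on it.
        on_brand = host == from_domain or host.endswith("." + from_domain)
        if from_domain in BRAND_DOMAINS and not on_brand:
            reasons.append(f"From claims {from_domain} but link goes to {host}")
        # A "shared video" invitation that serves a Windows executable.
        if parsed.path.lower().endswith(".exe"):
            reasons.append(f"link serves an executable: {url}")
    return reasons
```
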

There were a number of spoofed URLs included in the spam emails during the campaign. Fortunately the Web sites associated with the URLs have since been taken down. Below are a few examples of the spoofed URLs:


[Image: examples of the spoofed URLs]

Posted by Jitender Sarda on November 28, 2007 05:00 AM

Source: Symantec Security Response Weblog: Fake YouTube URLs Downloading Suspicious Executable
