Online video services have offered new ways for people to bring their content to a wider audience and make money from it. Many content creators have managed to make full time jobs out of releasing YouTube videos thanks to the YouTube Partner Program, which lets people monetize their uploaded videos through advertisements. Gaming channels have particularly experienced success on YouTube. For example, PewDiePie’s gaming channel is the most popular on YouTube, and his videos have been watched more than 4.1 billion times in 2014. The 25-year-old content creator is believed to make an estimated £10 million (US$15.13 million) each year through his gaming videos.
Cybercriminals appear to have taken notice of this emerging industry and have begun to exploit it for their own gain. A few weeks ago, we noticed a two-component click-fraud malware (detected as Trojan.Tubrosa) taking advantage of the YouTube Partner Program. The attackers compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views. This allows the scammers to take advantage of the YouTube Partner Program validation process and monetize their fraudulent activity.
How the scam works
Figure 1. A step-by-step guide of how the Tubrosa YouTube scam works
The scammers have been spreading the malware through spam emails. If the user opens the email’s attachment or clicks on the included link, then a malicious file will be downloaded to their computer. This file downloads the second stage of the threat, which drops a text file containing a list of almost a thousand YouTube links to the scammers’ gaming videos. We analyzed three of the YouTube channels included in this document and found that their content appeared to be copies of previously uploaded videos from other YouTube users.
The malware then opens these links in the background on the compromised computer without the user’s consent. In order to keep its malicious activities secret, the malware will lower the volume of the compromised computer’s speakers to zero. The malware will even update or install Flash on the user’s computer to allow it to view these videos. The user may not realize that anything is amiss until their computer’s resources are fully used up and they experience significant performance degradation.
The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google’s security checks, the malware dynamically changes the referrer (REFS.txt) and the user agent (UA.txt) using two PHP scripts. This allows the malware to trick Google’s servers into thinking that a new connection, or user, is viewing the videos each time.
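The behaviour described in the two paragraphs above (many video views opened in the background, with the referrer and user agent swapped on each request, after fetching REFS.txt and UA.txt) is visible from the network side. The following script is an added example, not code from Symantec or from the malware, that applies a simple sliding-window heuristic to web proxy logs: a single client that requests many YouTube watch URLs in a few minutes while presenting several different User-Agent strings is flagged, and clients that downloaded files named like the malware’s configuration files are listed separately. The log format, the host name config-host.invalid, the User-Agent strings and every log line are constructed for the example; the thresholds are assumptions to be tuned against real traffic.

```python
"""Heuristic detection of Tubrosa-style click fraud in web proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Field order of the constructed (hypothetical) proxy log, tab-separated.
FIELDS = ("ts", "client", "url", "referer", "user_agent")

# Configuration file names reported for this campaign (REFS.txt, UA.txt).
CONFIG_FILE_NAMES = {"REFS.txt", "UA.txt"}

# Made-up User-Agent strings the constructed sample rotates through.
ROTATED_AGENTS = [
    "Mozilla/5.0 (Windows NT 6.1) Chrome/39.0",
    "Mozilla/5.0 (Windows NT 6.3) Firefox/34.0",
    "Mozilla/5.0 (Macintosh) Safari/600.1",
    "Mozilla/5.0 (X11; Linux) Chrome/38.0",
]


def build_sample_log():
    """Constructed log: one benign host (10.0.0.9) and one behaving like Tubrosa (10.0.0.5)."""
    lines = [
        "2014-12-01T10:00:00\t10.0.0.9\thttps://www.youtube.com/watch?v=benign001\thttps://www.google.com/\t" + ROTATED_AGENTS[0],
        "2014-12-01T10:25:00\t10.0.0.9\thttps://www.youtube.com/watch?v=benign002\thttps://www.youtube.com/\t" + ROTATED_AGENTS[0],
        "2014-12-01T10:55:00\t10.0.0.9\thttps://www.youtube.com/watch?v=benign003\thttps://www.youtube.com/\t" + ROTATED_AGENTS[0],
        # The infected host first fetches its configuration files from a hypothetical server.
        "2014-12-01T11:00:00\t10.0.0.5\thttp://config-host.invalid/UA.txt\t-\t" + ROTATED_AGENTS[0],
        "2014-12-01T11:00:01\t10.0.0.5\thttp://config-host.invalid/REFS.txt\t-\t" + ROTATED_AGENTS[0],
    ]
    start = datetime(2014, 12, 1, 11, 0, 5)
    for i in range(25):  # 25 views in about four minutes, rotating referrer and user agent
        ts = (start + timedelta(seconds=10 * i)).isoformat()
        lines.append("\t".join([
            ts, "10.0.0.5",
            f"https://www.youtube.com/watch?v=vid{i:04d}",
            f"https://referrer{i % 5}.invalid/",
            ROTATED_AGENTS[i % len(ROTATED_AGENTS)],
        ]))
    return lines


def parse_log(lines):
    """Turn raw lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, parts))
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def is_youtube_watch(url):
    """True for a YouTube video page request (host youtube.com, path /watch, v parameter)."""
    p = urlparse(url)
    on_youtube = p.netloc == "youtube.com" or p.netloc.endswith(".youtube.com")
    return on_youtube and p.path == "/watch" and "v" in parse_qs(p.query)


def config_file_fetches(events):
    """Clients that downloaded a file named like the malware's configuration files."""
    hits = set()
    for ev in events:
        name = urlparse(ev["url"]).path.rsplit("/", 1)[-1]
        if name in CONFIG_FILE_NAMES:
            hits.add(ev["client"])
    return hits


def find_click_fraud_hosts(events, window=timedelta(minutes=10), min_views=20, min_agents=3):
    """Per client, slide a time window over its watch requests and flag windows holding
    at least min_views requests made with at least min_agents distinct User-Agents.
    The largest matching window per client is kept."""
    per_client = defaultdict(list)
    for ev in events:
        if is_youtube_watch(ev["url"]):
            per_client[ev["client"]].append(ev)
    findings = {}
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            agents = {e["user_agent"] for e in span}
            if len(span) >= min_views and len(agents) >= min_agents:
                if client not in findings or len(span) > findings[client]["views"]:
                    findings[client] = {
                        "views": len(span),
                        "distinct_user_agents": len(agents),
                        "distinct_referers": len({e["referer"] for e in span}),
                        "window_start": evs[start]["ts"],
                    }
    return findings


def analyse(lines=None):
    """Run both checks over the given lines (defaults to the constructed sample)."""
    events = parse_log(lines if lines is not None else build_sample_log())
    return {"click_fraud": find_click_fraud_hosts(events),
            "config_fetches": config_file_fetches(events)}


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result)
```

The user-agent rotation is the stronger signal of the two: a real browser on one host presents one User-Agent string for the life of a session, so several different ones from one client within minutes is hard to explain benignly. The configuration-file check is a weak indicator on its own (the file names are generic) and is best used to prioritise hosts the window heuristic has already flagged.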
Every YouTube video view increases the rank of the content. Google believes that advertisements embedded in popular videos will receive a larger audience and will be more lucrative. As a result, more views for a YouTube video mean more revenue for the video’s creator, potentially allowing the scammers to earn a lot of money by forcing compromised computers to view their content.
The YouTube videos listed in the scammers’ text file had reached more than two million views by the end of 2014. We cannot determine exactly how much money the scammers have earned from this campaign, as YouTube Partner Program revenue depends on many variables, such as the ads shown. However, we estimate that this activity alone generated several thousand dollars for the cybercriminals. We are also aware of similar operations that are no longer active, as their command-and-control servers are offline.
The malware was first distributed in August 2014, just after all of the scammers’ videos were uploaded at once. At the time of writing, we have observed a number of websites hosting the configuration files for this threat. However, many other YouTube click-fraud websites and malicious files could exist and could be used by the same criminals. There is no evidence to suggest that this malware is sold on underground cybercrime forums, so the threat may only be used by this particular group. According to our telemetry, more than half of the computers compromised with Trojan.Tubrosa are based in South Korea, India, and Mexico.
Figure 2. Tubrosa infections by region
Symantec and Norton products detect the malware distributed in this campaign as Trojan.Tubrosa.
The website sourcing the files used in this operation has been marked as malicious by Norton Safe Web.
When contacted, Google's Ads Quality team said that it is aware of this malware and that Google's quality systems are protecting advertisers against this spam.
If you want to prevent your computer from being compromised with click-fraud malware such as Trojan.Tubrosa, then you should adhere to the following best practices:
- Exercise caution when receiving unsolicited, unexpected, or suspicious emails
- Avoid clicking on links in unsolicited, unexpected, or suspicious emails
- Avoid opening attachments in unsolicited, unexpected, or suspicious emails
- Use comprehensive security software, such as Norton Security, to protect yourself from malware