Home / mailings WSLabs, Malicious Website / Malicious Code: Rock Phish Using YouTube
Posted on 14 November 2007
Websense Security LabWebsense Security Labs ThreatSeeker has received reports of new malicious code that utilizes the YouTube brand to lure users into running the code.
The attack begins with an email lure written in html that invites users to view a video from YouTube. Upon connecting to the site, users are directed to a page that resembles the real YouTube site. The page then reports that the video cannot load and attempts to dupe users into downloading and installing a flash player.
In what could be a disturbing sign of things to come, the site is hosted on a server that has hosted more than one hundred Phishing sites over the last 4 months. This server is managed by the infamous "Rock Phish" group, which is the largest phishing gang on the Internet and which is responsible for the majority of Phishing URL's.
Additionally concerning is the potential for Rock Phish to add malicious code to its attack arsenal in conjunction with standard Web forms on bogus sites.
The file is called "install_flash_player.exe," is 1.2 Mb in size, and has an MD5 of "fb38066c348aaf5bf0d6513a2e635490."
The Web site URL (with part of the address stripped out for protection) is: "www5.youtube.com.site670221.X.X/watch/v/install_flash_player.exe"
Screenshots in full alert.
For additional details and information on how to detect and prevent this type of attack:
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=818
