RealTime IT News

YouTube's Not-so-'Friendly' Spam

YouTube's viral nature is coming back to bite the company and Internet users, as spammers are using YouTube's "Invite Your Friends" option to blast out their junk e-mail.

The TRACE team of U.K. e-mail and Internet content security provider Marshal issued a warning last week that spammers were using the "Invite Your Friends" system to send out large quantities of spam. The messages came from service@youtube.com.

The messages look like a legitimate YouTube invite, except they include typical spam content like stock pump-and-dump promotions and links to spam Web sites. Many of them use Microsoft's recent Xbox 360 hit "Halo 3" as bait, telling the recipient they have won a free copy of the game and to go to a Web site. If they take the bait and click on "winhalo3.com," the Web site infects them with the Storm worm, which has been hanging around since August.

Security firm Sophos at the time reported cybercriminals were sending out junk mail that posed as links to a YouTube video but was really designed to infect the recipient's PC with a variant of the Storm worm if the recipient was gullible enough to click on the link.

"Spammers are doing this to defeat spam filters and to lower the recipients' guard by making it look as though the messages are coming from a perfectly innocuous e-mail address," said Bradley Anstis, director of product management for Marshal, in a warning from the company. "YouTube's own help center suggests that you exclude the service@youtube.com e-mail address from spam filtering. The spammers are keenly aware of this."

There have been warnings about these alerts since last year, although back then, the spam was only within the YouTube network. Other users were being hit with countless spam messages in their YouTube mailbox. Now the spam is escaping the site and heading to your mailbox.

"Security is a top concern at YouTube. If we find a party is using our brand or site for the purpose of spamming, we will take action to investigate and prevent this," YouTube said in an e-mail statement to InternetNews.com.

The researchers who follow malware aren't surprised by this technique. "They are using techniques such as social engineering to get their messages through," Natalie Lambert, senior analyst with Forrester Research, told InternetNews.com.

"This is nothing new, as social engineering attacks have been around for years. YouTube may be the latest target, but they are by no means the last. It is because of this that companies need to make sure that they have sufficient spam and e-mail security solutions in place."

Peter Firstbrook of Gartner added, "Spammers are focusing on all Web-connected servers, infecting them with bots and other malware, then they use spam to direct users to these servers. All organizations must do extensive vulnerability testing on Internet connected servers or attackers will do it for you."

Part of the problem, though, rests with Google/YouTube. Neither Google Video nor YouTube uses the captcha technology used by Craigslist, Digg and other user content-driven sites to defeat automated spammers and other bots. While captcha use has been popular at these other sites, Google has been slow to adopt it. As Firstbrook noted, spammers seem to have found this vulnerability in YouTube.