I made the URLs that are not hyperlinked this way on purpose, to prevent any accidental harm to the readers. You can copy and paste the URLs into your browsers address bar, if you know what you are doing at your own risk. Don’t say that I did not warn you!
The user account in question was just created on 12/13/2009
By now this user has already 190 virtually identical videos uploaded that don’t show much, except a message that the video cannot be watched on YouTube due to length limitation. See description for link to full video. etc. Here is a screen shot of it.
E.g. Circus Circus Part 1/13 Online*: http://www.youtube.com/watch?v=l5kYgqUX0rE
*This video was actually already taken down by YouTube, maybe because I flagged it as Spam from an established YouTube account with almost 2000 subscribers. But most of the other videos are still up as I am writing this. For example this one http://www.youtube.com/watch?v=hJj-PkdLqac (which I also reported so it is probably being removed shortly as well)
The videos that are still up all include a short description and a obscured link with tracking code embed via the redirection service TinyURL.com. In the example video that I mentioned before and reported to YouTube already the URL was: http://tinyurl.com/ycksuwy&499420166
Here Comes The Scammy Part
That URL redirects to: http://www.onlinemoviedb.info/watch.php?vid=Dreaming_in_Circus
The page states that a plug-in must be downloaded to watch the video. It includes multiple links where you are supposed to download the needed plug-in from, such as this one (Warning! Do not Download and Execute)!
The referred to EXE “vlcsetup.exe” is 328,984 bytes in size. The file name is implying that the plug-in is related to the freeware VideoLan Video Player, what it is not.
I downloaded the executable without starting it. I then scanned it with McAfee Viruscan, which did not detect anything yet. So I uploaded it to VirusTotal.com, an online on-demand virus and malware scanner, which scans files using over 50 different scanners such as McAfee, F-Secure, Bitdefender, Kaspersky, Panda, PC-Tools, Sophos, TrendMicro and others.
I wasn’t the first one who checked the file obviously, because a report was already available*, which gives it a 37% probability that it is infected. It is probably new and I bet the probability will increase as I write this (as do the uploads of virtually identical videos with the same purpose to YouTube).
Here is the link to the report from VirusTotal.com.
|* VirusTotal.com knows that it is the same file as somebody else already submit based on the file size and file name, because that could be faked easily. It uses so called checksums that are generated from the entire content of the file. The Checksums for this file are for example:
MD5 : bead2d46d08ff080ac4a6d0908922230
More Hints and Scale of the Problem
Here are more accounts on YouTube. Just to name a few (Each with hundreds of videos each):
There are most certainly a lot more, but they should be easily be detected. Look for new users that have hundred+ videos of 9:58 minutes length and a TinyURL.com link in the video description.
All of those Users always have video listing disabled (does not show anything on the user’s home page)
The target website itself lists tons of copyrighted movies on its homepage.
Also suspicious, the detail page of every movie has the same comments to give the impression that people watched the movie etc.
Here are the fake comments
3rd link worked perfectly and fast mirror. I liked it. Thanks for the upload!
Yep that was a good one 5/5
didn’t think it was all that,but it was good.7/10.great qualit tho
How do I watch this video?
Never mind. I just downloaded the plugin and the video worked flawlessly!
This Is Just The Beginning
The uploads are done on a large scale and with sophisticated scripts to dynamically create typical titles with matching descriptions in YouTube. YouTube also has a dupe checker that identical videos cannot be uploaded by the same account (at least used to be it that way). But changing a single byte is already enough to get around it. That’s probably all these guys did, because the videos appear to the human viewer identical. They also show all the same Thumbnail, which should raise suspicion by any user of YouTube with some working brain cells left (That is how I got suspicious). The hackers are obviously not sophisticated enough though, because they did not seem to have taken into account the problem with identical thumbnails that will appear in the box with “more videos by …” but also in the “related video box” where I got the other user names from. Because the videos are similar in some fashion, YouTube thinks that they are related.
It is very very hard to produce identical thumbnails for videos that are not identical. In the early days YouTube used frames that could be predicted in advance (and was used for manipulations by users). This isn’t possible today anymore.
I would not be surprised, if similar scams will pop-up in the future more and more, also on other smaller social networks and video sharing sites. Those scams will also get more and more sophisticated and users will be vulnerable until their Antivirus/Antispyware software will be updated to detect those new threats that will emerge and then disappear again quickly.
The only real protection is up to the user himself
NEVER download and install a plug-in where you don’t know and trust the source. Installing a malicious plug-in is like unlocking the door, disabling the alarm and then open it to invite the burglar in to have a look around and take whatever he likes. Almost all video sharing sites use FLASH for the video playback. The Flash plug-in should only be downloaded from the Adobe.com web site (and not from anywhere else).
Some apps might use the Shockwave plug-in, also from Adobe, which can be downloaded and installed via
Although I have not seen used with online video yet, web applications might also use JAVA by SUN, which can also be downloaded absolutely free of charge (like the FLASH and SHOCKWAVE plug-ins) from the web site that was created by SUN just for this. The URL is: http://www.java.com/download
Be Careful, without getting paranoid. Use common sense and caution where appropriate. Unfortunately not everybody on the Internet has the safety and happiness of the users in mind.
Carsten aka Roy/SAC