YouTube download plug-ins hijack browsers to deliver malware-laced adverts

Two video plug-ins for YouTube hijack users visits to the site and insert extra adverts – some of which are being hijacked by “malvertisers”, sending users to fake adverts which attempt to infect their PCs.

Spider.io, a London analytics company which works in advertising fraud, say that two plug-ins, Easy YouTube Video Downloader and Best Video Downloader, supplied as part of a bundle of browser tools, deliver unwanted adverts whenever users visits the YouTube homepage.

“When a user who has installed these plugins visits youtube.com multiple display ad slots are injected across the YouTube homepage, channel pages, video pages and search results pages,” Spider.io writes. Some of these advert slots are being bought by major advertisers including “Domino’s, Ford, Kellogg’s, Norton, Toyota, Sprint, Walgreens and Western Union.”

Others are being bought by less reputable companies, and deliver “malware-laden” advertisements to users, Spider.io warns.

“The display ad slots injected by Sambreel are also being bought today by malvertisers—advertisers who provide malicious or malware-laden advertisements with a view to spreading malware to new users,” the company writes. “The first screenshot shows a fake alert, which suggests to the user that a Java update is required. If the user clicks the OK button, then the user is taken to the disreputable site shown in the second screenshot.”

A Google spokesperson, speaking to London’s Financial Times, said that the plug-ins violated YouTube’s Terms of Service, ““Applications that change users’ experiences in unexpected ways and provide no value to publishers are bad for users and bad for the web. We’re continuing to look into these types of bad actors and have banned them from using Google’s monetisation and marketing tools.”
Spider.io and the FT point out that Sambreel, the company behind the plug-ins, has already been blocked by Facebook for injecting adverts via adware browser plug-ins. The new tools were marketed by two companies, Yontoo and Alactro, which Spider.io says are subsidiaries of Sambreel.

Yontoo’s web page now says, “This product has been discontinued.”

An earlier blog post by ESET Security Evangelist Stephen Cobb described the impact of Yontoo on Mac OS X machines, “If you fall for it, a wealth of unwanted ads and redirections will likely follow, injected into pages on otherwise innocent sites. There are also reports of infection via phoney media players. The point is, criminals are using this plug-in to cheat online advertisers out of money by redirecting victims to sites that pay for traffic or clicks.”
“On December 9, 2011, the Wall Street Journal called Sambreel out for illegitimately injecting ads into Facebook and Google webpages via adware browser plugins like PageRage and BuzzDock,” Spider.io writes. “Facebook subsequently blocked its users from using Sambreel’s adware browser plugins whilst accessing Facebook webpages. With Sambreel’s adware publicly exposed, major sell-side platforms and ad exchanges like PubMatic, Rubicon Project, and OpenX dropped Sambreel as a supplier of display ad inventory in 2012.”