Malicious code writers have always usedpopular Web brand names to spread malicious code through spam vectorsand these days the YouTube brand name is popping up more and more.However, the spoofed URL in this latest scam redirects visitors todynamic domain names with seemingly unusual top level domains (TLDs),such as .li, .ch, and .es. Last month, spammers used the YouTube brandname in an attempt to spread spam regarding male enhancement pills andget-rich-quick schemes.
The email looks harmless enough, because the “From” header is spoofed to appear as if it's coming from "YouTube Service" ,which helps it to look like a legitimate invitation. The video'sdescription is enticing and seems innocuous, inviting potential victimsto open a shared video file, which is a fake YouTube link. Here is asample of one of these scam emails:
From: "YouTube Service" firstname.lastname@example.org
Subject: Your friend sent you a video!
Date: Thu, 15 Nov 2007 08:58:31 +1000
Note: The domains that are used to impersonate theYouTube Web site are giower.li, fineir.ch, and be4koy.com.es. TheseTLDs are not the usual .com or .net domains. The links will force thedownload of a malicious executable “install_flash_player.exe,” which infact is a threat already detected by Symantec.
There were a number of spoofed URLs included in the spam emailsduring the campaign. Fortunately the Web sites associated with the URLshave since been taken down. Below are a few examples of the spoofedURLs: