Note: Google contacted me shortly after the blog was published, and claimed there were only 77 such links. But when I tried a query for the first domain in the list, naghoospress.ir, I got more than 600 Google results for just this domain: site:naghoospress.ir hot video. Attackers create fake YouTube pages for each of the 20 Google Hot Trends each day on each domain. I've seen pages for trends of the last 60 days at least, so that's about 1,000-1,200 pages per domain. There seemed to be at least 100 domains indexed by Google, so a very low estimate is 100,000 Hot Video pages in Google search results. But each Google query shows different domains, so there could be more fake pages. Google displays a maximum of 1,000 results for any search; only they know the real numbers. But it was clearly at least 100,000 when the post was published.
We've seen many fake YouTube pages redirecting to fake antivirus software downloads in the past. However, we're now seeing this same phenomenon with a new twist: Google has indexed nearly 3 million "Hot Video" pages - all pushing fake AV. Yandex, a Russian search engine, also returns numerous links to these pages for random searches. Try the following Google search: inurl:"page.php?page=" "hot video"
|Google search for Hot Video|
|Fake YouTube page|
The spam content, which is used to ensure that the page is indexed by search engines, includes an invisible DIV element pushed out of the screen. It contains links to other fake YouTube pages on the same site. To make the content look more legitimate, the page includes links to legitimate sites (e.g. flickr.com, nasa.gov, etc.) and images from external sites.
|HTML code of the spam|
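A detection sketch for the hidden link block described above, added here as an example and not code from the original post: it flags elements whose inline style moves them far off-screen and collects the same-site links inside them. The off-screen style patterns, the `min_links` threshold, and the sample page and host `spam-site.example` are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumed heuristic: the post only says the DIV is "pushed out of the screen",
# so treat a large negative offset in an inline style as off-screen.
OFFSCREEN = re.compile(r"\b(?:left|top|margin-left|margin-top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}

class HiddenLinkFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.host = page_url, urlparse(page_url).hostname
        self.stack = []   # (tag, styled_offscreen) for each open element
        self.blocks = []  # same-site links found in each off-screen block

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hidden = bool(OFFSCREEN.search(attrs.get("style") or ""))
        inside = any(h for _, h in self.stack)
        if hidden and not inside:
            self.blocks.append([])  # outermost off-screen element opens a block
        if tag == "a" and (hidden or inside) and attrs.get("href"):
            url = urljoin(self.page_url, attrs["href"])
            if urlparse(url).hostname == self.host:  # ignore legitimate external links
                self.blocks[-1].append(url)
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_hidden_link_farms(html, page_url, min_links=3):
    finder = HiddenLinkFinder(page_url)
    finder.feed(html)
    return [links for links in finder.blocks if len(links) >= min_links]

# Constructed sample page and host, not taken from the original post.
PAGE_URL = "http://spam-site.example/page.php?page=hot-video"
SAMPLE = """<html><body><h1>Hot Video</h1>
<div style="position:absolute; left:-9999px; top:-9999px">
  <a href="page.php?page=trend-one">one</a> <a href="page.php?page=trend-two">two</a>
  <a href="/page.php?page=trend-three">three</a> <a href="http://www.flickr.com/">flickr</a>
</div></body></html>"""
```

Off-screen positioning applied through a stylesheet class rather than an inline style is not covered by this check and would need the CSS resolved first.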
Redirection to Fake AV
The fake YouTube page redirects to a fake AV page. Several domains are used to host the fake AV software, including www2.soft-analysis79.co.cc, www1.selfprotection20.co.cc, etc. There are different variations of the Fake AV page, but they are all similar to pages previously seen elsewhere.
|Fake AV page|
Besides the huge numbers of such malicious pages indexed, and the fact that they show up in many search results, the main problem here is that the pages and their malicious payloads are virtually undetected by regular security tools:
- Google Safe Browsing does not block most of these pages (90% of those I've tried were not blocked in Firefox), and the fake AV domains were not detected either.
- The detection rate amongst antivirus vendors is only 11%!