"The vulnerability is not in YouTube as such, but the ad network seems to be the culprit in this case," Bromium's McEnroe Navaraj wrote in a blog post describing the threat.
The ad network in question, according to Navaraj, was found to be hosting the Styx exploit kit, which leveraged a Java exploit to deliver the Caphaw banking Trojan.
"The attack that we saw was overall a repackaged attack, nothing utterly complex and hence we’re baffled as to how it ended up into YouTube’s ads," Navaraj wrote. "Watering hole attacks are clearly getting popular by attackers. Recently, Yahoo mail users were attacked using similar vectors. Several high profile websites have become victims of such attacks recently. From the attacker's point of view, this is the easiest way to cause maximum damage -- max ROI."
What's more, this one presented an unusually potent threat to site visitors. "It is important to note that the user did not need to click on any ads on YouTube, the infection happens just by viewing the YouTube videos," Navaraj added.
In a followup post, Navaraj reported that Google said a rogue advertiser was behind the attack, and that Google is "beefing up internal procedures to prevent such events from occurring again."
"We don’t yet know the exact bypass which the attackers used to evade Google’s internal advertisement security checks," Navaraj added. "Google has informed us that they’re conducting a full investigation of this abuse and will take appropriate measures."
Photo courtesy of Shutterstock.