Free YouTube .mp3 converters – with a free malware bonus

Want to access the music tracks of YouTube.com videos on your iPod but don’t want to pay? You’re not alone. Recently, a crop of websites have popped up offering to convert the audio from videos to .mp3 files that you can then download at no charge. Sounds great, right? The catch: scammers are trying to capture the popular click traffic and redirect users to scam websites, where you might get more than you bargained for, in the form of free malware and other unpleasantness as a bonus.

Recently, we hosted a “cyber boot camp”, teaching high school students to attack and defend networks. One of our presenters, John Moffat, who often delivers security awareness seminars to teenagers and stresses the dangers of the “free” internet, referenced this scam in his presentation. While Mr. Moffat doesn’t claim to be a malware expert, he knows a scam when he sees one, and does his best to help others avoid falling prey.

So what happens if you fall for one of these types of scams? Below we follow the trail of one example, with screenshots of what you might see.

In this example, I clicked on a highly ranked Google search results link, which pointed to a YouTube video itself, purporting to give instructions on how to convert their videos to .mp3’s. When I did, it showed a non-video screenshot inside their video player, which directed me to visit a website directly. The video description came completely stuffed with keywords in the description to inflate rankings. Here’s a screenshot of what I was presented with:

When I typed the URL into a browser that the “video” recommended, I was taken to a site heavily laden with javascript (which my browser blocked with a plugin), third party content providers and Google Analytics, that said I had to complete a survey to get my “$500 Best Buy gift card”, which would also unlock the download of the free video-to-mp3 converter. Since I’d like a $500 gift card as much as the next guy, I clicked on that link.

and then a screen that showed the locked download file, which I would then have to unlock

I chose the Best Buy gift card offer. When I clicked on it, it took me to a page that shows that I could get a $1,000 gift card, even better!

I also noticed that the page wanted to use extensive javascript and third party content, triggering an ESET Smart Security warning that a website was blocked which was trying to send me tracking cookies. I also notice the site used significant bandwidth trying to load all its goodies, presumably to enable the successful completion of my 3 questions to get the $1,000 gift card right? But surprise, after I completed the last question, I then had to enter my email, presumably to get the gift card. When I entered a fake email, I was then taken to a screen where I had to enter much more personal information, including my physical address, age, sex, and phone number. I also had to consent to being called by third parties about magazine subscriptions, etc:

Once you click ‘continue’ you get the next screen:

At this point, I notice that the original password that was promised to unlock my video converter download never materialized. It seemed clear that this rabbit trail I was following would not likely end any time soon, so I exited the websites, and finished up this article, hoping this accounting of what happens if you take the bait would dissuade others from falling for similar scams.

What’s the payoff for scammers? For some time now they have continually adapted their scam platforms to match new potential streams of traffic, and this is no exception. By gaining high search rankings through BlackHat SEO (BHSEO), every time a user clicks, their search popularity rankings, and associated ad revenue, goes up. Even if the user doesn’t fall for installing a “free premium .mp3 player” (laden with malware) or some such because they’re the “lucky one thousandthviewer” of the website, the scam website still makes money by cashing in on the traffic.

And many users might be convinced to download a premium, java-based player, with free malware as a bonus.

But to recount, this scam (so far) has attempted to send things that were blocked by ESET Smart Security, wanted to silently run questionable javascript on multiple pages, harvest my email address, along with physical address, age, sex, phone number, and get me to signify that I was over 18 years of age, and consent to the whole process. That doesn’t sound very close to free, it sounds like the beginning of a long string of nastiness. At that point, I went to my favorite reputable .mp3 vendor and purchased a great blues track from yesteryear for 99 cents, and decided to forego the personal information harvest “for free.”

Cameron Camp
Security Researcher

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 65 other followers

%d bloggers like this: