A new hacking tool circulating on the Internet now allows malicious users to create fake YouTube pages designed to deliver malware.

The tool, detected by Trend Micro as HKTL_FAKEYOUT, features a user-friendly console in Spanish that a hacker may use to create a pair of Web pages that look eerily identical to legitimate YouTube pages.


Figure 1. The tool also allows hackers to fake video titles, descriptions, and comments.

With a little crafty social engineering, unsuspecting users may be led to the first of the fake pages, INDEX.HTML. Here, users may be disappointed to see that they cannot view their video because they supposedly need a new version of Adobe Flash Player or some plugin or codec. A link is handily provided, and clicking it leads users to the hacker’s file of choice, which could very possibly be something malicious.


Figure 2. The index page displays an error message and asks users to download a plugin.

A second fake page is then displayed, informing users that the video they were trying to view cannot be shown. This is to make users think that nothing has really happened, when in fact, by downloading the plugin, malware may already be running on their systems.

Fake codecs remain popular masks for malware. The popularity of YouTube also makes it a preferred target for malware users who want to infect more users.

HKTL_FAKEYOUT could be very dangerous because it is very accessible to script kiddies who could use it for their malware and hacking operations. Users are advised to always check the URLs of pages they are viewing. Also, product updates should be downloaded from the vendors themselves to ensure that these are legitimate and not malicious.
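
The two checks advised above (the URL of the page being viewed, and whether a "plugin" download really comes from the vendor) are sketched below as an added Python example; it is not code from Trend Micro or from the tool. The allow-lists, finding labels and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Assumed allow-lists for this example; extend them for your environment.
YOUTUBE_DOMAINS = ("youtube.com",)
VENDOR_DOMAINS = ("adobe.com",)
EXECUTABLE_EXTS = (".exe", ".scr", ".msi")
LURE_WORDS = ("flash player", "plugin", "codec")

def in_domains(host, domains):  # exact domain or a true subdomain, never a lookalike
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

class PageScan(HTMLParser):  # collects <title>, text and every <a href>
    def __init__(self):
        super().__init__()
        self.in_title, self.title, self.text, self.links = False, "", [], []
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self.in_title = True
        elif tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])
    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
    def handle_data(self, data):
        if self.in_title:
            self.title += data
        self.text.append(data)

def assess_page(page_url, html):
    """Return a list of findings for the HTML served at page_url."""
    scan = PageScan()
    scan.feed(html)
    scan.close()
    findings = []
    if "youtube" in scan.title.lower() and not in_domains(urlparse(page_url).hostname, YOUTUBE_DOMAINS):
        findings.append("youtube-branding-on-foreign-host")
    lure = any(w in " ".join(scan.text).lower() for w in LURE_WORDS)
    for href in scan.links:
        target = urlparse(urljoin(page_url, href))  # resolve relative links first
        if (lure and target.path.lower().endswith(EXECUTABLE_EXTS)
                and not in_domains(target.hostname, VENDOR_DOMAINS)):
            findings.append("update-lure-executable-off-vendor:" + target.geturl())
    return findings

# Constructed sample modelled on the index page described above.
SAMPLE_URL = "http://videos.example.test/index.html"
SAMPLE_HTML = ("<title>YouTube - Funny video</title><p>This video requires a new version of "
               "Adobe Flash Player.</p><a href='files/flash_update.exe'>Download the plugin</a>")
```

Calling `assess_page(SAMPLE_URL, SAMPLE_HTML)` returns both findings for the constructed page, while the same markup served from a `youtube.com` host with a download link on `adobe.com` returns none.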