SAN FRANCISCO – Savvy Internet users know that downloading unsolicited computer programs is one of the most dangerous things you can do online. It puts you at great risk for a virus or another time bomb from a hacker.
But even some sophisticated surfers could get taken in by a sneaky new attack in which criminals create fake YouTube pages — dead-on replicas of the real site — to push their malicious software and make it look like it's safe stuff coming from a trusted source.
A program circulating online helps hackers build those fake pages. Users who follow an e-mail pointing them to one of the pages would see an error message that claims the video they want won't play without installing new software first.
That error message includes a link the hacker has provided to a malicious program, which delivers a virus.
Even worse: once the computer is infected, it's simple for the hacker to silently redirect victims to a real YouTube page to watch the videos they were hoping to see — and hide the crime.
"It's spot-on accurate, and that is scary," said Jamz Yaneza, threat research manager for security software company Trend Micro Inc. "If I were watching YouTube videos all day I would probably click on this one."
The tactic itself isn't new: There's a constant push by criminals to build more convincing spoofs of legitimate sites to trick people into downloading harmful software. And the latest attacks don't target any vulnerability in the YouTube site.
But the attack highlights the fact that criminals are getting better at creating bogus sites and developing so-called "social engineering" methods to fool people.
Fortunately, truly alert Internet users can still spot the telltale warning signs on the fake YouTube pages.
For one, the Web browser won't show the real YouTube's Internet address. And to even see the malicious page, you have to first follow a link that's sent to you, which is often a tip-off that you should independently verify whether the site is legitimate.