Hackers Used Malware to Fake Views on Pro-Russia Videos

A group of cybercriminals has been infecting victims with malware, using them to inflate views on pro-Russian videos in an attempt to make them go viral, according to new research by security firm Trustwave. The videos identified by the researchers all appear to be pro-Russian, such as a one from the Iranian English-language broadcaster PressTV that quotes a Russian Parliament member justifying the annexation of Crimea. The goal of the operation, according to Trustwave researchers Rami Kogan and Arseny Levin, was to artificially increase the popularity of a video and make it more visible to users of the site Dailymotion. Victims got infected by visiting a compromised website that surreptitiously installed on their computers an exploit kit, which is an off-the-shelf software package containing easy-to-use attacks, along with a trojan virus, according to the researchers. The virus then forced the victim's computers to load some videos in a hidden desktop, so that victims weren't even aware they were viewing clips. Victims' computers were also forced to browse sites filled with ads, likely in an attempt to create revenue for the criminals behind this operation. "We have seen hacks that are motivated by money and other 'hacktivist' attacks that are motivated by politics," Karl Sigler, the threat intelligence manager at Trustwave, told Motherboard. "This current campaign shows that those two motivations are starting to evolve and blend together." It's unclear who's behind this particular operation, Sigler said, but it's possible that the criminals who spread the exploit kit and the malware only had the goal of making money, while someone else paid them to inflate views on the propaganda videos. Andrea Stroppa, an independent security researcher who has studied social media fraud, said that using malware this way is nothing new, but that he's never seen it in the context of promoting a political agenda—although it's not surprising, since it can be very effective.

"You only see the results of this invisible propaganda," he told Motherboard. "But until someone uncovers it, nobody knows anything."

Using malware to make videos go viral is easier and cheaper than buying fake views, he explained. It's also more likely that the video site will not flag the views as fake, since, effectively, they come from real people. Companies that sell views, on the other hand, do it using botnets, network of computers that can be controlled remotely by hackers. But the problem with botnets is that their IP addresses can get blacklisted if they view too many videos, Stroppa said.

"You use malware to have legitimate connections," Stroppa said. "Using the IP addresses of infected victims the connection is apparently legitimate." The researchers found out that these videos had fake views because they all had a very similar, high (more than 300,000 at the time they checked), number of views but zero social media shares. Furthermore, a large number of views seemed to all come at the same time, according to the video's statistics. UPDATE, 04/30/2015, 5:24 ET: DailyMotion's technical team is investigating this issue and "will take appropriate measures if needed," Amadea Choplina, a company spokesperson, told Motherboard.

"We take this kind of potential misuse seriously," she said.