Concerned about VPN vulnerabilities? Learn how you can benefit from our VPN migration offer including 60 days free service.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Fake Youtube Page Used To Infect Soccer Fans

July 09, 2010 - 2 min read

Attackers are using the excitement surrounding the World Cup to attack users. As we've shown earlier, they have posted links to fake live streams on social networks, or used BlackHat SEO spam to infect the top soccer-related searches.

Attackers are constantly changing the way the operate. Recently, I found a malicious page for the search term "world cup extra time rules", which does not have the common traits of a spam SEO attack for a fake AV page.

The Google result is actually a fake YouTube page (see screen shot below). The page is comprised of three parts:

  • HTML and images display a fake YouTube video page
  • Hidden HTML (a
    tag moved outside of the screen) stuffed with keywords for "world cup extra time rules" in order to rank well in searches
  • Obfuscated Javascript which redirects the user to a different domain





Fake Youtube page on

The obfuscated Javascript loads a Flash file which attempts to download files to the user's computer and then redirect them to, a hacked site hosted in France. This flash file is detected by 6 out of 41 antivirus vendors as malicious.

The hacked French site then redirects the browser to a fake AV page. I've seen redirections to four different fake AV domains, and only one of them was blocked by Google Safe Browsing - was blocked while, and were not. I also witnessed six different versions of the fake AV page. One seemed to be broken, it displayed the "loading..." animation, but did not ultimately deliver fake AV page. Instead, it directly attempted to download the malicious executable. Here is the screen shot of the five variations of the fake AV page:








-- Julien


form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.