“A few weeks ago, we noticed a two-component click-fraud malware (detected as Trojan.Tubrosa) taking advantage of the YouTube Partner Program. The attackers compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views. This allows the scammers to take advantage of the YouTube Partner Program validation process and monetize their fraudulent activity,” states a blog post published by Symantec.
Symantec experts estimated that the scammers have so far earned several thousand dollars via this particular campaign. It is impossible to know for certain, but it is likely that they are running other similar campaigns at the same time.
“The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google security checks, the malware dynamically changes the referrer (REFS.txt) and the useragent (UA.txt) using two PHP scripts. This allows the malware to pretend to be a new connection to Google servers, appearing like a different user is connecting to the same videos,” reports Symantec.
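The referrer and user-agent rotation described above leaves a recognizable pattern in egress proxy logs: one internal host requesting the same video repeatedly under many different User-Agent and Referer values. The following added example (not from Symantec or the original article) flags that pattern; the record layout, the sample records and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed proxy-log records: (internal client IP, URL, User-Agent, Referer).
YT = "https://www.youtube.com/watch?v="
SAMPLE_LOG = [
    ("10.0.0.5", YT + "VIDEO_A", "UA-one/1.0", "http://site1.example/"),
    ("10.0.0.5", YT + "VIDEO_A", "UA-two/2.0", "http://site2.example/"),
    ("10.0.0.5", YT + "VIDEO_A", "UA-three/3.0", "http://site3.example/"),
    ("10.0.0.5", YT + "VIDEO_A", "UA-four/4.0", "http://site4.example/"),
    ("10.0.0.5", YT + "VIDEO_A", "UA-five/5.0", "http://site5.example/"),
    ("10.0.0.9", YT + "VIDEO_A", "UA-one/1.0", "http://site1.example/"),
    ("10.0.0.9", YT + "VIDEO_A", "UA-one/1.0", "http://site1.example/"),
    ("10.0.0.9", YT + "VIDEO_A", "UA-one/1.0", "http://site2.example/"),
    ("10.0.0.9", YT + "VIDEO_A", "UA-one/1.0", "http://site2.example/"),
    ("10.0.0.9", "https://intranet.example/watch?v=VIDEO_A", "UA-two/2.0", "-"),
]

def video_id(url):
    """Return the YouTube video id for a watch URL, or None for any other URL."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.path != "/watch" or not (host == "youtube.com" or host.endswith(".youtube.com")):
        return None
    ids = parse_qs(parts.query).get("v")
    return ids[0] if ids else None

def find_header_rotation(records, min_views=4, min_user_agents=3, min_referrers=3):
    """Flag (client, video) pairs where one host replays a video under many identities."""
    views = defaultdict(list)
    for client, url, user_agent, referrer in records:
        vid = video_id(url)
        if vid is not None:
            views[(client, vid)].append((user_agent, referrer))
    findings = []
    for (client, vid), headers in sorted(views.items()):
        agents = {ua for ua, _ in headers}
        referrers = {ref for _, ref in headers}
        if (len(headers) >= min_views and len(agents) >= min_user_agents
                and len(referrers) >= min_referrers):
            findings.append((client, vid, len(headers), len(agents), len(referrers)))
    return findings

if __name__ == "__main__":
    for finding in find_header_rotation(SAMPLE_LOG):
        print("client=%s video=%s views=%d user_agents=%d referrers=%d" % finding)
```

A single workstation normally presents one or two User-Agent strings, so the thresholds can stay low; shared NAT or terminal-server addresses need higher values or per-user keys.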
To prevent computers from being compromised with click-fraud malware such as Trojan.Tubrosa, Symantec suggested following these best practices:
(Security Affairs – Click-fraud malware, YouTube)