A feature on YouTube that enables users to share videos with friends is being exploited by spammers to deliver junk mail, security experts have warned.

"YouTube users have a facility where they can invite their friends to view videos that they are looking at or have posted," said Bradley Anstis, director of product management of email security firm Marshal. "This effectively allows them to email to any address from their YouTube account. This is the functionality that the spammers are exploiting."
Anstis said the attack is largely US-based and is making up about one per cent of all spam collected by Marshal. The company studies roughly 15 million spam messages each day delivered to its 40 honeypot accounts across the world.
The fraudsters place their spam messages in the form field meant for the sender to include a personal note for their friend, Graham Cluley, senior technology consultant for Sophos, said.
The junk messages try to lure recipients to visit either a singles website or a site to retrieve a free copy of "Halo 3", an Xbox 360 video game, according to Marshal and Sophos.
Cluley said the campaign, which so far has been limited in scope, is unique.
"They're not using a zombie computer," he said. "They're not forging the entire email. In fact, they're not actually sending the email. YouTube is sending the email. [Spammers] are always looking for new ways to get their messages out."
The attack could be successful because the spam comes from a normally trusted source, experts said.
"The key purpose of attacking YouTube is to defeat spam filters and to lower the recipient's guard," according to Marshal. "The spam comes from a big-name company, from an email address which may already be excluded from spam filtering."
YouTube, in its help section, actually encourages users who are not receiving shared videos from friends to make sure the "firstname.lastname@example.org" address is removed from their spam filters. All shared videos originate from that address.
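The weakness the article describes is a filtering one: recipients are told to exempt the sharing address from their spam filter, so anything that arrives through the feature, including the attacker-written personal note, is trusted on the strength of the sender alone. The following is an added example, not code from the article, YouTube, Marshal or Sophos. It assumes a hypothetical sharing address (`share@video-site.example`) and a hypothetical notification template in which the text after a `Personal note:` marker is the only user-controlled part; both the template and the sample messages are constructed for the example. It contrasts a sender-only allowlist, which passes the spam, with a filter that keeps trusting the template but still scores the note for lures such as bare domains that the recipient is told to type in by hand.

```python
import re
from email import message_from_string

# Hypothetical: the address the share feature sends from. The real address
# is not reproduced here.
TRUSTED_SHARE_SENDER = "share@video-site.example"

# Hypothetical template marker: everything after it is the attacker-controlled
# personal note.
NOTE_MARKER = "Personal note:"

# Bare domains and URLs, with or without a scheme, so that a non-clickable
# "type it in manually" lure still counts.
URL_RE = re.compile(r"(?i)\b(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?")

# Words typical of the lures the article mentions (free game, singles site).
LURE_WORDS = ("free", "singles", "win", "download", "click")


def build_notification(sender: str, note: str) -> str:
    """Constructed sample notification in the template this example assumes."""
    return (
        f"From: {sender}\n"
        "To: alice@example.net\n"
        "Subject: Bob has shared a video with you\n"
        "\n"
        "Bob thought you might like this video.\n"
        f"{NOTE_MARKER}\n"
        f"{note}\n"
    )


def extract_note(body: str) -> str:
    """Return only the user-controlled part of the notification body."""
    if NOTE_MARKER not in body:
        return ""
    return body.split(NOTE_MARKER, 1)[1].strip()


def score_note(note: str) -> int:
    """Two points per URL-like token, one per lure word (case-insensitive)."""
    score = 2 * len(URL_RE.findall(note))
    lowered = note.lower()
    score += sum(1 for word in LURE_WORDS if word in lowered)
    return score


def allowlist_only(raw: str) -> bool:
    """The behaviour the article warns about: trust the sender, accept the mail."""
    msg = message_from_string(raw)
    return (msg.get("From") or "").strip().lower() == TRUSTED_SHARE_SENDER


def classify(raw: str) -> dict:
    """Trust the template from the known sender, but still scan the note."""
    msg = message_from_string(raw)
    sender = (msg.get("From") or "").strip().lower()
    trusted = sender == TRUSTED_SHARE_SENDER
    note = extract_note(msg.get_payload())
    score = score_note(note)
    if not trusted:
        verdict = "untrusted-sender"
    elif score >= 2:
        verdict = "spam-via-trusted-sender"
    else:
        verdict = "ok"
    return {"trusted_sender": trusted, "note": note, "score": score, "verdict": verdict}


# Constructed samples: a genuine share, a lure sent through the feature, and a
# message that merely forges the look of a share from an unrelated address.
LEGIT = build_notification(
    TRUSTED_SHARE_SENDER,
    "check out this talk from the conference, it is the one I mentioned",
)
SPAM = build_notification(
    TRUSTED_SHARE_SENDER,
    "Get your FREE copy of Halo 3 at halo3-giveaway.example/claim - type it in your browser",
)
FORGED = build_notification("notify@totally-legit.example", "You have a new video")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spam", SPAM), ("forged", FORGED)):
        print(name, "allowlist_only:", allowlist_only(raw), classify(raw)["verdict"])
```

The scoring is deliberately crude; the point is structural. Exempting the sharing address from filtering is only safe if the filter can still see the part of each message that an arbitrary account holder writes, and the same applies on the sending side, where stripping or rate-limiting URLs in the note field would remove most of the value of the feature to a spammer.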
Still, Cluley said he doubts the assault will result in a cash cow for spammers.
"It's not a convincing way to sell someone something," he said. "If you look at the screenshot [of the attack], it's not a clickable link. You have to type it in manually. I can't believe that many people who receive it will act on it. Of course, there are always people who will respond to spam campaigns."