YouTube dislikes for sale, DDoS-style
Fri 4 Sep 2015
Apparently it’s a thing now – YouTube dislikes as a purchasable commodity in the same manner that hackers buy and sell Dedicated Denial of Service attacks.
Dell’s Joe Stewart posted today regarding the undermining in this way of certain videos relating to the ‘Batteriser’ product, a sheath which claims to extend battery life, over at a popular YouTube channel by tech reviewer and pundit Dave Jones. The objective behind firing an avalanche of downvotes at a YouTube channel is, presumably, to undermine whatever cachet it retains with its viewership, and to hobble any commercial advantage or market share it may be striving to achieve through it.
Jones himself has detailed the onslaught in the Eev Blog, and provided an accompanying video journal of the anomalous statistics:
‘Dislike’ statistics for videos that Jones posted soared out of all relation to the general number of recorded video views for anything he posted about the Batteriser product – or even for any posts which touched on the subject of extending battery life without directly mentioning Batteriser.
Stewart notes the Vietnamese provenance of the ‘dislike attacks’, and concedes that the original actors involved could simply be proxying their requests through Vietnam. So one can’t blame Vietnam, for sure. Neither can one blame Batteriser, whatever one thinks of the circumstantial evidence, due to the anonymising nature of internet-based attacks of this nature, and the fact that causing damage to a company’s reputation is potentially valuable to its competitors. Jones believes that exchange-rate disparities make viable and profitable a country-wide ‘cottage industry’ of ‘YouTube dislikers’, presumably working in concert or with ‘appropriated’ YouTube accounts.
But in terms of a practical approach to an attack of this nature, Stewart prefers an infrastructural explanation, and notes that the unusually consolidated nature of the Vietnamese network is ripe for the mass-replication of router exploits. He explains:
‘In Vietnam, the Internet is provided by only five ISPs, even though it ranks 16th in the world in the number of Internet users, with tens of millions of subscribers. This means there are potentially millions of users all with the same broadband router model. If a vulnerability in the broadband router is found, it can be widely exploited, as happened last year with the Vietnamese ISP FPT. They provide a fiber-optic broadband router (model number EP9108W-4PE) to their subscribers in certain provinces. This model was reportedly hacked en masse and customers of the ISP had their routers hijacked/credentials changed, locking them out.’
Stewart notes that using Shodan’s device-based search engine it is possible to discover a million web-facing modem interfaces in Vietnam that are likely to be operating with factory-set default user/pass combos, and that even where default access is not possible, a minimum of device analysis or brute force scanning would be needed to open up the devices for recruitment into a YouTube-facing horde-net.
Though this configuration does not follow the conventional pattern of a proxy-based attack, it can function to similarly devastating effect when aimed at a single target such as a YouTube channel, and where the ‘damage’ to be inflicted is of a ‘social’ rather than a more easily detectable network nature.