Spammed YouTube Comments Promote Adware – Successfully

(Update, July 11, 2011:  On May 25, 2011, we were contacted by representatives of Future Ads, LLC, the parent company of both Playsushi and Gamevance.  Future Ads informed us that they, too, had been victims of a scam perpetrated by rogue affiliates who seemed to be involved with the malicious campaigns we described in this post.  Future Ads claims that it has taken action to prevent this type of abuse from happening in the future.)

By Curtis Fechner and Andrew Brandt


I was poking around at the end of the work day last week, checking out the newly-released trailer for X-Men: First Class. But something in the comments caught my eye: The two highest-rated commenters don’t appear to be human. Their messages invite readers (using some goofily accented characters) to visit a profile and see the whole movie.

I’m sure the film’s director, Matthew Vaughn, would also love to see that, especially because he may not have finished shooting the movie yet. And, of course, I wanted to see just how they’d manage to get “this entîre leekêd-movìe” or “the complête leekêd-film” in their user channel, given the absence of a completed film, let alone YouTube’s limits on video length.
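The accented characters in those comments are a keyword-filter dodge, and a moderation filter can undo them by folding accents before matching. The sketch below is an added example, not code from the original post; the lure word list, the threshold and the function names are assumptions chosen from the two comments quoted above.

```python
import re
import unicodedata

# Assumed lure vocabulary, taken from the two spam comments quoted in the post.
LURE_WORDS = {"entire", "complete", "full", "movie", "film", "leaked", "leeked"}

WORD_RE = re.compile(r"[^\W\d_]+")  # runs of Unicode letters


def fold(word):
    """Lower-case a word and strip combining marks (ê -> e, ì -> i)."""
    decomposed = unicodedata.normalize("NFKD", word.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def obfuscated_lures(comment):
    """Return lure words that only match once their accents are stripped."""
    # Compose first so "e" + combining accent stays inside one token.
    comment = unicodedata.normalize("NFC", comment)
    hits = []
    for word in WORD_RE.findall(comment):
        folded = fold(word)
        # A plainly spelled "film" is not suspicious; a disguised one is.
        if folded != word.lower() and folded in LURE_WORDS:
            hits.append(folded)
    return hits


def looks_like_spam(comment, threshold=2):
    """Flag a comment that carries several accent-disguised lure words."""
    return len(obfuscated_lures(comment)) >= threshold


if __name__ == "__main__":
    samples = [
        "this entîre leekêd-movìe",                 # quoted in the post
        "the complête leekêd-film",                 # quoted in the post
        "Très bien, the entire film looks great",   # constructed benign comment
    ]
    for text in samples:
        print(looks_like_spam(text), obfuscated_lures(text), text)
```

Requiring the folded form to differ from the original keeps ordinary comments that mention "film" or "movie", and legitimately accented words in other languages, from being flagged.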

When I click through to the profile, it suddenly makes sense. The profile links to an outside site where (the profile’s owner claims) you can watch the full movie. It only took 13 thumbs-up clicks on those comments to make those comments the most popular, but a real user isn’t going to ‘like’ glaringly obvious comment spam. The comments are probably being boosted by the spammers themselves. With just under 7 million page views, this is apparently an effective scam. Not good!

So I decide to follow the link in the movie description, a custom shortlink. is awesome for researching this kind of stuff because all you need to do is put a + sign at the end of the shortlink to get to its “info page” with click-through traffic reports. As of today, more than 343,000 people clicked the link, which has been floating around since last summer.

So where does that link lead? To a junky Web site called LeechTV that claims to let you watch new release movies for nothing. If you follow the link, you end up on a nicely formatted page.

If you bypass, however, and go directly to the link that points to, it starts to become painfully obvious that LeechTV is some sort of scam, because the page that appears looks almost identical to fake streaming video pages that have been in use by malware distributors for more than 18 months.

I clicked the link to check out the movie No Strings Attached. The page turns into a fake YouTube embedded video (fake because, even though it has the YouTube watermark and video duration consistent with a feature film, the “video” isn’t actually coming from YouTube – it’s a Flash SWF hosted on the same Web server).
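The tell described above, a "YouTube" player whose SWF is served by the page's own host, can be checked mechanically. The following is an added example, not code from the original post; the class and function names, the `.example` hostnames and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

YOUTUBE_HOSTS = ("youtube.com", "youtube-nocookie.com")


def is_youtube_host(host):
    """True for a YouTube domain or any subdomain of one."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in YOUTUBE_HOSTS)


class EmbedCollector(HTMLParser):
    """Collect player URLs from <embed>, <iframe>, <object> and <param name=movie>."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ("embed", "iframe"):
            url = a.get("src")
        elif tag == "object":
            url = a.get("data")
        elif tag == "param" and (a.get("name") or "").lower() == "movie":
            url = a.get("value")
        if url and url not in self.urls:
            self.urls.append(url)


def non_youtube_players(page_url, html):
    """Return (absolute_url, origin) for each embedded player not served by YouTube."""
    collector = EmbedCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    findings = []
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)  # resolves relative paths like /player/x.swf
        host = urlparse(absolute).hostname
        if not is_youtube_host(host):
            origin = "same-host" if host == page_host else "third-party"
            findings.append((absolute, origin))
    return findings


# Constructed sample markup: a look-alike player next to a genuine embed.
SAMPLE_PAGE = "http://streaming-site.example/watch/123"
SAMPLE_HTML = """
<object width="640" height="385">
  <param name="movie" value="/player/movie.swf">
  <embed src="/player/movie.swf" type="application/x-shockwave-flash">
</object>
<iframe src="http://www.youtube.com/embed/XXXXXXXXXXX"></iframe>
"""
```

Running `non_youtube_players(SAMPLE_PAGE, SAMPLE_HTML)` reports the locally hosted SWF as `same-host` and ignores the genuine embed.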

When you click the “video” it starts “playing.” You get a little ways into the studio intro…

…and then the fun begins.

Oh no! I have to play Frogger to verify that I’m human? Well, that explains why there was a screen capture of Frogger on the YouTube spammer’s profile. So, let’s play Frogger.

But oh, what’s that in the tooltip for that Frogger link? Gamevance? What?

And sure enough!

Meanwhile, back on the LeechTV “movie player” page, it’s still waiting:

Survey, what? Well, whatever. I installed Gamevance on my testbed and then went back to the page, and lo and behold:

Oh look, it decided to give me a download link to get the whole movie.

But that doesn’t look right. Oh, look. CPAlead. Now I know where I’ve seen this before. Welcome to the world of CPA fraud, where you can deceptively advertise a clearly illegal service, just to convince people to install adware on their computers, and there are almost no repercussions.

Oh, brilliant. A link to download a Bittorrent .torrent file, that doesn’t even exist…

…for a completely different movie. Way to go, scam artists, leading unsuspecting people into the world of illegal file sharing.

Whoever is behind LeechTV — their domain registration information is hidden behind’s private registration service — may simply be a money-grubbing rogue affiliate of Gamevance.

The other domains hosted on the same IP address indicate that someone is using this particular IP address to host Web sites involved in some sub-optimal search engine optimization. They appear to be trying just to get people to install Gamevance. Perhaps they get paid per installation. In any case, this distribution method falls in the “not remotely ethical” camp, and under the circumstances, it’s probably best that you not install software from a company which uses a mail box drop address as their official business address and hides its domain’s registration information behind yet another private registration service.

9 thoughts on “Spammed YouTube Comments Promote Adware – Successfully”

  1. Pingback: Facebook-Spamming Worm Wants Your Eyeballs « Webroot Threat Blog

  2. Hey awesome article. i just spent 15 mins trying to do surveys for leech tv to watch Resident evil Retribution. i thought it was a scam. so i looked up leechtv. finally found your article thank you soo much. can quit wasting time there now. wish i could forward your site easier to people.

  3. wow i have absolutely no idea leechtv was a scam until i read this

    there seems to be a bunch of stuff saying you can bypass the survey but i never could get any of them to work

    thanks for the article

  4. Pingback: All Things of World
