Security researchers have discovered that hackers are using bots to spam YouTube channels with a significant number of dislikes, in order to deliberately demote videos ranked by YouTube's view recommendation system.
YouTube is increasingly becoming a great source of uncensored, agenda-less citizen journalism, but there will always be people who dislike your opinion. Politically-motivated hackers, like Anonymous, often take websites offline to make a point, but unfortunately, it would take a gigantic amount of bandwidth to bring YouTube down.
So what do hackers, extremist supporters and other unscrupulous types do instead? They try to discredit YouTube videos by pressing the thumbs-down "dislike" button on YouTube pages, which makes the videos less likely to be recommended to users.
YouTuber Dave Jones, who runs the EEVBlog channel for engineers and techies that reviews electronics, noticed on 2 September that he had received hundreds of dislikes on his 30 August video debunking a product called Batteriser, which claims to greatly extend the life of alkaline batteries.
Jones said in another video highlighting the issue that he does not usually get so many dislikes on the other topics he blogs about, and other bloggers soon posted on the EEVBlog website forum complaining of similar numbers of dislikes linked to Batteriser-related videos.
YouTube dislikes for sale
Together, the bloggers soon realised that all the dislikes were originating from the same location – Vietnam – and Jones suggested that his videos were being deliberately targeted, possibly by a pay-per-click firm in Vietnam paying people to repeatedly click on his videos and spam them with dislikes.
While this could indeed be the case, researchers from Dell SecureWorks believe that the service being offered goes even further than that. They submit that the dislikes spam could in fact be coming from one single computer containing thousands of fake or hijacked YouTube accounts programmed to repeatedly click on the dislike button of a specific video.
Rather than using a botnet of many hijacked computers or a network of open proxy servers across the globe, the researchers believe that the hackers could be using Vietnamese IP addresses to hide the activity coming from just one machine, because millions of users in Vietnam use the same broadband router model.
FPT Telecom is one of Vietnam's five major internet service providers. In November 2014, FPT Telecom fibre-optic broadband routers were hacked en masse using a router vulnerability that enabled hackers to hijack routers and lock FPT's customers out.
Vulnerable routers are a hacker's dream
"All it takes to bounce traffic through a vulnerable broadband modem is to know the standard administrative username/password pair used by the ISP, something trivially obtained by analysis of the device's firmware image or even by brute force scanners," wrote Dell SecureWorks researcher Joe Stewart in a blog post.
"Once you can configure the modem, you can set up port forwarding and relay traffic inbound to a specific TCP port to an outside site (i.e. YouTube). This isn't a proxy in the conventional sense, where one can arbitrarily tunnel all HTTP traffic through another IP, but it can work in essentially the same way for a single destination site."
Since computer operating systems are becoming more resistant to being hijacked to join botnets, cybercriminals are starting to look to vulnerable routers with open interfaces as their new meal ticket, so ISPs and router vendors need to step up security measures and educate the public, warns Stewart.
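The relay Stewart describes shows up in the modem's own configuration as a port-forwarding rule whose destination is not a host on the home network. As an added example (not from the article or from Dell SecureWorks), this Python check audits a forwarding table for such rules; the rule format, field names and sample entries are constructed for illustration.

```python
import ipaddress

# Constructed sample of a router's port-forwarding table (hypothetical export format).
SAMPLE_RULES = [
    {"name": "camera", "wan_port": 8080, "target": "192.168.1.20", "target_port": 80},
    {"name": "console", "wan_port": 3074, "target": "192.168.1.35", "target_port": 3074},
    # Destination is a public address: inbound traffic is relayed back out to the internet.
    {"name": "", "wan_port": 8443, "target": "203.0.113.10", "target_port": 443},
    # Destination is a hostname, which a normal LAN forward never needs.
    {"name": "x", "wan_port": 9000, "target": "relay.example.net", "target_port": 443},
    # Private address, but not in this router's subnet: still not a local device.
    {"name": "nas", "wan_port": 2222, "target": "10.0.0.5", "target_port": 22},
]


def is_lan_target(target, lan_cidr):
    """Return True only if target is a literal IP inside the router's LAN subnet."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        return False  # hostnames are never treated as LAN hosts
    return addr in ipaddress.ip_network(lan_cidr)


def audit_forwards(rules, lan_cidr="192.168.1.0/24"):
    """List (wan_port, target, target_port) for rules that forward off the LAN."""
    findings = []
    for rule in rules:
        if not is_lan_target(rule["target"], lan_cidr):
            findings.append((rule["wan_port"], rule["target"], rule["target_port"]))
    return findings


if __name__ == "__main__":
    for wan_port, target, target_port in audit_forwards(SAMPLE_RULES):
        print(f"WAN port {wan_port} forwards to non-LAN host {target}:{target_port}")
```

Comparing against the router's actual LAN subnet, rather than testing for any private address, also catches rules that point at private ranges the device does not serve.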
"It wouldn't surprise me if this were true. There's been a long history of services offering to 'game' your social media presence, either adding fake followers or bogus video views, so why shouldn't they also offer to increase dislikes for rivals too?" security expert Graham Cluley told IBTimes UK.
"One challenge for these dodgy services is that they need to avoid detection – and one way they can attempt to do that is by compromising innocent users' computers or broadband routers. We know that many people have poorly defended routers, perhaps with no password, a default password, or that have failed to apply security patches, so it's unsurprising that they would be a target."
IBTimes UK has contacted YouTube for comment and is waiting for a response.