Just because a site is reputable doesn't mean you're completely safe on it – and YouTube is no exception. 300 hours of video are uploaded to YouTube every minute, a staggering statistic. Combine this with the over one million advertisers who use the platform, and you get an idea of how much information YouTube needs to filter in order to keep malicious links off the site.

And stuff does fall through the cracks. There are links below articles that redirect users to malicious sites, and a few malicious ads have also worked their way through. This isn't to say that YouTube is inherently unsafe, or worse than similar sites: it's just to say that there's always a potential for malware infections.

We've shown you common sense tips to avoid catching malware, and the same basic ideas apply to YouTube.

  • Don't click links that promise you free movies.
  • Don't download anything from a site you're not sure you can trust.
  • Understand how phishing works.
  • Make sure you have up-to-date malware protection.

With this in mind, let's look at a few ways you might end up with malware on YouTube.

You're browsing YouTube when you remember there's a movie you want to see. Wondering if the movie is on the site (you never know), you run a YouTube search and wow: there's a video, with an appropriate title, length and thumbnail!

Did you actually find the movie? No. You found this:

So you guess the movie isn't here – just a movie-length static image pointing out a link in the description. So you check the description, and there's a link alongside some SEO-inspired repetition:

Yeah, don't click that. You'll almost certainly be redirected to another fake site, with a fake video player that looks like it will give you the movie. You'll be told to sign up for something, or download something, and will probably end up with some malware on your system.

YouTube does offer full-length movies – some are free, others you have to pay for. But such films will never, ever require you to click a link in the description in order to watch. If such a link does work, it will almost certainly be a pirated copy of the movie. Piracy is often funded by deceptive ads and malware, so don't be surprised if you end up infected either way.

Sweet Orange: Malicious Ads Snuck Through

But it's not just people who want a free movie who can get malware from YouTube – everyday use could be dangerous too, apparently. Back in October, Trend Micro reported that YouTube ads were infecting viewers, mostly in the US.

The ads in question – since taken down – were shown alongside a variety of popular videos, and redirected users to malicious sites where they became infected. This particular attack targeted Internet Explorer users, but only infected people using an out-of-date version of Microsoft's browser. Consider this a reminder that you always need to install that security patch as soon as possible.

But this isn't entirely the user's fault: YouTube has policies that are supposed to prevent ads from pointing to malicious sites. How did these ads get around that restriction? Apparently they didn't point to malicious sites – they pointed to sites that redirected users to another site, which in turn redirected users to malicious sites. This workaround stopped YouTube from noticing the malicious links.
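To see why checking only the link in the ad misses this, here is an added example (not from Trend Micro or YouTube) that follows a redirect chain hop by hop and screens every hop against a blocklist. The URLs, the blocklist, and the simulated responses are all constructed for illustration, so it runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: a simulated web where each URL maps to
# (HTTP status, Location header). All hosts are made-up .example names.
SIMULATED_WEB = {
    "http://ads.example/click?id=1": (302, "http://hop1.example/r"),
    "http://hop1.example/r": (302, "//hop2.example/go"),
    "http://hop2.example/go": (301, "http://exploit-landing.example/"),
    "http://exploit-landing.example/": (200, None),
    "http://shop.example/": (200, None),
    "http://loop.example/a": (302, "/b"),
    "http://loop.example/b": (302, "/a"),
}
BLOCKLIST = {"exploit-landing.example"}  # constructed blocklist


def fetch_simulated(url):
    """Stand-in for an HTTP HEAD request that does not follow redirects."""
    return SIMULATED_WEB.get(url, (404, None))


def resolve_chain(url, fetch=fetch_simulated, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, "resolved"
        nxt = urljoin(chain[-1], location)  # handles relative Location values
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too_many_hops"


def screen_ad_url(url, blocklist=BLOCKLIST):
    """Compare a first-hop-only check with a check of the whole chain."""
    chain, state = resolve_chain(url)
    hosts = [urlsplit(u).hostname for u in chain]
    first_hop_flagged = hosts[0] in blocklist
    bad_hops = [h for h in hosts if h in blocklist]
    # Treat unresolved chains (loops, too many hops) as suspicious too.
    chain_flagged = bool(bad_hops) or state != "resolved"
    return {"first_hop_flagged": first_hop_flagged,
            "chain_flagged": chain_flagged, "hops": hosts, "state": state}
```

For the constructed ad link, the first-hop check passes while the full-chain check flags the third redirect's destination.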

It goes to show you that you never know where malicious links show up, and that you should always be careful about what you click.

Tubrosa: Creating Fake Views For Profit

Strictly speaking, Tubrosa isn't a piece of malware you can get from YouTube, but it's interesting nonetheless.

YouTube creators can make a decent living creating videos, if they get enough views – but building a loyal audience is a lot of work. Looking for a shortcut, some intrepid malware creators designed Tubrosa, which can infect your computer if you open a spam email message. Should you do this, your computer will start "watching" YouTube videos without you realizing it. Your PC will become a zombie that watches YouTube videos all day – you won't notice this is happening, because Tubrosa mutes the videos' volume.

(I'm not saying that this is how Gangnam Style got all those views, but seriously – who's still watching this video? How does this number keep going up?)

Why do the malware makers bother? For the views. If enough infected computers "watch" the videos in question, YouTube will pay the "content creators" a cut of the revenue they generated. YouTube tries to detect such fake views, but the malware creators are betting they'll be able to cash in before that happens.

Stay Safe Out There!

Remember: if something seems too good to be true, it probably is. Avoid clicking links and ads that promise to give you anything for free, or otherwise seem disingenuous.

And protect your kids! Schools should look into YouTube for Schools, which blocks everything on the site that's not educational – it's a safer, less distracting version of the site. Parents should check out YouTube Kids, which removes everything that's not kid-friendly.

But I want to know what you think: how can you stay safe on YouTube? Leave your tips in the comments below.