Vodlocker.to offers a handy video embed tool which several smaller pirate streaming sites have grown to rely on. Starting recently, however, the site also appears to have become the source of a rather nasty JavaScript-based DDoS campaign, which uses the unwitting viewers of these embedded videos to take out several pirate streaming sites.

Last year we highlighted a rather interesting service which makes it easy for anyone to embed a pirated movie.

Requiring only an IMDb number, Vodlocker.to allows anyone to embed videos, many of which are pirated.

This turned out to be a welcome feature for many smaller site operators, who use basic scripts to set up a streaming portal with minimal investment. In exchange, Vodlocker can serve some extra ads on these sites, which makes it a win-win for both parties.

More recently, however, it appears that ‘someone’ has added some extra code to the Vodlocker site that does more than streaming video or placing ads. As a result, the embedded videos are also being used to DDoS certain video streaming portals.

Looking at the source of the embed pages, we see a piece of JavaScript that attempts to load content from external sites. This is triggered by unwitting visitors; not once, but dozens of times per second. The smaller sites in question, understandably, collapse under this load.

The script



When we checked the site on Monday, Rainierland.com and Movie2k.st were being targeted, resulting in downtime. Today, the code has been updated and it’s now pointing movie4k.is, which is mostly unreachable as a result.

Movie4k.is attack in action



It’s not clear what the motivation for this attack is, or if Vodlocker is perhaps compromised, but it appears to be an intentional effort to take these streaming sites down.

Before the weekend the German news site Tarnkappe reported that another site, Filmpalast.to, was suffering from a similar DDoS attack.

Many of the sites that rely on these Vodlocker.to embed codes probably have no idea that they are participating in the attacks. The same is true for their visitors, who are unwittingly transformed into an army of stream-watching DDoS bots.

We contacted several of the affected sites for a comment but haven’t heard back. Vodlocker.to has no contact address listed, so we haven’t been able to reach out to the site itself.

The JavaScript-based attack itself isn’t new. Cloudflare previously highlighted the problem, describing it as a growing issue on the Internet.

“If an attacker sets up a site with this JavaScript embedded in the page, site visitors become DDoS participants. The higher-traffic the site, the bigger the DDoS,” Cloudflare explained in a blog post some years ago.

“Since purpose-built attack sites typically don’t have many visitors, the attack volume is typically low. Performing a truly massive DDoS attack with this technique requires some more creativity.”

In this case, there appears to be enough volume to take smaller sites offline. Not only are there a lot of sites who rely on the Vodlocker.to embeds, the visitors generally keep their tabs open for a more than an hour, while they’re watching, continuously hammering away.