Enterprises are increasingly using YouTube as their vehicle for hosting internal an external videos. However, researchers at vendor Trend Micro have discovered that criminals are exploiting the popularity of site by finding ways to place malicious ads there in hopes viewers will click on them.

Their tool is an exploit kit dubbed Sweet Orange, which leverages vulnerabilities in Internet Explorer, Java and Flash.

“The ads we’ve observed do not directly lead to malicious sites from YouTube,” the researchers said in a column. “Instead, the traffic passes through two advertising sites, suggesting that the cybercriminals behind this campaign bought their traffic from legitimate ad providers.”

The overwhelming number of victims in a 30-day period were from the U.S., the column adds.

“In order to make their activity look legitimate, the attackers used the modified DNS information of a Polish government site,” says the column. “The attackers did not compromise the actual site; instead they were able to change the DNS information by adding subdomains that lead to their own servers.” At the time of writing how the hackers were able to do this was unclear.

The traffic passes through two redirection servers (located in the Netherlands) before ending up at the malicious server, located in the United States.

Users who keep their systems patched won’t be affected by this attack, says Trend Micro. For example, Microsoft released a patch for this particular vulnerability in May 2013. Still, note that old vulnerabilities are still being exploited by attackers.