Apropos my recent response to the EFF’s standard policy of shrugging at online piracy, I want to highlight one paragraph from the post to which I replied. Katherine Trendacosta wrote:
From the fever-pitch moral panic of the early 2000s, discussions about “piracy” disappeared from pop culture for about a decade. It’s come back, both from the side explaining why and the side that wants everyone punished.
Aside from the statement being inaccurate—discussions about piracy have persisted (often quite heatedly) every year since the Napster days—I cite the quote here because its sarcasm derives from that common fallacy which asserts that Piracy is a victimless crime. No it is not.
If one wants to cling to the rationale that because certain artists are wealthy, piracy is therefore harmless to creators, fine. Whatever. But the fact that EFF and other “digital rights” groups so consistently echo the alleged “harmlessness” of piracy suggests that they’re not terribly concerned about the broader security threats posed by this $2 billion/year, global, criminal enterprise.
In a new report published yesterday, Digital Citizens Alliance tells us that the 500 pirate sites studied in its latest research—there are thousands of pirate sites—earn at least $121 million per year just by hosting “malvertising” (i.e., ads designed to deliver malware). Entitled Unholy Triangle, the report was produced in collaboration with brand safety organization White Bullet and cyber security firm Unit 221B. It describes a symbiotic relationship between malvertisers and pirate sites—two sides of the triangle—and the various ways these parties profit by endangering visitors to pirate platforms—the third side of the triangle.
Highlights from the Report
Researchers found that among the sites studied, 8 in 10 were littered with ads specifically created to entice clicks that will instantly download malware to a device or network. One out of every six visits to pirate sites, the report says, will encounter an attempted malware attack. The most popular type of bug is ransomware, but the researchers also found trojan horses and other malware used to obtain personal or financial information and/or to take control of devices. Of that $121 million annual revenue the pirate sites acquire from serving malvertising, the report states that more than half ($68.3 million) came from U.S. visits.
Among the most compelling, albeit ironic, details revealed by the report is that the majority of ads used to trigger responses are based on fear—specifically, fear of malware! It seems that because many pirate site visitors know they are exploring illegal and sketchy platforms, they are more susceptible to pop-up and pop-under ads warning them that their devices may be infected, or that they should make changes to their devices to ensure their security or anonymity.
A visitor clicks that ad offering to protect her device, immediately downloads malware, and within minutes, her files are locked up, and she will soon receive a ransom demand promising to release those files for $800 to $1,000—in crypto, of course. Even people who pay these ransom demands report that, at best, they get about 65% of their data back, and there is no reason to assume that the hacker(s), who this report indicates are mostly located in Russia, will restore any data once they’re paid.
Ad Intermediaries Facilitate Sketchy Ads
DCA notes the success of initiatives like the Trustworthy Accountability Group (TAG), which launched in 2015 to extricate the legitimate advertising industry from the piracy business. But the report describes certain advertising intermediaries that seem to straddle the legal and illegal trade. For instance, researchers focused on intermediary RichAds, which the report describes as follows:
RichAds is an advertising company that touts its ability to capture new quality leads from premium sources through its productive ads. The company is listed as being based in Cyprus, with many of its employees listing Belarusian universities as their alma maters on LinkedIn. It promises to deliver the best traffic and claims, on its LinkedIn page, that “We block any bot or other fraudulent traffic.”
Researchers sent the ad shown here for approval and received a “no problem” message from RichAds. This was hardly surprising because, looking a bit further, it appears that this intermediary is not just turning a blind eye to malware campaigns but is promoting its services to facilitate malvertising on pirate sites. “In the case study [used to promote itself], RichAds highlights how the customer relied upon the company to generate and place ads that ‘warned’ users that a virus was detected on their devices and they needed to update their antivirus software,” the report states.
National Security Implications
With operators in countries like Russia and Belarus—and with more than half the malvertising revenue (measured in this report) being generated by American visits to pirate sites—questions about national security come to mind. No, I am not saying that some teenager in Indiana illegally streams Stranger Things, and the power grid shuts down—and neither is DCA. But with more telecommuting and more connections between critical enterprise databases and personal networks, the vulnerabilities of the former have increased, and enterprises are big fish for ransomware hackers.
Whether there is any crossover between the private malvertising industry and state-directed hacking aimed at the U.S. is a matter of speculation, but as the DCA report puts it:
Russia, China, Iran, and North Korea make up half of [all ransomware attacks]. As their primary target is the United States, it’s a safe assumption that the motivations go beyond financial to geo-political with national security implications. Those concerns have some states reconsidering the protocols for dealing with an attack on government operations.
Clearly, even if one does not give a RAT’s butt about creators’ works being illegally distributed, piracy is not a victimless crime. On the contrary, a substantial and growing revenue stream for the pirate site operators is, in fact, a trade in victims. Whether it’s slaving personal computers, identity theft, or delivering ransomware to a pharmaceutical company, malware is big business, and piracy sites continue to be an excellent super-spreader.
After about ten years of reading DCA’s reports, this recent one comes closest to at least implying that media piracy can be a vector for malware attacks on something larger than personal computers. Assuming that’s not an exaggeration, the “digital rights” groups may need to drop the false narrative that mitigating piracy comes at the cost of online “freedom.” Site blocking, technical measures, and other means to interdict the piracy trade become very different conversations, if we are indeed talking about critical supply chains and not just “Hollywood.”
The report cites Paul Watters, who “found it typically takes just 42 seconds for an ‘advanced persistent threat’ such as malware to infect a Windows device and 78 seconds to infect an Android device.”