DCA’s New Report on Enabling Malware

Enabling Malware

Andrew Orlowski reports at The Register that last week Google quietly suspended its legal action to “muzzle” an investigation by Mississippi Attorney General Hood into whether or not the search giant was abiding by the terms of its 2012, non-prosecutorial settlement with the government over illegal online sales of prescription drugs.  Any explanation of Google’s change in strategy or the future of that investigation are subjects for another day.  But the fact that AG Hood was ultimately not stymied—either by litigation or by a brazen attempt in the State House of Representatives to legislatively tie his hands—is probably good news for American consumers because State Attorneys General “often act as the de facto consumer protection arm in their respective states,” notes a new report published yesterday by Digital Citizens Alliance.

Following up on its December report, which presented a look into the scope of the malware hazard for consumers who visit content-theft sites, DCA and RiskIQ have again collaborated to begin looking at the hosting services that either inadvertently or knowingly support illegal sites, which then endanger consumers.  The hosting services in this regard are particularly relevant because they are not shadowy operators based in hard-to-reach geographies but are legal corporations with offices in the United States.  As such, the news that Google will now look to “cooperate with AG Hood” rather than remain on the offensive comes at a good moment for consumers.  This is because DCA notes that state AGs will be the first authorities who may choose to investigate US-operating hosting services to determine their role in fostering the dissemination of malware.

The December report called Digital Bait revealed the likelihood (about 30% in some cases) that users of content theft sites would infect their devices with malware, and the report also identified the various types of malware being deployed in order to steal information and/or assets from consumers.  Digital Bait also presented a glimpse into the dark web-based economy where criminals engage in transactions like selling the IP addresses of a girl’s computer or even a cybercriminal paying content-theft site owners to deliberately host malware on their sites.  The report contains some eye-opening statistics like the one from the DOJ, which states that 16.2 million American consumers have been victims of identity theft, incurring financial losses of more than $24.7 billion.

The report released yesterday, Enabling Malware, looks at two hosting companies, each of which responded very differently when DCA contacted them with their findings.  The first was CloudFlare, which is “known for its willingness to support, or at least overlook, illicit activities,” the report states.  CloudFlare is a hosting service that is specifically designed to mask the identity of site owners and of the true hosting site of any content, whether the content is legal or not.  The site’s blog reads, “Signing up for CloudFlare is like taking your number out of the phone book, and putting in CloudFlare’s number under your name.”

This type of service can be (and is) used by journalists or bloggers operating in locations with authoritarian governments or other hazards to free speech and reportage.  But it is also a natural hosting choice for content-theft site owners, thus earning the service the nickname “CrimeFlare” among cyber-security experts. DCA contacted CloudFlare with regard to its hosting sites like Putlocker and Animex, both of which were identified in the Digital Bait report as delivering malware to users.  CloudFlare did not respond until a day or two before the release of this new report and wrote the following:

“CloudFlare’s service protects and accelerates websites and applications. Because CloudFlare is not a host, we cannot control or remove customer content from the Internet. CloudFlare leaves the removal of online content to law enforcement agencies and complies with any legal requests made by the authorities. If we believe that one of our customers’ websites is distributing malware, CloudFlare will post an interstitial page that warns site visitors and asks them if they would like to proceed despite the warning. This practice follows established industry norms.”

In other words, CloudFlare is not going to do anything unless authorities make them.

The other hosting service DCA and RiskIQ looked at was HawkHost, whose support includes watchfreemoviesonline.top, which was found to have a 32% malware exposure rate in the research conducted for the Digital Bait report. When DCA contacted HawkHost, the company’s response was very different from CloudFlare’s, stating that the sites identified by DCA would be taken down because they “clearly violate our TOS/AUP,” according to CTO Cody Robertson. Additionally, executives at HawkHost have agreed to meet with DCA to discuss findings linking malware with content theft sites and to look for ways to better protect consumers.  DCA commends HawkHost, stating that they find the company’s response “an encouraging sign.”

DCA and RiskIQ will continue to study the link between content-theft sites and malware, as well as the legal hosting services that operate in the United States, which may be supporting malware-infested sites. These findings will be presented to State Attorneys General, who then have the authority to investigate the extent to which a particular hosting service may or may not be willfully turning a blind eye to illegal enterprise that is directly harming American consumers.  So, as mentioned, beyond any implications regarding the Google investigation itself, last week’s affirmation of AG Hood’s authority in that case is likely a good sign for protecting consumers in general from the chronic I-Didn’t-Know-Defense too-often employed by various OSPs.

Enjoy this blog? Please spread the word :)