I imagine most people, whether they’re users of pirate sites or not, haven’t paid much attention to the growing number of safety warnings associating content theft with identity theft and related crimes against consumers. For one thing, the whole idea of media piracy itself has, for too long, enjoyed undeserved credibility as a so-called victimless crime performing a social good broadly described as “sharing.” Or it’s been framed in economic terms by various pundits as a natural market reaction to outdated distribution and pricing models. And more than a few notable Internet activist organizations have either explicitly or implicitly evangelized the notion that piracy is fundamentally free speech, which enables said activists to label various efforts to mitigate piracy as “chilling speech.”
But over the last year or so, several studies have been conducted—I believe I have cited most of them—which demonstrate that piracy is one thing for sure: dangerous. Anyone with a computer, a bank account, a business, children, etc. should probably set aside both their preconceived attitudes and their ambivalence on the subject of piracy and read this new report commissioned by Digital Citizens Alliance (DCA) and conducted by RiskIQ. Here’s just one hypothetical scenario that can happen to anybody:
You don’t visit pirate sites yourself, but your kid might without your knowledge, or even without necessarily knowing what he’s doing. Maybe he was just looking for mods for Minecraft or innocently trying to watch some anime cartoon, and you’ve never worried much whether he’s visiting legal or illegal sites. But simply by stumbling onto a pirate site, this new DCA report indicates that your kid is at least 28 times more likely to infect the family computer with malware that can be used to drain your bank account, slave your computer for ad fraud (as described in my recent post citing the IAB report), or seize control of your computer to hold for ransom with a 72 hour window to pay several thousand dollars or kiss your data goodbye.
The DCA/RiskIQ report is aptly named Digital Bait in that it studies a growing sophistication among cybercriminals in the use of content theft sites—and presumably even misleading “free content” links—to hook users by downloading truly insidious malware to their devices. Businesses and entrepreneurs are particularly vulnerable to Denial of Services attacks in which the hacker takes down a website and demands a considerable ransom in order to restore the site to public visibility (y’know in the name of free speech and all).
RiskIQ estimates, just from the sites within the scope of this study, that 12 million U.S. users per month are being exposed to malware attacks, and DCA says this is merely the tip of the iceberg. According to the U.S. Department of Justice 16.2 million consumers have been victims of identity theft representing financial losses totaling more than $24.7 billion. And the problem is currently growing in both scope and sophistication in the cybercriminals’ ability to use malware to scam their victims.
For instance, one of the more disturbing developments in malware is that a user no longer has to click on an infected link to contract the virus. Called “drive-by-downloads,” the Digital Bait report estimates that 45% of the malware in the scope of its study can be delivered invisibly without requiring the user to click on anything. The report also indicates that more than half of the malware being delivered are Trojans, and many of these are Remote Access Trojans (RATs), which I discussed in this post after DCA published a report on this relatively unsophisticated form of hacking. Individuals can buy any of several RAT software kits for a few hundred dollars and start controlling a victim’s computer with an easy-to-use graphic interface that requires little-to-no coding skill. RATs can be used to harvest financial information or to spy on victims, including turning on webcams and microphones. Personal data can then be used for ransom; or IP addresses, particularly of young girls, may be sold in a black market exchange.
Not surprisingly, the report identifies that all of this growing malware activity is supported by a mature, underground “crimeware economy” operating on the Dark Web. To quote the report:
“The DarkNet allows individual hacking groups to specialize in specific categories and to earn money for delivery of goods and services to other criminals. For example, one organization may specialize in developing the malware that is installed on consumer devices and sell it on the web. Another organization will be responsible for distributing and installing the malware on consumer PCs or mobile devices. A third group that runs a forum might also purchase stolen consumer credentials and resell them in the DarkNet.”
For years, copyright owners have focused on advertising, which remains the primary revenue source for many of the most popular sites dedicated to providing unlicensed “free” content. But as the advertising community continues to collaborate on fixing the flaws in digital advertising ecosystem, which cause financial loss and harm to brand value, this will likely motivate cybercriminals to more aggressively dangle the lure of “free” content to draw consumers into malware traps.
On the other hand, a likely silver lining in this growing relationship between mass copyright infringement and serious harm to consumers is that copyright holders and Internet companies should find common cause in seeking both voluntary and law-enforcement remedies to the problem. After all, the spread of malware harms the entire Internet economy, and it as much in Google’s interests as it is in the creative industries’ interests to seek solutions.