Cybercrime and Terrorism Sponsored by Your Candidate

If you were watching TV and a show came on called How to Hack Computers and Commit Credit Card Fraud with a lead commercial from Bank of America, you might think there’s something amiss.  Like, where does the network get off airing a show specifically teaching people how to commit crimes?  And did BofA really mean to be the sponsor?  If not, they must be pretty pissed off at the network.  And if they did mean to be the sponsor, we consumers should be pretty pissed off at the network and the sponsor, right? That’s how the world of media and advertising works. Except on YouTube.

Digital Citizens Alliance released a new report last month covering a familiar theme with an election-year twist.  As the organization has reported in the past, advertisers who spend money to place ads on YouTube are essentially cheated out of some portion of their media buy when their ads appear in conjunction with videos selling or promoting criminal or terrorist activity.  I and others have cited examples of mainstream American brands unwittingly sponsoring ISIS recruiting videos or clips teaching people how to deliver malware to steal identities and data.  But this new report by DCA called Fear, Loathing, and Jihad calls attention to the fact that all of the current presidential campaigns are in one way or another sponsoring these criminal or terrorist-produced videos.  From the report:

“How does the Kasich campaign, whose credibility is based on fiscal aptitude and efficiency, feel about their ads showing up next to a video by those actively committing financial fraud?”

“Support from young voters is the main reason why Senator Bernie Sanders is able to challenge Hillary Clinton. Why would he want a campaign ad showing up next to a video demonstrating how to ‘slave’ the computer of a young male victim?”

Political ads are a variation on the larger theme of poor-quality placement that affects all advertisers in the digital market, but DCA is not wrong to point out the uniqueness of these dichotomous pairings when we see American presidential candidates effectively hosting videos calling for jihad or selling fake IDs and other contraband. Moreover, in several cases the candidate’s ad buy may actually be putting money into the pockets of the criminal video makers. So, it’s not farfetched to say that you can donate twenty bucks to your candidate and that money can end up in the pocket of some homegrown, would-be jihadist by way of Google AdSense and the YouTube Partner program. Unfortunately, it seems that Google is about as diligent in vetting YouTube Partners to participate in ad revenue sharing as it is in mitigating copyright infringement on its platforms.

According to Google’s own Terms and Conditions, a prospective Partner must upload “advertiser friendly content”, and here’s what the company says might be considered unfriendly:

Content includes, but is not limited to:

• Sexually suggestive content, including partial nudity and sexual humor

• Violence, including display of serious injury and events related to violent extremism

• Inappropriate language, including harassment, profanity and vulgar language

• Promotion of drugs and regulated substances, including selling, use and abuse of such items

• Controversial or sensitive subjects and events, including subjects related to war, political conflicts, natural disasters and tragedies, even if graphic imagery is not shown

Now, my own read of those conditions would want to see them applied with considerable latitude given that plenty of high-quality satire, news reporting, and entertainment is likely to implicate any number of those descriptions.  But if Google is not able to, for instance, separate the combat-related humor in videos made by the veterans group Ranger Up and an ISIL recruiting video—or a video made by some jerk showing people how to invade a girl’s privacy through her computer—then maybe those conditions are really not conditions so much as they’re just a bunch of words Google universally ignores.

DCA states that when their reports and the news media have brought attention in the past to this same issue, YouTube has made an effort to remove ads from many offending videos, but the report also implies that this type of action is a band-aid in response to momentary pressure.  Just like infringing material is restored as fast as it is taken down, ads continue to be linked to videos that no brand—let alone any political candidate—would choose to sponsor.

Although advertisers do have a measure of control in setting parameters to properly target their ads, the automated nature of the system is nothing like the control advertisers have with traditional media buys.  As the report states, “Let’s be clear: Google is not giving advertisers the opportunity to veto undesirable videos, but to opt-in and minimize the possibilities of ads showing up in undesirable places.” As we see in the context of rights holders and the DMCA, Google’s own financial incentive is grounds to play ignorant and incapable and to shift the burden to everyone else.  Again, to quote the report, “Right now, the best thing you [campaign operative] can do is report the videos to YouTube, which may pull these videos down. Google has deputized all of us to do the work it can’t…or won’t.”

Speaking of incentive, why the leadership of Google does not display the basic human decency or corporate responsibility to delete these videos as clear abuses of their service is inexplicable beyond basic greed.  Because let’s be grown-ups:  free speech doesn’t even enter this conversation. Speech does not protect criminal activity, incitement to violence, or training in the commission of crimes; and it sure as hell does not protect the video productions of violent extremists whose agenda fundamentally betrays the natural rights philosophy upon which free speech is predicated. And more prosaically, any private company is within its right to provide or not provide content based on its own internal judgments without violating free speech.  But there’s the rub.

It seems that YouTube is in sort of a logical pickle, trapped between its safe harbor status from liabilities like copyright infringement and what could become a growing demand to guarantee quality impressions to the advertisers who pay all of the company’s bills.  In order to avoid liability for the millions of user-caused copyright infringements on the platform, YouTube has to maintain that it is blind to the content on its servers prior to a specific notification. Meanwhile, the advertisers (and frankly the public) would be better served if YouTube were to make a serious effort to remove videos that are clearly dedicated to promoting or abetting the commission of crimes and acts of terrorism.  But the more YouTube exerts this kind of editorial control, the thinner their veil of ignorance becomes, which can then expose the company to liability for copyright infringement and other abuses of its platform.  Meanwhile, as the monopolistic YouTube hovers in this limbo raking in millions, the advertisers, rights holders, and public are not well served.

The DCA report states that this year the presidential campaigns will spend $1 billion in digital advertising, with Google, Facebook, and Twitter receiving most of that revenue.  For perspective, the report explains that if Google takes the same percentage of that billion as it made from all digital US advertising in 2015, it will earn $387 million from campaign spending alone. Meanwhile, the company that claims to provide the tools of political transparency to the public is anything but transparent on this matter according to the report.  “We have no idea how much Google and YouTube make from videos marketing illegal or illicit activities,” the report states. “Google has fought back against elected officials and regulators who’ve asked questions about the money. So far, the company has been successful at keeping its numbers a secret.” Maybe the point at which political campaign dollars are being split 45/55 between Google and terrorists is the moment when federal regulators decide to get serious.

Piracy is increasingly hazardous, says Digital Citizens.

I imagine most people, whether they’re users of pirate sites or not, haven’t paid much attention to the growing number of safety warnings associating content theft with identity theft and related crimes against consumers.  For one thing, the whole idea of media piracy itself has, for too long, enjoyed undeserved credibility as a so-called victimless crime performing a social good broadly described as “sharing.” Or it’s been framed in economic terms by various pundits as a natural market reaction to outdated distribution and pricing models. And more than a few notable Internet activist organizations have either explicitly or implicitly evangelized the notion that piracy is fundamentally free speech, which enables said activists to label various efforts to mitigate piracy as “chilling speech.”

But over the last year or so, several studies have been conducted—I believe I have cited most of them—which demonstrate that piracy is one thing for sure: dangerous.  Anyone with a computer, a bank account, a business, children, etc. should probably set aside both their preconceived attitudes and their ambivalence on the subject of piracy and read this new report commissioned by Digital Citizens Alliance (DCA) and conducted by RiskIQ.  Here’s just one hypothetical scenario that can happen to anybody:

You don’t visit pirate sites yourself, but your kid might without your knowledge, or even without necessarily knowing what he’s doing. Maybe he was just looking for mods for Minecraft or innocently trying to watch some anime cartoon, and you’ve never worried much whether he’s visiting legal or illegal sites.  But simply by stumbling onto a pirate site, this new DCA report indicates that your kid is at least 28 times more likely to infect the family computer with malware that can be used to drain your bank account, slave your computer for ad fraud (as described in my recent post citing the IAB report), or seize control of your computer to hold for ransom with a 72-hour window to pay several thousand dollars or kiss your data goodbye.

The DCA/RiskIQ report is aptly named Digital Bait in that it studies a growing sophistication among cybercriminals in the use of content theft sites—and presumably even misleading “free content” links—to hook users by downloading truly insidious malware to their devices. Businesses and entrepreneurs are particularly vulnerable to Denial of Service attacks in which the hacker takes down a website and demands a considerable ransom in order to restore the site to public visibility (y’know, in the name of free speech and all).

RiskIQ estimates, just from the sites within the scope of this study, that 12 million U.S. users per month are being exposed to malware attacks, and DCA says this is merely the tip of the iceberg.  According to the U.S. Department of Justice, 16.2 million consumers have been victims of identity theft, representing financial losses totaling more than $24.7 billion. And the problem is currently growing in both scope and sophistication in the cybercriminals’ ability to use malware to scam their victims.

For instance, one of the more disturbing developments in malware is that a user no longer has to click on an infected link to contract the virus. The Digital Bait report estimates that 45% of the malware in the scope of its study can be delivered invisibly, through what are called “drive-by downloads,” without requiring the user to click on anything.  The report also indicates that more than half of the malware being delivered consists of Trojans, and many of these are Remote Access Trojans (RATs), which I discussed in this post after DCA published a report on this relatively unsophisticated form of hacking. Individuals can buy any of several RAT software kits for a few hundred dollars and start controlling a victim’s computer with an easy-to-use graphic interface that requires little-to-no coding skill.  RATs can be used to harvest financial information or to spy on victims, including turning on webcams and microphones. Personal data can then be used for ransom; or IP addresses, particularly of young girls, may be sold in a black market exchange.

Not surprisingly, the report identifies that all of this growing malware activity is supported by a mature, underground “crimeware economy” operating on the Dark Web.  To quote the report:

“The DarkNet allows individual hacking groups to specialize in specific categories and to earn money for delivery of goods and services to other criminals. For example, one organization may specialize in developing the malware that is installed on consumer devices and sell it on the web. Another organization will be responsible for distributing and installing the malware on consumer PCs or mobile devices. A third group that runs a forum might also purchase stolen consumer credentials and resell them in the DarkNet.”

For years, copyright owners have focused on advertising, which remains the primary revenue source for many of the most popular sites dedicated to providing unlicensed “free” content.  But as the advertising community continues to collaborate on fixing the flaws in the digital advertising ecosystem, which cause financial loss and harm to brand value, this will likely motivate cybercriminals to more aggressively dangle the lure of “free” content to draw consumers into malware traps.

On the other hand, a likely silver lining in this growing relationship between mass copyright infringement and serious harm to consumers is that copyright holders and Internet companies should find common cause in seeking both voluntary and law-enforcement remedies to the problem.  After all, the spread of malware harms the entire Internet economy, and it is as much in Google’s interests as it is in the creative industries’ interests to seek solutions.


We Have a RAT Problem Says DCA

“We the consumers are outgunned and outmanned. We don’t have the tools needed to protect ourselves.  While you are still better off having a 2013 anti-virus program, it won’t protect you against zero-day malware any more than the polio vaccine will protect you from Ebola.”

That quote is from the introduction of a new report published last week by the Digital Citizens Alliance entitled Selling “Slaving.”  It focuses on an especially pernicious form of malware called RATs (Remote Access Trojans); the users of these applications; their victims; and the enablers — both corporate and criminal — that help spread and even monetize this growing trend in what sounds a bit like hobbyist hacking.  I have never explicitly recommended reading a whole report of this nature before — often the bulk of a study contains a lot of data supporting the main findings — but I do recommend reading all of this one.  Not only does it discuss a cybersecurity threat of concern to any computer or device user anywhere, but the report reads much more like a very long article that provides insight into the nature, motives, methods, and victims of this class of hackers called ratters.  Their brands of mischief include a wide range — from pranking people for sophomoric amusement; to identity and data theft; to slaving built-in webcams on the computers of women and girls to record Peeping Tom photos and videos that may or may not be used for the purposes of extortion and/or sold through black-market channels trading in child pornography.

The DCA report indicates that ratting is on the rise — and going mobile — but readers should take particular note of the lack of sophistication required relative to the amount of harm that can be caused to victims who fall prey to RATs.  In fact, many ratters can hardly be called hackers at all because they don’t hack into computers by means of any remarkable coding skills. Instead, the unsuspecting victim inadvertently downloads malware to her operating system, and a ratter is then able to control that computer (slave it) using one of a handful of cheap, easy-to-acquire, easy-to-operate software applications. An attack can be targeted (i.e. aimed at a specific victim like someone the ratter knows and has a motive to assault), but it seems that most victims are random people downloading files they assume are innocuous but that contain RAT malware.

Probably the most archetypal story of a malicious and targeted RAT assault — one the DCA report cites in some detail — is that of Cassidy Wolf, the California teenager, who was voted Miss Teen USA in 2013.  In the months leading up to her pageant victory, Wolf was the victim of a ratter, who turned out to be a teenage boy at her high school named Jared Abrahams.  Abrahams had taken control of Wolf’s computer as well as her entire social media presence, and she was completely unaware that he had been slaving her webcam to capture naked images of her until the day she received an anonymous email threatening to leak these images and other personal information on the Web, saying that he would ruin her career plans by turning her into an “internet porn star.”  His demand in trade for his silence was that she provide him with a “sexually explicit” video; and Wolf has been rightly praised for her courage in standing up to her assailant, even after he made good on his threat to release compromising images. She contacted the FBI, went public with her story, and used her pageant celebrity status to raise awareness of the problem. Her decision helped lead to the identification and conviction of Abrahams, and by the time authorities caught up with him, they discovered he had been “slaving” the devices of approximately 150 young women and female minors around the world.  He served 18 months and is currently under house arrest.

Abrahams was a relatively sophisticated hacker — and he clearly chose to target Cassidy Wolf — but many ratters are more casual, random, and technologically inept than Abrahams, so they turn to the same resource many of us use for How-To advice — YouTube.  The fledgling ratter (sometimes called a script kiddie) need not find some remote corner of the dark web in order to learn how to spread and use RAT malware because there are dozens — if not hundreds — of tutorial videos on YouTube right now that provide complete, step-by-step guides to ratting along with helpful comments and links by fellow ratters.  (See, the Web really is about community!) In addition to these tutorials, we find ratter “fan vids,” which are not so much tutorial in nature as vicarious viewing, so you can watch a ratter harass or spy on a victim while narrating his observations like “Dude, watch this!” and “Oh, fuck, did you see that?  This shit is sick.”

Just one of many ratter videos on YouTube. All the visible titles suggest tutorials in how to be a ratter.

Collectively, both the tutorial and the ratter “fan videos” have tens of thousands of views, and the DCA report indicates that about 38 percent of these videos are ad-supported, which means that both Google and the ratter are earning some revenue from the ad buys of major brand advertisers.  This means Google has a problem that reads something like this:  “This illegal invasion of an underage girl’s bedroom brought to you by Procter & Gamble.”  And as much as I criticize Google for profiting from the exploitative aspects of digital life, I would not be surprised if the company seeks to mitigate its role as an enabler of ratting just as it has with a zero-tolerance approach to keeping child pornography out of the Google-verse.  The DCA recommends Google assign a “human team” to address the role that both search and the YouTube platform are playing in this regard, but it cannot be overlooked that the Internet industry’s larger policy agenda, advocating a “hands off” approach to all things Web, provides cover for bad actors in a variety of ways.

And that brings us to one of the primary channels through which RATs are spread (and you’ll be terribly surprised), which is illegal file-sharing sites.  Because Trojan Horse malware is delivered by sneaking the virus into an OS while the user downloads a file he/she assumes is safe, it stands to reason that the black-market world of illegal media and software provides an ideal hunting ground for ratters to set their traps.  In fact, some of those tutorials on YouTube demonstrate how a ratter can download a file from, say, kickasstorrents, modify the file with his RAT, then re-upload the newly infected file awaiting random downloaders because, y’know, “sharing.”

By these methods, ratters trap random prey to be fed upon at leisure and prioritized according to the intent of the ratter.  This may include mining victims for credit card or other sensitive information; or the ratter may slave the computer to mine bitcoins or to spread RAT infiltration to a larger system, like the victim’s place of business.  But in many cases, it seems, the goal of many a low-skilled ratter (i.e. teenage boys and young men) is to gain access to the computers of women and girls who have webcams.  Thus, as ratters manage to trap these prized victims (often with the enthusiasm of trophy hunters), they sell the IP addresses to other ratters — like commodities in their own little RAT exchange — where access to a boy’s computer sells for about $1 while access to a girl’s computer sells for about $5, according to the DCA.

Now, I have at least implied in the past that piracy sites should be boycotted by anyone who considers herself — or himself — a defender of feminist principles.  In addition to the fact that the site owners directly profit from advertising links to “services” that are tied to varying degrees of exploitation of women (e.g. MEET ASIAN GIRLS NOW!!), this DCA study of RATs demonstrates that these sites also unintentionally provide fertile ground for spreading malware that is consistently used to exploit girls, which is apparently valued at a 5:1 ratio over the exploitation of boys. I’m not sure what else needs to be said about that.

Finally, the DCA report does contain some indication as to how Internet companies, users, and law enforcement might actually work to address the challenge of this growing risk of personal invasion.  But in order to get there, the public will first have to accept that Internet companies and law enforcement have a role to play, that our RAT infestation is just more evidence that a free-for-all policy on the Web is a fundamental failure.