DCA Releases New Report on Piracy Sites and Malware

Apropos my recent response to the EFF’s standard policy of shrugging at online piracy, I want to highlight one paragraph from the post to which I replied. Katherine Trendacosta wrote:

From the fever-pitch moral panic of the early 2000s, discussions about “piracy” disappeared from pop culture for about a decade. It’s come back, both from the side explaining why and the side that wants everyone punished.

Aside from the statement being inaccurate—discussions about piracy have persisted (often quite heatedly) every year since the Napster days—I cite the quote here because its sarcasm derives from that common fallacy which asserts that piracy is a victimless crime. It is not.

If one wants to cling to the rationale that because certain artists are wealthy, piracy is therefore harmless to creators, fine. Whatever. But the fact that EFF and other “digital rights” groups so consistently echo the alleged “harmlessness” of piracy suggests that they are not terribly concerned about the broader security threats posed by this $2 billion-per-year, global, criminal enterprise.

In a new report published yesterday, Digital Citizens Alliance tells us that the 500 pirate sites studied in its latest research—there are thousands of pirate sites—earn at least $121 million per year just by hosting “malvertising” (i.e., ads designed to deliver malware). Entitled Unholy Triangle, the report was produced in collaboration with brand-safety organization White Bullet and cyber-security firm Unit 221B. It describes a symbiotic relationship between malvertisers and pirate sites—two sides of the triangle—and the various ways these parties profit by endangering visitors to pirate platforms—the third side of the triangle.

Highlights from the Report

Researchers found that among the sites studied, 8 in 10 were littered with ads specifically created to entice clicks that immediately download malware to a device or network. One out of every six visits to pirate sites, the report says, will encounter an attempted malware attack. The most common type of malware is ransomware, but the researchers also found trojans and other malware used to obtain personal or financial information and/or to take control of devices. Of the $121 million in annual revenue the pirate sites acquire from serving malvertising, the report states that more than half ($68.3 million) came from U.S. visits.

Among the most compelling, albeit ironic, details revealed by the report is that the majority of ads used to trigger clicks are based on fear—specifically, fear of malware. It seems that because many pirate-site visitors know they are exploring illegal and sketchy platforms, they are more susceptible to pop-up and pop-under ads warning them that their devices may be infected, or urging them to make changes to their devices to ensure their security or anonymity. This is the classic scareware pattern: the fake warning is the lure, and the “fix” it offers is the malware.

A visitor clicks that ad offering to protect her device, immediately downloads malware, and within minutes,[1] her files are encrypted; she will soon receive a ransom demand promising to release those files for $800 to $1,000—in cryptocurrency, of course. Even people who pay these ransom demands report that they get back only about 65% of their data, and there is no reason to assume that the attackers, who this report indicates are mostly located in Russia, will restore any data once they are paid.

Ad Intermediaries Facilitate Sketchy Ads

DCA notes the success of initiatives like the Trustworthy Accountability Group (TAG), launched in 2015 to extricate the legitimate advertising industry from the piracy business. But the report also describes certain advertising intermediaries that seem to straddle the legal and illegal trade. For instance, researchers focused on the intermediary RichAds, which the report describes as follows:

RichAds is an advertising company that touts its ability to capture new quality leads from premium sources through its productive ads. The company is listed as being based in Cyprus, with many of its employees listing Belarusian universities as their alma maters on LinkedIn. It promises to deliver the best traffic and claims, on its LinkedIn page, that “We block any bot or other fraudulent traffic.”

Researchers sent the ad shown here for approval and received a “no problem” message from RichAds. This was hardly surprising because, looking a bit further, it appears that this intermediary is not just turning a blind eye to malware campaigns but is promoting its services to facilitate malvertising on pirate sites. “In the case study [used to promote itself], RichAds highlights how the customer relied upon the company to generate and place ads that ‘warned’ users that a virus was detected on their devices and they needed to update their antivirus software,” the report states.

National Security Implications

With operators in countries like Russia and Belarus—and with more than half the malvertising revenue measured in this report generated by American visits to pirate sites—questions about national security come to mind. No, I am not saying that some teenager in Indiana illegally streams Stranger Things and the power grid shuts down—and neither is DCA. But with more telecommuting, and with more personal devices and home networks connecting into critical enterprise systems, the exposure of those enterprises has increased, and enterprises are big fish for ransomware operators.

Whether there is any crossover between the private malvertising industry and state-directed hacking aimed at the U.S. is a matter of speculation, but as the DCA report puts it:

Russia, China, Iran, and North Korea make up half of [all ransomware attacks]. As their primary target is the United States, it’s a safe assumption that the motivations go beyond financial to geo-political with national security implications. Those concerns have some states reconsidering the protocols for dealing with an attack on government operations.

Hardly Victimless

Clearly, even if one does not give a RAT’s butt about creators’ works being illegally distributed, piracy is not a victimless crime. On the contrary, a substantial and growing revenue stream for pirate-site operators is, in fact, a trade in victims. Whether it is enslaving personal computers, identity theft, or delivering ransomware to a pharmaceutical company, malware is big business, and piracy sites continue to be an excellent super-spreader.

After about ten years of reading DCA’s reports, this recent one comes closest to at least implying that media piracy can be a vector for malware attacks on something larger than personal computers. Assuming that’s not an exaggeration, the “digital rights” groups may need to drop the false narrative that mitigating piracy comes at the cost of online “freedom.” Site blocking, technical measures, and other means to interdict the piracy trade become very different conversations, if we are indeed talking about critical supply chains and not just “Hollywood.”


[1] The report cites Paul Watters, who “found it typically takes just 42 seconds for an ‘advanced persistent threat’ such as malware to infect a Windows device and 78 seconds to infect an Android device.”

Malware Suggests Search Plays a Major Role in Piracy


Copyright holders have long insisted that search results play a substantial role in driving users toward pirate sites. Google and piracy advocates have generally countered that search does not drive much traffic to illegal sites because the people who consistently use infringing sites know what they are doing and will go directly to the content they are seeking. This is a reasonable assumption to make about the population of committed infringers, but one fact that undercuts the premise is the extraordinary volume of malware (up to a 1-in-3 chance of exposure) on infringing sites. Malware is not there to catch the experienced visitor; it is there to catch the unsuspecting individuals who may not even realize they are using illegal sites when they first arrive.

For those who do not know how it works, it goes like this: A user is interested in watching Moonlight. If he types “Moonlight” into Google Search, the results just below the top few will be links that read “Watch Moonlight Online for Free,” all of which lead to infringing sites. If the user instead types “Watch Moonlight” into the search field, then the top results will be infringing links. And quite often, Google’s autocomplete will suggest words that steer the user toward an infringing site. For instance, if the user logically adds the word “movie” (because moonlight is a word and not just a title), then Google will complete the thought with “online,” which then yields top results linking to “watch moonlight movie online” on an infringing site.

Google and the piracy apologists are almost certainly correct that many avid visitors to infringing sites are fairly sophisticated users; they have VPNs, ad-blockers, security software, etc. to avoid detection and malware. But if these were the only kind of visitors landing on these sites, the underground market in malware would not be nearly so robust as it is.

As described in this 2015 post about a report called Digital Bait, commissioned by Digital Citizens Alliance and conducted by RiskIQ, a sophisticated “crimeware economy” exists on the darknet, where criminals buy and sell goods and services used exclusively for preying on users. To use a blunt example, if a teenage girl visits an infringing site, she has up to a 30% chance of contracting malware. That malware may be a Remote Access Trojan (RAT), which gives even fairly unsophisticated attackers control of her computer, including her webcam. Then her IP address (and with it, access to the infected machine) may be sold in this black market to people who want to spy on teenage girls in their bedrooms. In many cases, a user does not even have to consume the infringing content in order to infect a device; clicking one of the malicious ads on the page is enough. The promise of “free content” may draw the user into a dead-end malware trap.

If all traffic to pirate sites truly comprised only the knowledgeable users, then the criminals would not have a financial incentive to deploy so much malware on sites that infringe, or promise to infringe, copyrighted content.  The very existence of prevalent malware is an indication that a substantial number of users who have no idea what they’re doing are visiting these sites, which logically leads to the conclusion that search must play a significant role in driving users toward these sites and into the hands of criminals.

Notice that, in this context, we do not even need to address the subject of copyright infringement, let alone get bogged down in all the tedious rhetoric about free speech. If Google’s top search results are indeed putting users in harm’s way, this is a consumer-protection issue for the Federal Trade Commission and/or State Attorneys General. And, in fact, Digital Citizens Alliance, after releasing its 2016 report Enabling Malware, began presenting its findings to the AGs.

Yes, it is likely true that once a user—even a fairly unsophisticated teenager—is aware of sites where free content is available, he will probably revisit those sites directly without going through a search engine. But even this kind of anecdotal assumption does not mean the role of search is insignificant, not least because the illegal nature of pirate sites means that they tend to disappear and reappear under new domains as authorities in various regions shut them down, and users find the new domain through search. A 2013 study indicated that 19% of the traffic to infringing sites could be directly attributed to search, and if that number were wrong by half, it would still represent billions of visits per year.

Consumers have a right to know the nature of their vulnerabilities when using any product or service, and they have a right to demand that U.S. companies take every reasonable step to mitigate exposure to risk. To date, Google has refused to take even the obvious step of demoting known infringing sites in its search results, let alone to alter the way autocomplete may drive consumers toward these sites.

Google does now feature legal channels for consuming media, including its own services like YouTube and Google Play, which is a good step but not likely sufficient to protect consumers as attackers become more sophisticated and more ambitious. In fact, one likely consequence of advertisers becoming more effective at keeping their brands off pirate sites is that criminals will depend more on the “crimeware economy,” using infringing content as bait to deliver malware.

Google is getting a lot of pushback lately—from the EU’s anti-trust decision, from the advertisers, and from the Canadian Supreme Court this week in the Equustek case. (More on that shortly.)  I would not be surprised if the State AGs and other consumer-protection agencies begin to take a more active interest in the relationship between search, piracy, and malware.

DCA’s New Report on Enabling Malware


Andrew Orlowski reports at The Register that last week Google quietly suspended its legal action to “muzzle” an investigation by Mississippi Attorney General Hood into whether the search giant was abiding by the terms of its 2011 non-prosecution agreement with the federal government over illegal online sales of prescription drugs. Any explanation of Google’s change in strategy, or of the future of that investigation, is a subject for another day. But the fact that AG Hood was ultimately not stymied—either by litigation or by a brazen attempt in the State House of Representatives to legislatively tie his hands—is probably good news for American consumers because State Attorneys General “often act as the de facto consumer protection arm in their respective states,” notes a new report published yesterday by Digital Citizens Alliance.

Following up on its December report, which examined the scope of the malware hazard for consumers who visit content-theft sites, DCA and RiskIQ have again collaborated, this time to begin looking at the hosting and infrastructure services that either inadvertently or knowingly support illegal sites, which in turn endanger consumers. These services are particularly relevant because they are not shadowy operators based in hard-to-reach jurisdictions but legal corporations with offices in the United States. As such, the news that Google will now look to “cooperate with AG Hood” rather than remain on the offensive comes at a good moment for consumers, because DCA notes that state AGs will be the first authorities who may choose to investigate U.S.-operating hosting services to determine their role in fostering the dissemination of malware.

The December report, Digital Bait, revealed the likelihood (about 30% in some cases) that users of content-theft sites would infect their devices with malware, and it also identified the various types of malware being deployed in order to steal information and/or assets from consumers. Digital Bait also presented a glimpse into the dark-web economy where criminals engage in transactions like selling the IP address of a girl’s compromised computer, or a cybercriminal paying content-theft site owners to deliberately host malware on their sites. The report contains some eye-opening statistics, like the one from the DOJ stating that 16.2 million American consumers have been victims of identity theft, incurring financial losses of more than $24.7 billion.

The report released yesterday, Enabling Malware, looks at two companies, each of which responded very differently when DCA contacted them with its findings. The first was CloudFlare, which is “known for its willingness to support, or at least overlook, illicit activities,” the report states. CloudFlare is not a web host in the usual sense but a reverse proxy and content-delivery service: a site’s DNS records point at CloudFlare, visitors connect to CloudFlare’s servers, and CloudFlare fetches the content from the real hosting server behind it. The effect is that the identity of the site owner and the true location of the content are hidden from the public, whether the content is legal or not. CloudFlare’s own blog puts it this way: “Signing up for CloudFlare is like taking your number out of the phone book, and putting in CloudFlare’s number under your name.”

This type of service can be (and is) used by journalists or bloggers operating in locations with authoritarian governments or other hazards to free speech and reportage. But it is also a natural choice for content-theft site owners, thus earning the service the nickname “CrimeFlare” among some cyber-security experts. DCA contacted CloudFlare about its fronting of sites like Putlocker and Animex, both of which were identified in the Digital Bait report as delivering malware to users. CloudFlare did not respond until a day or two before the release of this new report, and wrote the following:

“CloudFlare’s service protects and accelerates websites and applications. Because CloudFlare is not a host, we cannot control or remove customer content from the Internet. CloudFlare leaves the removal of online content to law enforcement agencies and complies with any legal requests made by the authorities. If we believe that one of our customers’ websites is distributing malware, CloudFlare will post an interstitial page that warns site visitors and asks them if they would like to proceed despite the warning. This practice follows established industry norms.”

In other words, CloudFlare is not going to do anything unless authorities make it.
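The phone-book analogy describes a reverse proxy: the public DNS record for a proxied site points at CloudFlare’s addresses, not at the server that actually stores the content. The following is an added example, not code from the DCA report, from CloudFlare, or from this blog, that checks a hostname’s A records against a snapshot of Cloudflare’s published IPv4 ranges, and a captured response’s headers, to decide whether the visible IP identifies the real host at all. The hostnames, DNS answers and headers are constructed for the example; the address ranges are assumed current as of writing and should be refreshed from https://www.cloudflare.com/ips-v4 before any real use.

```python
"""
Added example (not from the DCA report, CloudFlare, or the blog post): given
the DNS answers for a hostname, decide whether the site sits behind
Cloudflare's reverse proxy. When it does, the A records are Cloudflare edge
addresses and say nothing about which company actually hosts the content, so
an abuse report aimed at "the host of that IP" lands at Cloudflare instead.

No network lookups are made. The DNS answers and HTTP headers below are
constructed for the example, and the hostnames are placeholders, not sites
named in the reports. The Cloudflare ranges are a snapshot of the list the
company publishes at https://www.cloudflare.com/ips-v4 (assumed current).
"""
import ipaddress

CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed resolver answers (hostname -> A records). 203.0.113.0/24 is the
# RFC 5737 documentation range, standing in for a real hosting provider.
SAMPLE_DNS = {
    "proxied.example":   ["104.21.33.44", "172.67.140.9"],
    "unproxied.example": ["203.0.113.17"],
    "mixed.example":     ["104.21.33.44", "203.0.113.17"],
}

# Constructed HTTP response headers for the same hosts.
SAMPLE_HEADERS = {
    "proxied.example":   {"Server": "cloudflare", "CF-RAY": "7d1f2a3b4c5d6e7f-IAD"},
    "unproxied.example": {"Server": "nginx/1.18.0"},
}


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls in one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def classify(answers):
    """
    Classify a set of A records. Returns (verdict, origin_candidates):
      'proxied' - every record is a Cloudflare edge address; the origin is hidden.
      'origin'  - no Cloudflare addresses; the records point at the real provider.
      'mixed'   - some of each, which usually means a partially proxied or
                  misconfigured zone and is itself worth a closer look.
    origin_candidates lists the non-Cloudflare addresses, i.e. the ones a
    WHOIS/ASN lookup could attribute to a hosting company.
    """
    edge = [a for a in answers if is_cloudflare_ip(a)]
    direct = [a for a in answers if not is_cloudflare_ip(a)]
    if edge and not direct:
        return "proxied", []
    if direct and not edge:
        return "origin", direct
    return "mixed", direct


def headers_look_proxied(headers) -> bool:
    """
    Second, independent signal: Cloudflare's edge sets 'Server: cloudflare'
    and adds a CF-RAY request identifier. Useful when all you have is a
    captured response. Absence proves nothing; presence is a strong hint.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("server", "").lower() == "cloudflare" or "cf-ray" in lowered


if __name__ == "__main__":
    for host, records in SAMPLE_DNS.items():
        verdict, candidates = classify(records)
        hdr = SAMPLE_HEADERS.get(host)
        hdr_note = "n/a" if hdr is None else str(headers_look_proxied(hdr))
        if verdict == "proxied":
            detail = "A records are Cloudflare edge addresses; they do not identify the host"
        else:
            detail = f"origin candidates: {candidates}"
        print(f"{host:20} dns={verdict:8} headers_proxied={hdr_note:5} {detail}")
```

When the verdict is “proxied”, the IP you can see belongs to Cloudflare, so a complaint addressed to the owner of that IP reaches Cloudflare’s abuse process rather than the company that stores the files; finding that company requires other means. The “mixed” case is flagged separately because a zone that leaks a non-Cloudflare address alongside edge addresses often reveals the origin outright.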

The other hosting service DCA and RiskIQ looked at was HawkHost, whose customers included watchfreemoviesonline.top, which was found to have a 32% malware-exposure rate in the research conducted for the Digital Bait report. When DCA contacted HawkHost, the company’s response was very different from CloudFlare’s: the sites identified by DCA would be taken down because they “clearly violate our TOS/AUP,” according to CTO Cody Robertson. Additionally, executives at HawkHost have agreed to meet with DCA to discuss findings linking malware with content-theft sites and to look for ways to better protect consumers. DCA commends HawkHost, calling the company’s response “an encouraging sign.”

DCA and RiskIQ will continue to study the link between content-theft sites and malware, as well as the legal hosting services operating in the United States that may be supporting malware-infested sites. These findings will be presented to State Attorneys General, who have the authority to investigate the extent to which a particular hosting service may be willfully turning a blind eye to illegal enterprise that is directly harming American consumers. So, as mentioned, beyond any implications regarding the Google investigation itself, last week’s affirmation of AG Hood’s authority in that case is likely a good sign for protecting consumers in general from the chronic I-didn’t-know defense too often employed by various OSPs.