Piracy is increasingly hazardous, says Digital Citizens.

I imagine most people, whether they’re users of pirate sites or not, haven’t paid much attention to the growing number of safety warnings associating content theft with identity theft and related crimes against consumers.  For one thing, the whole idea of media piracy itself has, for too long, enjoyed undeserved credibility as a so-called victimless crime performing a social good broadly described as “sharing.” Or it’s been framed in economic terms by various pundits as a natural market reaction to outdated distribution and pricing models. And more than a few notable Internet activist organizations have either explicitly or implicitly evangelized the notion that piracy is fundamentally free speech, which enables said activists to label various efforts to mitigate piracy as “chilling speech.”

But over the last year or so, several studies have been conducted—I believe I have cited most of them—which demonstrate that piracy is one thing for sure:   dangerous.   Anyone with a computer, a bank account, a business, children, etc. should probably set aside both their preconceived attitudes and their ambivalence on the subject of piracy and read this new report commissioned by Digital Citizens Alliance (DCA) and conducted by RiskIQ.  Here’s just one hypothetical scenario that can happen to anybody:

You don’t visit pirate sites yourself, but your kid might without your knowledge, or even without necessarily knowing what he’s doing. Maybe he was just looking for mods for Minecraft or innocently trying to watch some anime cartoon, and you’ve never worried much whether he’s visiting legal or illegal sites.  But simply by stumbling onto a pirate site, this new DCA report indicates that your kid is at least 28 times more likely to infect the family computer with malware that can be used to drain your bank account, slave your computer for ad fraud (as described in my recent post citing the IAB report), or seize control of your computer to hold for ransom with a 72 hour window to pay several thousand dollars or kiss your data goodbye.

The DCA/RiskIQ report is aptly named Digital Bait in that it studies a growing sophistication among cybercriminals in the use of content theft sites—and presumably even misleading “free content” links—to hook users by downloading truly insidious malware to their devices. Businesses and entrepreneurs are particularly vulnerable to Denial of Service attacks in which the hacker takes down a website and demands a considerable ransom in order to restore the site to public visibility (y’know, in the name of free speech and all).

RiskIQ estimates, just from the sites within the scope of this study, that 12 million U.S. users per month are being exposed to malware attacks, and DCA says this is merely the tip of the iceberg.  According to the U.S. Department of Justice 16.2 million consumers have been victims of identity theft representing financial losses totaling more than $24.7 billion. And the problem is currently growing in both scope and sophistication in the cybercriminals’ ability to use malware to scam their victims.

For instance, one of the more disturbing developments in malware is that a user no longer has to click on an infected link to contract the virus. Called “drive-by-downloads,” the Digital Bait report estimates that 45% of the malware in the scope of its study can be delivered invisibly without requiring the user to click on anything.  The report also indicates that more than half of the malware being delivered are Trojans, and many of these are Remote Access Trojans (RATs), which I discussed in this post after DCA published a report on this relatively unsophisticated form of hacking. Individuals can buy any of several RAT software kits for a few hundred dollars and start controlling a victim’s computer with an easy-to-use graphic interface that requires little-to-no coding skill.  RATs can be used to harvest financial information or to spy on victims, including turning on webcams and microphones. Personal data can then be used for ransom; or IP addresses,  particularly of young girls, may be sold in a black market exchange.

Not surprisingly, the report identifies that all of this growing malware activity is supported by a mature, underground “crimeware economy” operating on the Dark Web.  To quote the report:

“The DarkNet allows individual hacking groups to specialize in specific categories and to earn money for delivery of goods and services to other criminals. For example, one organization may specialize in developing the malware that is installed on consumer devices and sell it on the web. Another organization will be responsible for distributing and installing the malware on consumer PCs or mobile devices. A third group that runs a forum might also purchase stolen consumer credentials and resell them in the DarkNet.”

For years, copyright owners have focused on advertising, which remains the primary revenue source for many of the most popular sites dedicated to providing unlicensed “free” content. But as the advertising community continues to collaborate on fixing the flaws in the digital advertising ecosystem, which cause financial loss and harm to brand value, this will likely motivate cybercriminals to more aggressively dangle the lure of “free” content to draw consumers into malware traps.

On the other hand, a likely silver lining in this growing relationship between mass copyright infringement and serious harm to consumers is that copyright holders and Internet companies should find common cause in seeking both voluntary and law-enforcement remedies to the problem. After all, the spread of malware harms the entire Internet economy, and it is as much in Google’s interests as it is in the creative industries’ interests to seek solutions.


We Have a RAT Problem Says DCA

“We the consumers are outgunned and outmanned. We don’t have the tools needed to protect ourselves.  While you are still better off having a 2013 anti-virus program, it won’t protect you against zero-day malware anymore than the polio vaccine will protect you from Ebola.”

That quote is from the introduction of a new report published last week by the Digital Citizens Alliance entitled Selling “Slaving.”  It focuses on an especially pernicious form of malware called RATs (Remote Access Trojans); the users of these applications; their victims; and the enablers — both corporate and criminal — that help spread and even monetize this growing trend in what sounds a bit like hobbyist hacking.  I have never explicitly recommended reading a whole report of this nature before — often the bulk of a study contains a lot of data supporting the main findings — but I do recommend reading all of this one.  Not only does it discuss a cybersecurity threat of concern to any computer or device user anywhere, but the report reads much more like a very long article that provides insight into the nature, motives, methods, and victims of this class of hackers called ratters.  Their brands of mischief include a wide range — from pranking people for sophomoric amusement; to identity and data theft; to slaving built-in webcams on the computers of women and girls to record Peeping Tom photos and videos that may or may not be used for the purposes of extortion and/or sold through black-market channels trading in child pornography.

The DCA report indicates that ratting is on the rise — and going mobile — but readers should take particular note of the lack of sophistication required relative to the amount of harm that can be caused to victims who fall prey to RATs.  In fact, many ratters can hardly be called hackers at all because they don’t hack into computers by means of any remarkable coding skills. Instead, the unsuspecting victim inadvertently downloads malware to her operating system, and a ratter is then able to control that computer (slave it) using one of a handful of cheap, easy-to-acquire, easy-to-operate software applications. An attack can be targeted (i.e. aimed at a specific victim like someone the ratter knows and has a motive to assault), but it seems that most victims are random people downloading files they assume are innocuous but that contain RAT malware.

Probably the most archetypal story of a malicious and targeted RAT assault — one the DCA report cites in some detail — is that of Cassidy Wolf, the California teenager, who was voted Miss Teen USA in 2013.  In the months leading up to her pageant victory, Wolf was the victim of a ratter, who turned out to be a teenage boy at her high school named Jared Abrahams.  Abrahams had taken control of Wolf’s computer as well as her entire social media presence, and she was completely unaware that he had been slaving her webcam to capture naked images of her until the day she received an anonymous email threatening to leak these images and other personal information on the Web, saying that he would ruin her career plans by turning her into an “internet porn star.”  His demand in trade for his silence was that she provide him with a “sexually explicit” video; and Wolf has been rightly praised for her courage in standing up to her assailant, even after he made good on his threat to release compromising images. She contacted the FBI, went public with her story, and used her pageant celebrity status to raise awareness of the problem. Her decision helped lead to the identification and conviction of Abrahams, and by the time authorities caught up with him, they discovered he had been “slaving” the devices of approximately 150 young women and female minors around the world.  He served 18 months and is currently under house arrest.

Abrahams was a relatively sophisticated hacker — and he clearly chose to target Cassidy Wolf — but many ratters are more casual, random, and technologically inept than Abrahams, so they turn to the same resource many of us use for How-To advice — YouTube.  The fledgling ratter (sometimes called a script kiddie) need not find some remote corner of the dark web in order to learn how to spread and use RAT malware because there are dozens — if not hundreds — of tutorial videos on YouTube right now that provide complete, step-by-step guides to ratting along with helpful comments and links by fellow ratters.  (See, the Web really is about community!) In addition to these tutorials, we find ratter “fan vids,” which are not so much tutorial in nature as  vicarious viewing, so you can watch a ratter harass or spy on a victim while narrating his  observations like “Dude, watch this!” and “Oh, fuck, did you see that?  This shit is sick.”

Image (RATs on YT): Just one of many ratter videos on YouTube. All the visible titles suggest tutorials in how to be a ratter.

Collectively, both the tutorial and the ratter “fan videos” have tens of thousands of views, and the DCA report indicates that about 38 percent of these videos are ad-supported, which means that both Google and the ratter are earning some revenue from the ad buys of major brand advertisers.  This means Google has a problem that reads something like this:  “This illegal invasion of an underage girl’s bedroom brought to you by Procter & Gamble.”  And as much as I criticize Google for profiting from the exploitative aspects of digital life, I would not be surprised if the company seeks to mitigate its role as an enabler of ratting just as it has with a zero-tolerance approach to keeping child pornography out of the Google-verse.  The DCA recommends Google assign a “human team” to address the role that both search and the YouTube platform are playing in this regard, but it cannot be overlooked that the Internet industry’s larger policy agenda, advocating a “hands off” approach to all things Web, provides cover for bad actors in a variety of ways.

And that brings us to one of the primary channels through which RATs are spread (and you’ll be terribly surprised), which is illegal file-sharing sites.  Because Trojan Horse malware is delivered by sneaking the virus into an OS while the user downloads a file he/she assumes is safe, it stands to reason that the black-market world of illegal media and software provides an ideal hunting ground for ratters to set their traps.  In fact, some of those tutorials on YouTube demonstrate how a ratter can download a file from, say, kickasstorrents, modify the file with his RAT, then re-upload the newly infected file awaiting random downloaders because, y’know, “sharing.”

By these methods, ratters trap random prey to be fed upon at leisure and prioritized according to the intent of the ratter.  This may include mining victims for credit card or other sensitive information;  or the ratter may slave the computer to mine bitcoins or to spread RAT infiltration to a larger system, like the victim’s place of business.  But in many cases, it seems, the goal of many a low-skilled ratter (i.e. teenage boys and young men) is to gain access to the computers of women and girls who have webcams.  Thus, as ratters manage to trap these prized victims (often with the enthusiasm of trophy hunters), they sell the IP addresses to other ratters — like commodities in their own little RAT exchange — where access to a boy’s computer sells for about $1 while access to a girl’s computer sells for about $5, according to the DCA.

Now, I have at least implied in the past that piracy sites should be boycotted by anyone who considers herself — or himself — a defender of feminist principles.  In addition to the fact that the site owners directly profit from advertising links to “services” that are tied to varying degrees of exploitation of women (e.g. MEET ASIAN GIRLS NOW!!), this DCA study of RATs demonstrates that these sites also unintentionally provide fertile ground for spreading malware that is consistently used to exploit girls, which is apparently valued at a 5:1 ratio over the exploitation of boys. I’m not sure what else needs to be said about that.

Finally, the DCA report does contain some indication as to how Internet companies, users, and law enforcement might actually work to address the challenge of this growing risk of personal invasion.  But in order to get there, the public will first have to accept that Internet companies and law enforcement have a role to play, that our RAT infestation is just more evidence that a free-for-all policy on the Web is a fundamental failure.

Guess who the real victims of piracy are…

People like to tell themselves and others that piracy of entertainment media is a victimless crime, by which they typically mean that their one little download of a major motion picture doesn’t hurt anyone when the studio that produced said picture is making millions.  I’ve assailed this fallacy in more than a few posts, but a report released today by London-based NetNames, in collaboration with the Digital Citizens Alliance, makes quite clear that if you’re a user of a pirate site, the most vulnerable victim in the transaction may well be you.

This time last year, Dr. David Price authored a report for NetNames called “Sizing the Piracy Universe,” which, as the title implies, took a very broad look at the global piracy ecosystem. This new report “Behind the Cyberlocker Door” specifically examines the mechanics and finances of the top 30 cyberlocker sites, which are designed specifically to facilitate mass theft of copyrighted material. Fifteen of the sites were direct download sites, and fifteen were streaming sites, and all were found to be profitable enterprises deriving revenues from a combination of advertising and the sale of premium accounts, primarily processed through Visa and MasterCard.

For readers who don’t know about cyberlockers, think of the system as a vastly more robust version of a legal cloud storage service like Dropbox designed to share a limited volume of files with family, friends, and business colleagues.  These cyberlockers facilitate uploading and downloading of unlimited files worldwide among complete strangers, and  the report states unsurprisingly that the majority of the content (roughly 80% not including pornography) found on these sites is comprised of illegally distributed copyrighted works — movies, music, books, and video games.  The 30 sites studied earn collective annual profit of about $69 million.

These may not be compelling statistics to the staunch piracy advocate or even the casual piracy dabbler, who wants to convince himself that these enterprises are just a reaction to outdated scarcity caused by unreasonable copyright regimes and greedy producers. But just because Kim Dotcom, the founders of The Pirate Bay, and even Internet industry advocates like to make grandiose, ideological claims about piracy, people should not be fooled for a second that the owners of these sites are quite so high-minded as all that. In fact, parents of kids with unfettered access to computers ought to pay particular attention because these sites can be plain dangerous. Dr. Price’s report indicates that more than half of all cyberlocker sites are responsible for malware infections on computers. This is particularly worrisome as more and more consumers gravitate toward mobile devices, and the threat of identity theft through malware will likely become more acute. Mobile devices are typically less secure than home computers, and people are storing an increasing amount of personal and financial data on mobile devices through apps designed to make transactions and communications more convenient.

A typical way in which malware is introduced by a content-theft cyberlocker, one offering downloads of movies for instance, is to sell users premium accounts and/or third-party software to expedite downloads and playback of motion pictures.  Not only do these sites charge for the service — and we’ll come back to that — but the process stepping users through sign-up and/or downloading player software is designed to mask the introduction of malware to a computer that can then be used for identity theft.  The money made by advertising and selling premium accounts to infringing material is good money for these sites, but that business model is really just bait to attract users to these sites in order to exploit their data in some more substantial fashion.  So, I know it’s terrible that content producers would ever presume to charge dirty dirty money for legal access to their works, but $3.99 to rent a movie seems like a way better deal than letting some hacker in Ukraine roam around in my personal data.

One might rationally ask why someone would pay $10/month for a premium account on one of these cyberlockers but refuse to pay $8 for an account with a legal distributor like Netflix. The answer will invariably come back that a Netflix or a Hulu, for instance, doesn’t have every film or TV show ever made whereas these sites that don’t enter into legal agreements with producers do have just about every title you can name. I suppose for some, that rationale is enough justification for doing harm to producers as well as risking their own data security, but the premium account phenomenon does give the lie to all that nonsense calling copyright a form of “artificial scarcity.” I mean, what are the pirates doing offering slow downloads for free and fast downloads for a price other than “creating artificial scarcity” in their own black-market paradigm?

Quite simply, piracy is a business that exploits the labor of one segment of society in order to fleece another segment of society who think they’re getting away with something.  And if that other segment is you and your data gets hacked, maybe all this pseudo-progressive talk about piracy as a social good will start to sound more like the hogwash it is.