The Dangerous Combination of Content Theft and Malware
Malware, short for malicious software, has been used to infiltrate and contaminate computers since the early 1980s. But what began as relatively benign software designed to prank and annoy users has developed into a variety of hostile programs intended to hijack, steal, extort, and attack. Disguised software including computer viruses, worms, trojan horses, ransomware, spyware, adware, and other malicious programs have flooded the Internet, allowing online criminals to profit from illicit activity while inflicting enormous costs on businesses, governments and individual consumers.
Purveyors of malware target unsavory websites to embed and distribute their programs, often making deals with those in the business of disseminating stolen content. Content theft websites that appear online through legitimate hosting and content delivery systems are frequently riddled with devious malware that infect the computers of users looking to download or stream pirated music, movie and television shows.
Last week, the Digital Citizens Alliance (DCA) published a report detailing how US tech companies are allowing cyber criminals to use their services to perform a myriad of illegal exploits. Enabling Malware focuses on how stolen content is being used as bait to infect users’ computers and how domestic hosting and content delivery companies are permitting online criminals to profit from the spread of dangerous malware.
Employing the expertise of Internet security firm RiskIQ, the report found that 1 in 3 content theft websites expose users to infectious malware and that visitors are 28 times more likely to encounter malware on content theft sites than mainstream, legitimate websites. And although these nefarious websites are usually created and maintained by overseas operators, they rely on North America hosting companies to function.
It’s a tricky partnership because while the hosting companies are not breaking the law by allowing disreputable websites to make us of their services, they are facilitating criminal networks whose activities could have catastrophic consequences. The report likens these service companies to landlords who turn a blind eye to the illegal activity of a renter. The issue is the same one being examined by the Copyright Office in its DMCA 512 study: When does a service provider have the requisite knowledge of illicit activity to trigger a duty to address the problem?
But while Section 512 of the DMCA hopes to combat copyright infringement online, the introduction of malware to content theft sites has consequences more far-reaching and dire than the dissemination of stolen works. Once malware infiltrates a system and hackers are able to take over, the results can be disastrous. The report details a wide range of criminal activity that can result from malware infection including the theft of bank credentials and credit card information that is then subsequently sold online, locking computers and demanding ransoms to return access, and hijacking webcams to film users without consent. The report warns:
[T]hese companies are now contributing to a growing issue for Americans: the threat of computer infections, the rise of identity theft and loss of financial information. The U.S. Department of Justice reports that 16.2 million U.S. consumers have been victimized by identity theft, with financial losses totaling over $24.7 billion.
According to the study, one of the most notorious companies enabling the websites that spread malware is CloudFlare. Marketing itself as a global content protection and security service provider, CloudFlare actually conceals a website’s true hosting information, inserting their network information instead. This allows for notorious content theft websites to mask information related to their actual hosting companies, making it more difficult to identify those complicit in their illegal activity.
Employing CloudFlare’s services are websites like Putlockerr.io, which offers a wide array of pirated movies for download. But when a user attempts to watch a movie via Putlocker, they download more than pirated content. After a user clicks to watch a movie, they are redirected to a new site that prompts them to download a new video player in order to view the content. This download is in fact a mechanism to deliver the malware that will wreak havoc on their system.
One of the worst distributors of malware identified by RiskIQ was watchfreemoviesonline.top. According to the study, the websites malware exposure rate was 32 percent and baited users into downloading the infectious software by offering popular movies like Captain America: Civil War in advance of its theatrical release. Watchfreemoviesonline.top uses Hawk Host, a company offering services similar to CloudFlare, to hide information about their actual hosting affiliations.
The Digital Citizens Alliance contacted both CloudFlare and Hawk Host to inform them of the findings of the RiskIQ report, and received differing responses. After being presented with clear evidence of the shady and illegal activities of watchfreemoviesonline.top, Hawk Host acknowledged that the site violated their terms of service and told the DCA that the site would come down. Hawk Host also agreed to meet with DCA researches to further discuss the RiskIQ report.
Unfortunately, the DCA’s interaction with CloudFlare was not as encouraging. In response to an email informing the company of the findings of the RiskIQ report, CloudFlare responded with a vague comment disclaiming any responsibility for the content of their client websites.
In the past few years, there’s been progress among service companies’ accountability efforts, with many refusing to deal with criminal websites. Payment providers like PayPal and Visa have stopped permitting illicit websites to use their services, and online advertisers have vowed to stop dealing with infamous content theft sites. But in order to eradicate content theft sites and the malware they propagate, the companies that help veil their identities and enable criminal activity must be help accountable.