It’s a particularly creepy arena in the cybercrime world: Those who surreptitiously take over people’s computers with the sole purpose of spying on and video-capturing unwitting victims. This group of voyeurism enthusiasts is a large one, and it turns out that their best platform for getting to know one another may be YouTube.
The tool of choice for carrying out such spywork is a class of malware known as remote access trojans (RATs), which can live on a computer without detection, allowing criminals to turn a connected camera on and off at will (among other things).
According to the Digital Citizens’ Alliance, this is the starting point for a particularly violating type of crime. Once a RAT is installed, it can be used to watch the victim—which is all some want to do. But still others engage in scare tactics, like speaking from the microphone or uploading startling images—perhaps images of the victims themselves being watched. Some upload video of their handiwork to YouTube and forums for others to see and admire; and some sell the feeds off to others (streams of unknowing high school girls fetch more on the black market than high school boys, apparently). In all, there are literally thousands upon thousands of victims, all being horribly, personally violated.
DCA said that YouTube is a key enabler of the ecosystem. “It’s easy to search YouTube to find thousands of videos, which offer: tutorials on how to use RATs and spread them to other devices; examples of successfully deployed RATs, with the faces and IP addresses of victims; and, links for ratters to download RATs they can use to slave devices,” it explained in a report it released at Black Hat 2015.
“Researchers scoured hundreds of tutorial videos on YouTube, finding many with ratters demonstrating how they invade bedrooms and/or frighten young children,” DCA noted. “Ratters use YouTube to post their successful conquests for others to view, much the way a hunter hangs the head of their prey atop the fireplace.”
Many of these videos include other on-screen captions or an additional audio track from the ratters themselves as they celebrate their conquests, openly laughing and mocking the families they’ve frightened with scary voices or unexpected visuals. For instance, one video shows a woman who left her computer on while feeding her baby. Attackers then flashed bizarre and disturbing images on her computer, “freaking her out.” The YouTube clip directs viewers to the time code where the “scare” of the RAT victim begins.
Another YouTube video, entitled “Sexy Girl ( victim ) Hacked BY Marco-Hacker” shows a victim working on a class paper in what looks like a bedroom, with no idea she is being watched. The ratter is using Bifrost, a well-known RAT, to access her computer.
DCA researchers also found dozens of YouTube videos demonstrating ratters at work. Many of the videos included a ratter’s control center with the IP addresses of slaved devices. In almost eight months of searches on YouTube, DCA found thousands of RAT tutorials. The tutorials included many that showed how to use and spread RATs; links where ratters could download the malware; and examples of RATs successfully deployed showing victims’ faces and IP addresses. It also found IP addresses potentially connected to devices in 33 states and dozens of other countries.
“YouTube videos provide the IP addresses of any number of devices around the world,” it explained. “Hackers can scroll through these lists almost like a menu of vulnerable people. This sharing between hackers is like thieves passing around a road map to houses that leave their back doors open.”
And worse, YouTube and its parent Google are actually profiting off the creeptastic nature of the crime. Many of the videos come with advertising running alongside them. Roughly 38% of the tutorials for the best-known RATs had advertisements accompanying them.
“The advertising we found included well-known car companies, cosmetics, and even tickets to New York Yankees’ baseball games,” DCA said. “YouTube’s parent company, Google, is positioned to get revenue from the sharing of these malicious tutorials that target innocents. [And], by allowing advertising to remain next to these tutorials, YouTube also provides another stream of revenue for ratters. Using the partner program, ratters are poised to get a cut of advertising revenue from Google.”
The other issue, of course, is that people do watch these. At the time of the report, the breastfeeding video alone already had 44,426 views.
“We can’t ignore the principal enablers of the hackers—a cabal bound together by the desire to draw in viewers with itchy clicking-fingers,” DCA said. “To them, tutorials and lessons in malware-making is just another form of click-bait—no different than hit singles or cat videos.”