Appendix A

SELLING “SLAVING” OUTING THE PRINCIPAL ENABLERS THAT PROFIT FROM PUSHING AND PUT YOUR PRIVACY AT RISK

JULY 2015 TABLE CONTENTS OF PROTECTING FROM REMOVING AND RAT RATSTHE FUTURE OF ARAT—THEUNLEASHING ART SPREADING OF YOUTUBE ARAT HAS PROBLEM STORIES CRUELTY—“RATS” OF THEATTACK ON CHEAP, EASY-TO-USE MALWARE THAT PAYS FOR ITSELF SELLING “SLAVING” WHAT CANRATTERS DO? EXECUTIVE SUMMARY REPORT THIS ABOUT TABLE IMAGES OF TABLE CONTENTS OF APPENDICES SUMMARY AND RECOMMENDATIONS REFERENCESMORE RAT ON REMOVAL ENDNOTES ACKNOWLEDGMENTS Dirty Rats: How Rats: Into Are Your Peeking Dirty Bedroom Appendix A Appendix ...... One Simple Question: Who Approved Who This?...... 35 Simple Question: One Appendix B Appendix ...... Appendix C Appendix ...... 13 ...... 34 ...... 33 ȃ ...... 31 ...... 22 ...... 10 ...... 37 ...... 38 ...... 39 ...... 8 ...... 3 ...... 41 ...... 37-39 ...... II ...... 7 ...... 1 ...... I ...... 29 ...... 40 ...... 3 ...... 6

SELLING “SLAVING” // I TABLE OFIMAGES promotional videos, please go to Appendix A RAT for with onpages Citizens researchers Digital found For advertisements anindex advertisers of the XLVIIXSǻZI]IEVWERHKIXXMRKMRWSQIGEWIWXIRWSJXLSYWERH are asquickly. just posted upto we’ve exposed from Also, of anywhere faces victims with videos seen to achild video safety the organization. Unfortunately,ed we’ve istaken down, one that when more seen uponYouTube.longer down wastaken Citizens One around afew report- March Digital after 2015, weeks weAt time here four the listed are completed screenshots of publication, from this the that are videos no IMAGE 36 IMAGE 35 IMAGE 34 IMAGE 33 IMAGE 32 IMAGE 31 IMAGE 30 IMAGE 29 IMAGE 28 IMAGE 27 IMAGE 26 IMAGE 25 IMAGE 24 IMAGE 23 IMAGE 22 21 IMAGE IMAGE 20 IMAGE 19 IMAGE 18 IMAGE 17 IMAGE 16 IMAGE 15 IMAGE 14 IMAGE 13 IMAGE 12 IMAGE 11 IMAGE 10 IMAGE 09 IMAGE 08 IMAGE 07 IMAGE 06 IMAGE 05 IMAGE 04 IMAGE 03 IMAGE 02 IMAGE 01 (EWWMH]ERH2EV];SPJ -EGO+SVYQW 4ǺIVMRKEGGIWWXSXLIHIZMGIWSJKMVPWJSVERH FREE DOWNLOAD!.mp4 Cracked YouTube: on 4.2 Video ...... NET Blackshades YouTube: on BYVideo Marco- )Hacked (victim Girl Sexy ...... YouTube: on Video njRAT V0.6.4 ...... 2ET .5WMRXLIWIGMXMIWJSYRHSRZMHISWFSXL[MXLERH[MXLSYX =SY8YFI5EVXRIV5VSKVEQ YouTube: on Video RAT Adwind V-3.0 Dev-Point ...... YouTube: on Video Tutorial HF One ...... :MHISSR=SY8YFI 8YXSVMIPTVIEH8SVVIRX YouTube: on Video [TUT] RAT Spread torrents on [TUT] ...... YouTube: on Video [TUT] RAT Spread torrents on [TUT] ...... YouTube: on YouTubeVideo [TUT] RAT Spread torrents on TUT] ...... -EGO+SVYQW +VSQXLILEGOIVWƶGLEXVSSQLEGOJSVYQWRIX -EGO+SVYQW +VSQXLILEGOIVWƶGLEXVSSQLEGOJSVYQWRIX -EGO+SVYQW +VSQXLILEGOIVWƶGLEXVSSQLEGOJSVYQWRIX -EGO+SVYQW +VSQXLILEGOIVWƶGLEXVSSQLEGOJSVYQWRIX ,SSKPIWIEVGLVIWYPXWJSVWTVIEHMRKVEXWJVSQ TIEV5LMWLMRK*\EQTPI+EOI&QIVMGER&MVPMRIWIQEMP :MHISSR=SY8YFI )EVO(SQIX ɐɺɴɯɼɡɷɮɭɷɺɶɡɰɿɽʃɴɾɡɸɴ$ɒɡɸɽɱ njRAT YouTube: on Video ...... ProSpy RAT basicas -Funciones ...... :MHISSR=SY8YFI LGOV&GXMSR'PEGOLEHIW :MHISSR=SY8YFI JY[MXLWPEZISRHEVOGSQIX YouTube: on Video ShadowTech RAT action in ...... :MHISSR=SY8YFI 5VIHEXSV0I]PSKKIV2IXLSH']LSEMFC(VYRGLM :MHISSR=SY8YFI Ɋɱɽɱɷɴɸɽʋɮ)EVO(SQIXɒɺɻɷɴɲɿɵɴɭɺɸɭʍɲ YouTube: on Video ...... -EGO+SVYQW IEVGLJSV=SY8YFI YouTube: on Video NjRaT Victims - ie nYuue XrmRTv. HD...... YouTube: on BYVideo Marco-Hacker )Hacked (victim Girl Sexy ...... XtremeRAT v2.9 2ET .5WMRXLIWIGMXMIWJSYRHSRZMHISW[MXLEHW YouTube: on Video (Full Voice Tutorial) HD narration R.A.T Comet Dark How tosetup ...... thread advice Ratter Forums: ...... Hack -EGO+SVYQW =SY8YFIXMTWJVSQSRIVEXXIVXSERSXLIV :MHISSR=SY8YFI )EVO(SQIX5VEROMRK*TMWSHI YouTube: on Video ...... 20 ...... 23 ...... 22 WSJZMI[W ...... 26 ...... 24 EHW JSVKY]W ...... 38 ...... 20 ...... 3 ɭʋɹɡɶɡɳɡɷ ...... 28 ...... ɶɡɴɳɳɡɮʇɷɱɾɡ)SXʇ ...... 9 ...... 36 ...... 20 ...... 30 ...... 27 ...... 27 ...... 7 ...... 26 ...... 28 ......                  .8

SELLING “SLAVING” // II ABOUT THIS REPORT tect you from Ebola. malware pro- will vaccine anymore polio the than itwon’t program, rus protect you from zero-day ;LMPI]SYEVIWXMPPFIXXIVSǺLEZMRKEERXMZM to protectdon’t have needed ourselves. tools the consumers are We outgunned and outmanned. b a develop of malware anew generation to have talents butsome their things, used good to share andimagesfreely. thoughts that allow us through applications and technology innovatorsthe have who developed break- the SJ FIGEYWI SǺ FIXXIV EPP EVI GSQQIVGIƴ[I ERH InternetThe hasrevolutionized creative thinking ing to breach or bypass Internet security try- (someone hats black that keep the upwith to developare applications struggling security toresources develop they need skills. their RMIWEW[IPPEWQSVIRIJEVMSYWRIX[SVOWXSǻRHXLI compa- trusted hackers relythese onestablished, ture builtto cater to hackers. We aspiring saw that tools. We foundwent for looking how they are and ideas sharing an increasinglydisrupting the lives of families across We America. sturdy agrowing ofposal, subset hackers—or ratters—is infrastruc- weapon dis- at this With their youngand adults. es, isagrowth industry. nately malware, making itcaus- disruption the and 9VFER)MGXMSREV]HIǻRIWWGVMTXOMHHMIWEWƸSRI[LSVIPMIWSRT  2MGVSWSJXHIǻRIWƸ2EP[EVIƹEWƸLSVXJSVQEPMGMSYWWSJX[EVI8  The vast majority of digital creators of digital majority vast The want to do Script Kiddie, Kiddie, Script FPEGOLEX FYXQSWXVIJYWIXSIZIRHMKRMJ]XLIQ[MXLXLMWXIVQ a blackhat, to be aspires route this follows who anyone “obviously and work” they how tolearn tobother refuses and hacking, Glossary, Gallery, Protection Malware ofmalware.” Microsoft, types all are trojans and worms Viruses, spam. tosend PC your use or aransom, pay you until PC your lock details, banking your steal can malware Some information. personal your stealing as such PC, our on The white hats (a.k.a ethical computer hackers) ethical (a.k.a whiteThe hats That malware into of hands teens the isgetting available at available LXXT [[[YVFERHMGXMSREV]GSQHIǻRITLT$XIVQ"WGVMTXOMHHMI available at available http://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx a . Unfortu- 1 ). We the the We ). - KIRIVEPP]MQTPMIWLEZMRKWOMPPWSJ]SYVS[Rƹ9VFER)MGXMSREV] LIKIRIVEPREQIJSVTVSKVEQWXLEXTIVJSVQYR[ERXIHEGXMSRW VIQEHII\TPSMXTVSKVEQWERHǻPIW WGVMTXWXSGSRHYGXLMW and script kiddies hats toresistance, black to stop anything the doing much more shockingTrojans (RAT) Itmakes to itthat prey oninnocents. whenby hackers, or“ratters” Remote use who Access we see fooled and scammed, tricked, apathy, been who’ve people even to greatgirls, danger. and consumers, particularly young women and enablers spread exposing help businesses tools ignore simply or hackers assist actively they the Whether eos. productsGPMGOFEMXƴRSHMǺIVIRXXLERLMXWMRKPIWSVGEXZMH pushedlessons on in malware-making platforms, ERH XYXSVMEPW XLIQ 8S is GPMGOMRKǻRKIVW just MXGL] another[MXL form of thesebound together hackers—a of enablers the principal the cabal MKRSVI by GERƶX ;I the ǼSSHKEXIW XLI SZIV desire VYWLMRK MWXW to draw ina product of dangerous terror- hackers cyber and viewers semi passed through.semi passed were unfortunate just asa to “data-bahn” cross the that kill” like “techno-road almost sound people of enablers ratters make principal tainable. The real making the Internetcensorship” to shutdown any conversation about safer, smarter,consumer advocates withscreams of “Internet and against back push They thrive. more to actors bad lowing sus- forened—simply al- by accountability demanding could threat- be of opportunity new land as the Internet’sfears believe the who of potential those from sharingXIGLRSPSK]GSQQYRMX]8LMWJEGXMSR[LMGLTVSǻXW how toJVSQEZSGEPERH[IPPǻRERGIHJEGXMSR[MXLMRXLI spread malware, decency.and hackers aboost get The ratters and stokes the In ourresearch, we’ve of faces young the seen We isnot just realize moment must perilous this b leading this attack on privacy onprivacy leading attack this  -

SELLING “SLAVING” // 1 have asked onequestion—how dothesemali- Ivy”,like “DarkComet”, “Cerberus”, “Poison and we toldstudent who uswe should investigate RATs we companies know crippling trust. and and infectingratters ourdevices, terrorizing ourcitizens, hope this report will bring increased scrutiny to the possible. Itisour attacks these making enablers pal princi- malware, the and attack, under victims the deploying attackers research people—the isabout this are story; of materials the onlymalicious part The slave devices of the young girls. women and not even apenny—from malware sharing to used scribe the taking control of another user’s device. around world. to term the Slaving used isthe de- ers “slaving” devices of consumers and families freedom,” to adoor even hack- opening ifitmeans Since Black Hat 2014, where we acollege met Hat 2014, Black Since We feel no business should be making money— To them, there is nothing that trumps “Internet anyplace onHackForumsanyplace could putyou, your device, crosshairs your and of inthe data aratter. onmany YouTube of seen these onlinks quate Clicking protection expertise. and to and pages research. We its during strongly to urge research replicate that this you ade- donot try without safeguards and up-to-date with tools Citizens workstations researchers specialized Digital used A WARNING TO CONSUMERS to hunted. the Trojans, hunters the connecting enablers the and ing” HIXEMPWSRIEGLWTIGMǻGOMRHSJ7&8 of Remote Trojans Access history on the more and ratters’real inthe caught people traps. of images and stories with experts security cyber MWSYVLSTIXSGSQTPIQIRXXLIǻRHMRKWSJXLIWI malware learn and from valuable It insight. their were fortunate to researchers with speak studying We illuminating. and devastating isboth nizations leave their traps. PERHWGETIERHǻRHXLIVMKLXTPEXJSVQWSR[LMGLXS how to maneuver digital throughunderstand the er, the pushers of these dangerous applications malware of the skill the is more just than design- GMSYWǻPIWKIXXSWSQER]ZMGXMQW$;IWIIXLEXMX Digital Citizens is preparing a separate report Citizens report aseparate ispreparing Digital researchThe orga- from coming security cyber looks at the victims, the ratters who push these pushthese ratters who the victims, at looks the Selling “Slav-

SELLING “SLAVING” // 2 EXECUTIVE SUMMARY the entire year.” my for mind never Citizens. “It passed told Digital not one clue of having watching someone me,” she itwasaharrowing had prison, “I federal experience. to hacker, the to wasarrested sentenced who and bedroom. Even though Ms. Wolf bravely stood up took and privatewebcam pictures inher of her ahacker after took controltion computer’s of her dy Wolf, of attempted victim extor- wasthe who to spy onyou inyour own it’s And home. easy. your computer, atool become hacked, when can isawindower into your on private life. camera The world. what you But may not realize comput- isthat maybe and to even bed you when wake up. your before orcheck email you onSkype go friend XLIVI]SYQE][EXGLEQSZMISR3IXǼM\XEPO[MXLE table a on in sits your laptop your people, bedroom, most like you’re If or even onPEEKING your INTO YOUR BEDROOM bed. And from RATS:DIRTY HOW HACKERS ARE Take the case of 2013 Miss Teen USA Cassi- That computer is a window into your digital to ourchildren’s bedrooms. JSVQEXMSRSRPMRI.RIǺIGXXLI]EVIWIPPMRKEGGIWW that in- boys—and and of selling young girls then “slaving,” called computers, the over take to looking Internet butthey are users, activelyunsuspecting not merely that hackers malware are peddling on websites.miliar old they are and ishigh more onunfa- aptto click riskthresh- their areusers because target aneasy toers malware Young threats. other and Internet has found sites that many expose us- content theft Forprogram. example, Citizens Alliance Digital the ad onawebsite, orby downloading acomputer ing to website, anunfamiliar out anonline checking Trojan,cess orRAT. to aRemoteeasiest deploy Ac- iscalled use and the Internet today is some kind of Trojan tocess acomputer. and theon acomputer—a to gainac- used orprogram virus malware with Itstarts ishow itis. easy aspect bling And that is where it gets even more troubling. It’s It’s troubling. more even gets it where is that And How doyou malware? get by times click- Often Approximately 70 percent malware of the all on happen? trou- most suchathing The How can had 1,361 views. 1,361 had video this screenshot, • At the time of this ad. Chevrolet moment was a aprivate capturing video to the next bedroom. Running man together in a ayoung and woman showed a young • This YouTube video IMAGE 01

SELLING “SLAVING” // 3 some troubling trends: best practices. JSVQSVIXLERFS]W devices sold Girls’ consumers. on attacks cious IWERHXLIVIF]QEOMRKQSRI]JVSQXLIMVQEPM Forums, > to forward. ashamed come and Trojan are scared victims often because attack, been “slaved”to know how many people’s computers have as aXLI]GSQTP][MXLEVEXXIVƶWHIQERHW.XMWHMǽGYPX result ofrelease the pictures to wider audiences unless a Remotethey are unaware threaten hack,then of the to Access takein girls’ when pictures bedrooms, girls of the ratters frequently The es. take control of devices owners devic- of the the to use “sextort” then can TVMZEXIMRJSVQEXMSRSǺXLSWIHIZMGIW[LMGLXLI] dreds of devices. From there, they gather can problem. MR > previous research that XLIWIVIWYPXW[IGSRǻVQIHǻRHMRKWJVSQSXLIVWƶ interestedone malware. the inobtaining From GPIEV[IF[IJSYRHTISTPISǺIVMRK7&8WXSER] > investigation Citizens found Alliance A Digital > sites (i.e., The Pirate The sites Bay, (i.e., Torrents, Kickass and VEXXIVWWE]MRKXLEX=SY8YFIERHƸGSRXIRXXLIJXƹ and technically simple to use tool

PWSSR-EGO+SVYQWVEXXIVWWLEVIHXMTWEFSYX &P -EGO TEKI GLEX LEGOIV TSTYPEV XLI 9WMRK XLI WGSYV XS IRKMRIW WIEVGL TSTYPEV 9WMRK YWIH 7&8W XLEX GSRǻVQW IRJSVGIQIRX 1E[ : EXXEGOWEKEMRWXGSRWYQIVWEVIEKVS[MRK [IJSYRHVEXXIVWWIPPMRKWPEZIHHIZMG It takes ratters little time to time slave little Ittakes ratters hun- We captured multiple with chats . RATs are an inexpensive . - - - > music) to were “spread” places RATs. best the sites movies thatother and provide unlicensed > rials like malicious links and PDFs. and links like malicious rials to build mate-like deceptive Pirate Bay t411 and sites known use content howing can ratters theft RATs. We found YouTube demonstrat- tutorials for looking onhow tips kiddies toscript spread ratters recommending content sites theft to > Tube, we of RAT found thousands tutorials. EPSRKWMHIXLIZMHISW VYRRMRK EHZIVXMWIQIRXW 7&8W LEH FIWXORS[R dozens of other countries. tentially to connected devices in33states and enue from . to rev- acut are get ratters of advertising poised program, of revenue partner the Using for ratters. YouTubetutorials, provides stream also another By allowing advertising innocents. that target tutorials malicious these to remain nextpositioned to these YouTube’sgames. parent company, Google, is to get evenand to New tickets York revenue Yankees’ baseball included well-known cosmetics, companies, car from the sharing of to catch animals. to catch animals. VMEPWEVIPIJXSRGSRXIRXXLIJXWMXIWPMOIXVETWPIJX and IPaddresses JEGIW ZMGXMQWƶ WLS[MRK HITPS]IH WYGGIWWJYPP] ERHI\EQTPIWSJ7&8W HS[RPSEHXLIQEP[EVI spread RATs; and use could where ratters links tutorials included many that showed how to

SKPTVIX J LXXVEW SXLI JSV XYXSVMEPW XLI SJ TIVGIRX  7SYKLP] .REPQSWXIMKLXQSRXLWSJWIEVGLIWSR=SY &PWSSR-EGO+SVYQW[IJSYRHI\TIVMIRGIH . We found IPaddresses po- The advertising we found advertising The These mate- The The -

SELLING “SLAVING” // 4 gation, Citizens Digital recommends: threats. the about parents tell their young may who people to orafraid feel ashamed itpreys And vulnerable— most in ourhomes. onthe that we should have of security sense ter the when change the way it approaches this issue. When When way issue. the this itapproaches change invading victims. privacyof their the terrents is seeing hackers punished for illegally of computer-related de- best of the One crimes. sources to increase regulation andawareness > are compromised. computers prehensive about letting their parents know their Citizens investigation found thatare teens ap- makes Digital themuncomfortable ornervous. know to comechildren computer about let safety and them to them> if anysketchy programs. online behavior websiteson unfamiliar adsordownloading and clicking to when exposed be threat can they tial young to and poten- people parents the alert > it? about done From be what can So ourinvesti- This isagrowing problem that threatens to shat- >

A solution exists, but it will require to butit will Google exists, A solution That law enforcement re- additional gets pre-teen and teen their with talk That parents XS TVSKVEQW E[EVIRIWW SJ GVIEXMSR 8LI sonal privacy.sonal is not anunwelcome to point invade ourper- entry we ensure can that ourwindow world to ourdigital on, head issue this confront we If and enforcement. law groups safety users, Internet young parents, of nity, problem this islikely to more get complex. of therefore and technology tion criminalopportu- given increasing And the sophistica- punished. and areers that onso counting they don’t get caught That hack- iswhat rug. sweptnot be the the under 8SWXSTXLILEGOIVW[MPPXEOIEGSRGIVXIHIǺSVX One thing is clear: this is a serious issue that can- that issue isaserious isclear: this thing One GERƶXFI[SVXLXLITEMRERHWYǺIVMRKXLI]GEYWI adrevenues and bait from tutorial slaving videos should click- not be victims These platforms. eo immediately onsuchvid- and advertising cease ahumanteamassign to should protection. and concern Google same the Play. onGoogle apps deserve victims Hacking of to and ensure quality child pornography the of for searchblock tens queries of thousands inhumanteamsclearly helped Bringing can’t. ahumanteam toassigns dowhat analgorithm solving about aproblem, isserious it Google reviewing thesevideos

SELLING “SLAVING” // 5 WHAT CAN RATTERS DO? plains thatplains ratters can: 2015: Year oftheRat—Threat Report VITSVX LMW .R RSST;EPP ǻVQ WIGYVMX] ETT QSFMPI IGYVMX]ERHMWRS[(LMIJ*\IGYXMZI4ǽGIVSJXLI founding member of of the Department Homeland wasa Miliefsky S. do. Gary do, can ratter can the MRKXLVSYKLǻPIWXLIYWIVLEWWXSVIHƴ[LEXIZIV]SY into downloadinggets malware the onto adevice. photographs,ments, videos, and songs to trick tar- asdocu- disguised be that can code are malicious tool isaRAT. of Trojans, sixkinds of the One RATs slaving popular most simplest and the Perhaps The term “slaving” a computer is no exaggeration. Remote Trojans Access project include: inthis studied THE RAT WORLD Whether it is using the device’s the itisusing orsift- functions Whether service (“DDoS”) attack. > > > > IQEMPWERHǻPIW > tentially even clearing ahard drive completely); > EYHMSǻPIW ERH

» » » » » » » » XIEPTEWW[SVHWGVIHMXGEVHRYQFIVW )S[RPSEHYTPSEHERHHIPIXI]SYVǻPIW TS Use your computer of for denial adistributed 1 Watch your save and webcam videos; Watch log your and you keystrokes; type Carbanak Bozok Black Worm Blackshades Bifrost 'EGO4VMǻGI AndroRAT Adwind MWXIRMRSR]SYVQMGVSTLSRIERHWEZI » » » » » » » » Cybergate CyberRAT Cerberus Havex Explosive Dyreza / Dyre Dark DDoSeR DarkComet , Miliefsky ex-, Miliefsky

- dental accomplice.”dental RATS, you’re not only you avictim, are anacci- you“If getinfected Zero-day of one these with said: Miliefsky As to fall. password could next be credit cards, and privateaddress book, emails, SǽGIƶWVIWSYVGIW lead ratter to the corporate the network your and Thejumptohind. your company’s computer could your work phone, and tablet, devices are be- not far hasyour computer,ware. personal Ifsomeone then MREVEXXIVWƶIǺSVXXSƸWTVIEHƹ7&8WERHSXLIVQEP step one just is Your device device. slaved one with tating strikes corporations. against U.S. ƋŅŞƚĬĬŅýĵ±ĹƼŅüƋĘååĵƱųų±ŸŸĜĹč±ĹÚÚåÆĜĬĜ corporate allowing espionage missions, hackers RATs adversaries. their are frequently in used attack toand target of democracy by enemies ual favors. of aweapon warused They are also exploit for then them and money and/oren, sex- expensive tool frequently to spy used wom- on Once in command of your devices, your email This last item is important. A ratter seldom stops Making itsimple—RATs in- Making to use, easy are an » » » » » » » » ProSpy Predator Pain Ivy Poison Pandora RAT njRAT Njw0rm NanoCore Kraken 2 » » » » » » » Xtreme RAT Trojan.Laziok Sub7 Sir DoOom Snake RAT ShadowTech Regin - -

SELLING “SLAVING” // 6 SELLING “SLAVING” c ǻVI[EPP E a hacker). only with of usarmed those What about security (and often,IVRQIRXWLEZIXLIVIWSYVGIWXSTE]JSVXLIǻRIWX even that isn’teven average But families. corporations and gov- enough to stop leaders, and political devices slaved—corporations, There have are who of victims kinds all hadtheir HS[SVTMGOEHSSVPSGOXSWXIEP]SYVǻRERGMEPMRJSV to break doesn’t need criminal who awin- stop the have themost up-to-date to designed security 8IGL8EVKIXHIǻRIWEǻVI[EPPEWƸERIX[SVOWIGYVMX]W]WXIQIMX  SYXKSMRKRIX[SVOXVEǽGFEWIHSREWIXSJVYPIWƹLXXT WIEVGLW So manySo visitors have come 37,000 almost privacy times. peeping toms have violated her identity. Unfortunately, virtual wasmade,video to protect her this when ateenager was just we who girl, of believe the We have picture blurred the FORUMS, DIGITAL CITIZENS ALLIANCE HAS OUTLINED IN RED AND/OR IN DIGITAL OUTLINED HAS FORUMS, CITIZENS ALLIANCE MAGNIFIED CERTAIN ELEMENTS. IN ORDER TO HIGHLIGHT PORTIONS OF THIS AND OTHER AND THIS OF SCREENSHOTS HACK AND YOUTUBE FROM PORTIONS TO ORDER IN HIGHLIGHT c and anti-virus and program? Families don’t red boxes circle. and Muchof cludes three ads—inside the to coming to visit. dries those from to computers cars to sun- adsto pitchselling everything that YouTube at her to peek is This particular video in- video This particular - LIVLEVH[EVISVWSJX[EVIFEWIHXLEXGSRXVSPWMRGSQMRKERH IGYVMX]XIGLXEVKIXGSQHIǻRMXMSRǻVI[EPP stand-alone weapon used ina1 weapon used stand-alone porate disruption, espionageandeconomic or a Theyer’s may toolkit. atool of be for cor- amission kiddie” on a high school classmate. kiddie” school onahigh newest Trojan. akeyboard only He needs the and password lists. familymation, photos, aswell and asyour contacts RATs hack- inaskilled avaluable be piece can about their victim. their about of said ratters what these part 17on page where we include story, of the part asyou see will picture The video. the isonly hackers posted the who and YouTube between split be can adrevenuethe from post this video with the world. world. the with video the shared then and girl ofthis bedroom into the cam, someone broke aweb- controlling • By IMAGE 02 : 1 attack by a“script attack 1

SELLING “SLAVING” // 7 THAT PAYS FOR ITSELF CHEAP, EASY-TO-USE MALWARE paper bag.” wouldn’twho know how way to hacktheir outof a a tool created marketed and for principally buyers RATs, popular most ofone the “was Blackshades, wrote blog, Krebs onSecurity, inhispopular that ǻRHEGUYMVIERHYWIIGYVMX]I\TIVX'VMER0VIFW This dangerous, malicious software is easy to keted QEV there. HS[RPSEHW 7&8 JVII ǻRH If GER =SY8YFI it ]SY is free, it is likely an older version Wolf. of Cassidy story the about patience.” Remember that point when we tell found that inourresearch: we point also ical “It’s it’s really not,” madeacrit- Miliefsky, then said who attack, sophisticated isavery say this people when network, most have the vulnerability, same and As you see in the screenshot (image 3) from screenshot 3) (image you inthe As see SǽGI XLI SV GSQTYXIV JEQMP] XLI MXƶW Ƹ;LIXLIV 3 - SecureWorks $250. Then, according to researchers from Dell and $50 between cost Blackshades and Comet It wasn’t always that easy. RATs In2013, like Dark- many RATs found $10 be for can between $50. and SJ ZIVWMSRW QSHMǻIH SV 9THEXIH QEP[EVI XLI SJ utilizing these things.” these utilizing for low There to isavery tool. entry barrier the ing not onlyand customiz- order tool, butget help the cases, insome portal actually slick ion—it’s apretty -like inavery to fash- tools, order these wherefor they have cybercriminals ability the both says “there is an entire economic segment basically Verizon’sof forketplace RATs Rudis,co-author take root. Bob able to the general sent public prices plummeting. And cyber security analysts have analysts mar- the security seen cyber And 2015 Data Breach Investigations Report 4 , leaks making the source avail- the code making , leaks the video. (French for download) could “tèlechargement” they where alink on viewers could click video, the • Below 03 IMAGE ,

SELLING “SLAVING” // 8 'PEGOWLEHIW-IKSXEǻVWXLERHPSSOEXXLITYWLIVW that brought behind sting ment down cabal the R.A.T.—the Dirty eration law enforce- multi-national bedroom.” their ing leav-how without to online implement aprogram XEVKIXMRKZMGXMQWGERǻRH[LEXXLI]RIIHERHPIEVR &RKIPIW+MIPH4ǽGIWEMHƸMRHMZMHYEPWMRXIVIWXIHMR VEXXIVW1EYVE*MQMPPIV5VI like a customer for department service would-be like assomething HackForums, functions which found onYouTube ordirect viachat contact rooms by intutorials advice sharing to help—either willing there are program, ratters the of plenty with other Ifthey struggle inasingle of sitting. ens victims for guysdevices and for $5 of girls $1. SJE-EGO+SVYQWTEVXMGMTERXSǺIVMRKEGGIWWXSXLI RATs (as of 7/22/15). 4shows Image example one creating, acquiring, that discuss spreading and hacker.”the posts million There are more 1.5 than LEGOIVGLEXWMXI-EGO+SVYQWXSǻRHƸXLIZSMGISJ Citizens researchers popular visited the Digital to make quickly money portunity asaratter isgreat. James PastoreJames lead prosecutor wasthe inOp- that ondayConsider one, get doz- aratter can islow, to cost while started get So the op- the WW4ǽGIVJSVXLI+'.ƶW1SW cure way days these butimpossible.” isall inacompletely technology using or shameful; se- You of attacks. haven’tsorts stupid anything done how even security researchers fall victim to these for to victims know howis important prevalent itis, it involves vi compromising “There’s said: when alot of init,particularly shame RATs. using attacks after individuals and nesses She busi- hashelped She source the ofmine attacks. discover what wasstolen, ifpossible, and, deter- control into help called breaches, man hasbeen the mobile security testing startup, Shevirah, Weid- and Security er. of Bulb Founder Owner and the As Weidman Georgia hack- isanethical attacks. these of RATs.” types these using my experience—is that—in dueto population the part that isinlarge ZMGXMQM^IH.XFIGSQIWEFMXKEQIMǻIHERH.XLMRO there are real that because are people shame being harm that they’re it’s And onpeople. imposing a or aren’t mature enough to comprehend, the real hind a keyboard. They maybe don’t . . . comprehend, they are be- because bitof adistance alittle also Citizens: “There’s it,but about of akind meanness an attorney inprivate Pastore practice, told Digital of spawn. malware Now ratters they helped the and Victims often struggle with damage done from done damage with struggle often Victims (as of 7/22/15). of (as and spreading RATs acquiring, creating, to dedicated posts site 1,536,431 contains ŹƣķžŷžƐŇƾĻƐĀďƣŹåžØƐƒĚåƐ Fo- to Hack According • From hackforums.net. IMAGE 04 deos or images. I think it it Ithink orimages. deos

SELLING “SLAVING” // 9 STORIES OF CRUELTY—“RATS” ONTHE ATTACK Photograph by Teen Miss inthe competed USApageant. ifornia Teen, Wolf, Cassidy before months just she world online much of Cal- reigning of the Miss the a mysterious madeclear ratter controlled that he [EW could she dotonothing Inamassive attack, stop it. XLIVI ERH I]IW LIV SJ JVSRX MR VMKLX ǻVI SR PMX .RWXEKVEQ8YQFPV-IVWSGMEPQIHMETVSǻPIW[IVI passwords onFacebook, her cally changing , similarsee warnings that was someone systemati- ahalf-hour, about injust But friends. would Cassidy spending an evening in Fullerton, California with password.” my changed Ijust So maybe amalfunction. Ithought itwasjust it. Isaw too that, Ididn’t when muchof think “So said. to log intofrom hadtried Utah my account,” she cation on my home page telling me that someone Ƹ. [IRXSRXSQ]+EGIFSSOERH.LEHNYWXPMOIERSXMǻ VMKLX RSX [EW WSQIXLMRK [EVRMRK ǻVWX XLI FIVW Wolf.fornia Cassidy named teen of aCali- story dreams and isthe indanger hopes best-known of the howPerhaps RATs story put can That was on March 21, 2013, while Cassidy was was That while wasonMarch Cassidy 2013, 21, Wolf Facebook. with Cassidy remem- It started GREG NELSEN - a pornstar.” . amodel of being “dream her . . being] into [Cassidy didn’tIf she comply, would he said transform he to wanted he her ing make asexually video. explicit (from) her bedroom.” bedroom.” her (from) Wewere email. inthe could tell exactly they were of your went neck up.There were pictures the that you scrolled down that’s whenthehaironback or tons of pictures and videos dreds, lots butthere wasaword post will there—I of you. And then aspost—and word Idon’t ifthe remember washun- Iwill what Isay orelse “do told which email, Cassidy hadstolenhe from Cassidy. private of the moments to hiscollection tended use conversations, and monitoring He now emails. in- taking pictures of her changing clothes, listening to been He’d computertrol for of Cassidy’s months. hacker slaved, the hadcon- computer hadbeen The hacker would go onto threaten Cassidy, say- Cassidy, threaten onto go would hacker The (EWWMH]ƶWQSXLIV2EV]HIWGVMFIHXLIVEXXIVƶWǻVWX ;LMPIXLMW[EWXLIǻVWXXMQIMX[EWGPIEVXLEXLIV 5 • Cassidy and Mary Wolf Mary and • Cassidy IMAGE 05

SELLING “SLAVING” // 10 LYVXMRKQIQSVIF]RSXLEZMRKMX8LIǻVWXQSRXL TYFPMGǻKYVIXSLEZIWSGMEPQIHMEERH.SRP]WE[MX asa my with really just it helps job, its important for isreally my me media cause social important, powerthe to take away like that? Be- something why would Idothat? Why would Igive someone Irealized, then And that Ihadonline. ly everything Facebook,again, my Instagram, Ideleted serious- Iwould Ithought and scared never have my Twitter HMHRƶXWXE]HS[RƸ&XǻVWX.HIPIXIHIZIV]XLMRK.[EW man, awoman, achild, you couldn’t just tell.” cery store. We had no idea. I didn’t know if it was to gro- at next the Iwasstanding was somebody a know if he lived down Ididn’t around clock. the came histhreats it and the block. I didn’t kept he saying because wascoming he thought “I know if it aday.”have 40times me guyemailing this mybe life forever,” Iwasgonna “That said. Cassidy years old. 12 was just of hisharassment targets of the One naked women. photoshopped her friends’ faces onto pictures of to to pressure comply. Cassidy stalker Thiscyber he hacked into her friends’ accounts, urging them and preparing his attack. When he didn’t succeed, tos pictures showed accumulating time spent he of pho- expose humiliate and Cassidy. Hislibrary to designed video photos, one the including post ratter The did FBI. the Instead, called she demands. 8LI7&8ORSGOIH(EWWMH]SǾMRIFVMIǼ]FYXWLI really“I didn’t for sleep months,” Wolf Mary said. wasgonna that this idea hadgotten the kinda “I not did give intoCassidy ratter’s the sextortion commanded them to them dohisbidding. commanded forced into recording while Abrahams sex acts the world, with as many as 150 victims. Some were young and ing” women devices around of the girls He, alockerwith was“slav- infact, down hall. the wasmore admirer asick than Abrahams girl of the classmate. But school ahigh Abrahams, James me.” from away ized that Iwasonly himpower giving that by taking what Iwould do. Obviously Igot over Ireal- that and if this were to happenMX[LIR.ǻVWXKSXMX'IGEYWI.XLSYKLXSLQ]KSWL again I honestly don’t to on back Iwasscared to go it. I wasscared use know forcement, news outlets, and other young women. law with en- experience the about onto go and talk Teen Miss would title becoming winthe USA2013 now anadvocate. spoke upand out.” stood She She was she avictim, longer wasno Cassidy moment, ry to an international audience that evening. “At that to I’mguy stop and gonna me stop him.” looked Ijust at time. at itasI’m let the not gonna this away of any drive type that Ihadtowards my goals satisfaction of and seeing him seeing me take hurt any power over my life. Ididn’t want to give himany by it,Ididn’t want outabout to speaking give Jared that Ithink pictures, So situation. inthis Iwasavictim for pictures these posed orpurposely took these Teen Miss of the stage neverthe “I USApageant. It took almost three months to months capture three Jared It took almost Mary Wolf had no idea Cassidy would Wolf sto- tellMary her Cassidy idea hadno SR TYFPMGP] WXSV] LIV XSPH ǻVWX ;SPJ (EWWMH] 6

SELLING “SLAVING” // 11 about malwareabout while programs to brazen enough are who ly knowledgeable more with individuals SJXLMWǻKLXEKEMRWXXLMWMRWMHMSYWJSVQSJQEP[EVI from front three onthe perspectives people lines We of rise ratters. rapid the about haveconcerned are increasinglyprosecutors cases work who these JSVGIQIRXǻRHMRKXLITLSXSW8LIMRZIWXMKEXSVWERH never ifnot for victims law know en- these about world The silent. fearand victims would keep the we which about never hear. shame That’s because more there like stories arein fact, hers thousands back online. be will Jared Abrahams James soon, At point some December. outthis term. He’ll be prison 18-month tively rest of the your impact life.” XLMRKPMOIXLMWHSIWRƶXLEZIXSHIǻRI]SYSVRIKE for to victims know it’s thatthink some- important yet and wentaccomplishment, she I through this. her about page aWikipedia with successful and lives are that their over.ing Wolf Cassidy isbeautiful feel rightly alone, often and violated think-“Victims avictim,” admittoand being Weidman. Georgia said Cassidy’s voice. are of young safer today girls women and because leads to others.” tions, one successful investigation or prosecution true in other kinds of prosecutions and investiga- “Astold asked who that question: reporters isoften United StatesManhattan Attorney Preet Bharara arrests? inthe play apart actions Cassidy’s Did developed who RAT.two masterminds of the the aswere the Blackshades, 100 hackers used who In the summer of 2014, the FBI arrested the nearly of summer 2014, In the 78 XEOSMHZHEW VKSMK VETMH KVS[MRK EVI MRHMZMHYEPW SR EXXEGOW 7&8 but about, to ispainful talk Wolf’s story Cassidy an isnowFor Abrahams serving hiscrimes, all up brave to did she itisavery stand think thing “I 7 It is impossible to know how many many how know to impossible is It - - above others—YouTube all sites. content and theft We two tools craft. found utilizing ratters their tice prac- and for wherelooking ratters hone places problem, of the scope of we the a sense wentWith slaving is increasingly prevalent and dangerous. hatwhite hackers hat black alike and convince us aRAT that of in.” cases used types be can forcomputers limit the but you the know sky’s the young after women their and going about talked to we’ve Imean doany ofcriminals crimes. number RATs they allow are aninteresting the tool because that prosecute. we that Ithink But can something that we’rething more it’s hopefully to and see going RATs: about Hsusaid port. that itissome- think “I we more re- who inthis discuss later Mijangos, will of RATs, using accused individuals Luis including MR1SW&RKIPIW-MWSǽGILEWTVSWIGYXIHWIZIVEPXSVRI]ƶW4ǽGIJSVXLI(IRXVEP)MWXVMGXSJ(EPMJSVRME At- U.S. of the Section Crimes tellectual Property for evil.” used now being that nology wasoriginally is and for meant good that want people tech- toto the the abuse after go They don’t enough. haveen’t trained manpower the keep YT[MXLXLMWWXYǺEWJEWXEWMXƶWGLERKMRK5ISTPIEV to game the of stage this at equipped isn’t just the script kiddies using RATs. “Law enforcement the resourcesǻZI]IEVW-IWEMHPE[IRJSVGIQIRXHSIWRƶXLEZI to keep up with hackers, includingFIGSQMRKZMGXMQM^IH that they avoid so isimportant potentialand targets problem,out of parents this iswhy which educating law enforcement. We’re to not arrest going ourway RSXMRGPYHMRKSXLIVJIHIVEPSǽGIWWXEXIERHPSGEP inLos That’s just Angeles. inmultiple cases victims them,”use Eimiller. said “We’ve of hundreds seen The observations of victims, lawmakers, and Wesley In- and Cyber of Chief the Hsuisthe Aken for agent Scott wasanFBI cyber more than -

SELLING “SLAVING” // 12 YOUTUBE HAS ARAT PROBLEM ZMHISW[LMGLSǺIV SJ XLSYWERHW ǻRH =SY8YFI XS WIEVGL XS IEW] MW .X tising running alongside them—meaning YouTube, And yes, many of these videos come with adver- with come videos these of many yes, And touse slave devices. > and, IPaddresses of and victims; faces the with > to other devices; >

links for ratters tolinks download RATs they can examples of successfully deployed RATs, onhowtutorials to RATs use spread and them TVI]EXSTXLIǻVITPEGI way ofmuch the their head ahunter the hangs for to others view, conquests successful their youngen children. Ratters YouTube use to post strating how they invade bedrooms and/or fright- ISWSR=SY8YFIǻRHMRKQER][MXLVEXXIVWHIQSR ture of creepy. of ture proselytize who cul- ratters itwith es sharing their cas- insome then and money ismaking or Google, Researchers scoured hundredsof tutorial vid- had 12,932 views. had video this screenshot, • At the time of this IMAGE 06 had 6,200 views. 6,200 had video this screenshot, • At the time of this IMAGE 07 -

SELLING “SLAVING” // 13 frightened with scary voices or unexpected visuals. voices visuals. orunexpected scary with frightened openly laughing and mocking the families they’ve ters themselves as they celebrate their conquests, from rat- track audio the oranadditional captions Many of include thesevideos other on-screen how to interrupt theyoung andterrify mother as LIVFEF]&RHIVWSR[EXGLIHXLIVEXXIVWǻKYVISYX computer onwhile her a woman left feeding who of ArsTechnica, found he of video one described editor Natefreaked deputy Anderson, outfamilies. gloat howrorize about they then and victims their The perpetrators of these scares want to ter- had 44,426 views. 44,426 had video this screenshot, • At the time of this begins (highlighted). RAT“scare” ofthe victim the where code time to the viewers directs video • This IMAGE 08 ing users will download it." download will users ing ofunsuspect- Thousands RAT. to your link download onto YouTube the with song remixed the upload ĀĀĮ ĀĮåƐƾЃĚƐDžŇƣŹƐ‰ũƐcŇƾƐ YoY YouTube: the "Bind .mp3 ĀĮ ĀĮåžƐžĚ±ŹåÚƐĞĻƐ±ƐŤŇžƒƐŇĻƐ to how on usemp3 t tips ƒĚ ƒĚåƐŹ±ƒƒåŹØƐƾ±ďŇÆØƐŇýåŹžƐ from suggestions of of the Youtube.” and R Reddit on waysto Spread Unique “4 titled exchange Forums aHack from comes below portion • This 7/22/15). of (as registered members million 2.8 morethan has room for hackers chat This • From hackforums.net. IMAGE 09 i p One One

SELLING “SLAVING” // 14 controllers . . . ortoying pranking, victims.” with showing RAT of videos other along thousands with XLIMRGMHIRXEVIR XLEVHXSǻRH8LI] VISR=SY8YFI computer. Inhis story, Andersonwrote: “Copies of XLI]ǼEWLIHFM^EVVIERHHMWXYVFMRKMQEKIWSRLIV YouTube. RATs spread through to is it easy how Forums Hack found plenty of examples of on ratters discussing It is no secret amongst ratters. Researchers 8 their back doors open. doors back their around aroadpassing mapto that leave houses hackers islike between enue. This sharing thieves vehicle another rev- for advertising gramming—or YouTube, are consumers to reduced these pro- On people. like of vulnerable a menu almost lists around world. the scroll Hackers through can these provide theIPaddresses of any of number devices the IPaddresses of slaved devices. YouTube videos aratter’s control included center with videos the Tube videos demonstrating ratters at work. Many of Digital Citizens researchersDigital found dozens of You- ING HELP.”ING “SPREAD- titled exchange Forums from aHack taken were below portions • The • From hackforums.net. IMAGE 11 been banned once.” many videos and never I’ve so Ihave success. ex extreme aRAT, with e ed have you’ll bond- program alegit h have Ifyou banned. got w why you know Idon’t s successful. to extremely be • • From hackforums.net. IMAGE 10 Ŵ:±ķĞĻďǍƐœŹŇƒå×ƐFƐĀĻÚƐ th w a D iis g m Awdr: Awdr: to spread.”methods good some with advice looking for detailed a____ninjauk: minutes of work. that takes maximum 3 week using this method a 50at least clients Awdr: Downloader’… Video a‘Youtube is need you all bet, good You can expect expect can You YouTube a is “I’m now

SELLING “SLAVING” // 15 RAT infestation problem. hasagrowing America 13, inimage see you can d YouTube to across devices incities America. of IP addresses is imperfect and can be masked. be can and imperfect is addresses of IP location geographical The Internet. the on is that address IP any using system hacker’s tothe back to connect try will system the system, your aRAT once However, infects case, any in 2013. before posted videos from numbers IP use we didn’t reason, thi For change. will address IP your ISP, an from possible is it device anew get move or you If posted. was video the time the at necessarily not research, ofthe time ofthe as located were addresses IP the where researchers our tell tools location IP YouTube. on now RAT in tutorials shared The numbers IP the with ofdevices locations current the determined researchers Citizens Digital (www.networksolutions.com/), Solutions Network and (www.iplocation.net) location IP websites the Using Our researchers on Our IPsexposed pinpointed the d As we included at the beginning of this report. of this beginning atwe the included apicture included screenshot of the avictim—like were that those popular of views; particularly sands researchers found many videos with tens of thou- Sadly, people are coming to these pages. Our an ad for Starbucks. includes video The Mexico. States, Turkey, France, and United the in located vices de- including world, the puters in countries around ĀĻÚƐF{Ɛ±ÚÚŹåžžåžƐüŇŹƐÏŇķ can you tutorial, this • In IMAGE 12 ads, see Appendix B. Appendix see a ads, f found in videos without devices ofslaved a as amap aswell cities, ofthese a a list p panied by advertising. For o on YouTube videos accom- shared devices slaved w with cities ofUS amap is • • This IMAGEI 13 - s

SELLING “SLAVING” // 16 ER]SRIJVSQTVSǻXMRKJVSQXLMWHMKMXEPVETI to prevent asasociety and asanindustry a stand or pushing RATs totims are mining their bitcoins or launching DDoS attacks neighbors. vic- innocent ten These they are victimized. being We must take may of them notsome even aware be of how of- partment De- child computer for and online crimes U.S. the of Justice. aformer prosecutor and federal Blue against SSP SJ 4ǽGIV *\IGYXMZI “Those (LMIJ 3MKEQ -IQERWLY WEMH pinssteps videos,” to crime of sharing stop are these the people take and compass moral their change companies and “There will be more pins on the map unless RAT, computer. to her access “Bifrost”, isusing ratter the see awell-knownalso Wewe waslikely she determined inAustralia. can From watched. isbeing she idea no IPaddress, her with inwhat like looks abedroom, paper a class Hacked BY Marco-Hacker” shows working on her That YouTube ) (victim Girl video, “Sexy titled most. usthe picture inthe face that concerned other. IPs,butitwasthe several U.S. Itincluded It was that video that haunted usmoreIt wasthat video any than • Digital Citizens research- Citizens • Digital IMAGE 14 early 2015. early and late in 2014 brands trusted well-known, other American Express, and for Acura, ads found ers

SELLING “SLAVING” // 17 CCC7&8ƹ;IǻPPIHMRXLIFPERO[MXL L id”, that actually what we orvideos demonstrated X M [  O R how to many were see videos each query “val- E JSV P VIWYPXW WIEVGL F SJ  TEKIW X[S I ǻVWX L XLI XLVSYKL X  R M  H news onRATs stories I We items. other and went P P ǻ  I To ; hits. fair, be 30,490 items include of those some  ƹ  8 & 7 CCCCCCC njRAT,shades, DarkComet,  Ivy. Poison and We got I W Y  H ǻZISJXLIQSWXVIGSKRM^IH7&8Wƴ'MJVSWX'PEGO R E  H E S P YouTubesearched term “how the using to down- researchers Our practice. isacommon videos year, nearly four years itwasposted. after family.her down inMarch came video of The this ifthere is athreat to girland the totion ascertain child arespected with safety organiza- video this world.” repeatedly her timizing infront eyes of the of the allowing it and rights of her Thisisaviolation rape. is digital to be shown “This video: the about al commentary. said Nigam over and over is re-vic- YouTube inthe discussion the video: of Citizens atranslation get did Digital sPerfect, Advertising running alongside these ratter ratter alongside these running Advertising Citizens information shared the Digital about The rest of the translation included crude sexu- With the of help the translation Tran- service TIME CODE ARABIC TRANSCRIPTION ENGLISH TRANSLATION ENGLISH TRANSCRIPTION ARABIC CODE TIME 0 0 2 2 1 : : : : 08 : 58 58 55 15 - 34 days34 ads. to view 11,586 for channel network onabroadcast programming Youis 11,586. would have to watch of hour every C). search, tothis go Appendix on (to details the video the alongside see running RAT valid ofcent the advertising hadsome videos at have how per- many videos 38 Inall, valid ads. we we invalid videos, looked the Once eliminated for—howsearched to download ______use and RAT. paid topaid purchase ad space. the Acura, Express, American and other advertisers of whatever aportion gets bedroom girl’s of this invasion their posted who person the case, this revenue from isgenerated views In video. of the makes to eligible get acut them of whatever ad upfor YouTube the signed Program, which Partner has Ads “poster” video show of the the upwhen YouTubespace. Not all have videos advertising. pay YouTube’s parent for company Google ad To percent of 38 putthat inperspective, 30,490 Companies like Acura Express andAmerican hahahahahahaha (laughing sound).hahahahahahaha (laughing I wishknow . why astonished so looks she . . to do. guysupposed what isthe like that isnaked, abody when Imagine naked. sawI just her far. I’ve hadso victim isquite clean, She beautiful most This girlisseriously the sound). (laughing like This guylooks Th hahahaha athief is guy l oo ks l ik ea 9 th ie f ha ha ha ha

SELLING “SLAVING” // 18 Procter &Gamble, Wells Fargo, running Boeing and we found adsfor like respected, premium brands As weAs looked through hundreds of RAT videos, Yankees to tutorials. next games even to New tickets York found adsfor baseball we of faces victims; showing the videos alongside had 13,643 views. 13,643 had video this screenshot, • At the time of this Fargo. Wells for ad an with Russian in tion demonstra- • DarkComet 16 IMAGE views. 48,240 had video this screenshot, • At the time of this ad. Football Fantasy ĞĻƐŹ±ÆĞÏƐƾЃĚƐ±ĻƐ)„{cƐ • njRAT demonstration IMAGE 15

SELLING “SLAVING” // 19 and an ad for Zulily. victim and ratter between stration with conversation RAT• DarkComet demon- IMAGE 19 York Yankees tickets. žƒŹ±ƒĞŇĻƐƾЃĚƐ±ĻƐ±ÚƐüŇŹƐcåƾƐ • ShadowTech RAT demon- IMAGE 18 brand. Mini for BMW’s ad RAT• Predator Pain an with IMAGE 17

SELLING “SLAVING” // 20 ning alongside the videos marketing and demon- we Wolf, found to Cassidy said: she And when we asked about the advertising run- we when advertising And asked the about ;LIR[IǻVWXWLS[IHXLI=SY8YFIWGVIIRWLSXW “This could have“This my blurred face been passed my for mind entire the passed year.” watchingof having me. Itnever someone have clue Ihadnot one Imean idea. no out . . they seriously because it’s. and sad . criminal activity.” just as high a priority as it is with any other type of LYQERXVEǽGOMRK Ƹ.XLMRO,SSKPIWLSYPHQEOIMX and child after company pornography hasgone onYouTubeter videos ratters way the same the QEOIQSRI]SǺMXƹLIWEMH,SSKPIWLSYPHKSEJ that it’s now aworld it's crazy can where people how RATsstrating think “I added: she used, be can products. Always feminine hygiene forad Procter &Gamble’s stration in Russian with an RAT• DarkComet demon- IMAGE 22 ad. aBoeing with Spanish • ProSpy in demonstration IMAGE 21 S5. Galaxy Samsung AT&T an with tion for ad the • Blackshades demonstra- IMAGE 20 -

SELLING “SLAVING” // 21 UNLEASHING A RAT—THE A UNLEASHING ART “SPREADING” OF e SYWPMROWƴMRNYWXXLIǻVWXLSYVEJXIVWIRHMRK of users the opened email and clicked on danger- went out,researchersemails found that 50 percent surveys test atotal inwhich of 150,000 security cent fective ever than in2014 before. at Looking two re- searchers say phishing were campaigns more ef- faster than awareness of their danger. Verizon re- of phishing” a“spear attack. launch XLI MW IQEMP 8LI VIJYWI GERƶX ZMGXMQ XLI XLEX SǺIV an making awell-crafted email with begins often malware.of the Ittakes attack several The steps. There “spreading” are the just about tutorials an art. aRATLaunching computer itis isnot just science; To learn more about this email and spear phishing, go to:http://www.digitalcitizensalliance.org/cac/alliance/ go phishing, spear and email this To about more learn The sophistication of has grown these emails TSWXHIXEMPEWT\$.H" 10 that should give you pause.” hardgets to stop, even you something when see curity. “At humannature. against itgoes point, this It SJPMROWE[IIOƹWEMH2IKER-SVRIVSJ'PEGOǻRI Many onhundreds to ofmeant clicked. usclick be are “Links andattachments: onlinks with clicking saywho we’ve increasing comfortable become all ed and respected brand, troubles security experts from Airlines. American searchers receivedlook at example the below—an of one email ourre- designed to lookMRKP]IEWMIVXSǻRHXSKEMR]SYVXVYWX+SVI\EQTPI like an email QMKLXMRGPYHIWTIGMǻGMRJSVQEXMSR[LMGLMWMRGVIEW link or an attachment designed to get your click. It Mail like this, which appears toMail like from appears which come this, atrust- How do they do it? Spear phishers include a a include How phishers dothey doit? Spear e the system. Trojan the removed from immediately caught and an anti-virus application itas monitored then ment, downloaded the attach- researcher The plans. travel no had who searcher Citizens’ to re-sent aDigital åķ±ĞĮØƐ±ƐāĞďĚƒƐÏŇĻĀŹķ±ƒĞŇĻƐ fake American Airlines spear phishing email—a ofa example an is • This IMAGE 23 - -

SELLING “SLAVING” // 22 Ars Technica, Mijangos “was peer-to-peer seeding downloads from peer-to-peer sites. According to ofdevice. Mijangos’ One lures wasmusic of choice hisRATtion—so would downloaded be onto the on something—an anapplica- attachment,alink, click to target his convince to had He inbox. the into phisher, Mijangos knew it is not enough just to get to make spear Askilled sexually videos. explicit ǻPIWJVSQLEVHHVMZIWSVXEOIGSRXVSPSJ[IFGEQW niles. juve- 44 including fromsteal victims, materials 230 to force, hisskills used Mijangos or guidance. trick, consultor without spread and them his own tools hackerhams—he could wasaskilled who build student Jared Abra- school James like high the onrecord. ratters was not vicious Mijangos most deployedmethods by of one Luis the Mijangos, way to launch an attack on victims. Consider the For ratters, spear phishing emails are aneasy For emails phishing ratters, spear 11 He used Poison Ivy and SpyNet and Ivy Poison used He 12 to poach poach to directing potential ratters to use content theft sites. potential to ratters directing content use theft 25). and 24 ages result to im- wasalink achat onHackForums (see VEXWƹSR,SSKPISR/YRIXLIǻVWXWIEVGLsearch results. When we searched for “spreading forod spreading rats? Itisifyou look at Google’s sites top to meth- the content links Is sharing theft were actually malware.” networks with popular-sounding song titles that popular songs then upload them to torrent sites. Massoglia reported that ratters disguise RATs as Lorischolars Andrews, MichaelHolloway, andDan to poses privacy, of webcams hacking the legal of Law, College Chicago-Kent examining threat the We found and several onthat link clicked posts In Digital Peepholes , aresearch from IIT paper 13 June 24, 2015. June 24, rats” from “spreading for results search ofGoogle one • Page IMAGE 24 14

SELLING “SLAVING” // 23 RAT over peer-to-peer.” the toolbox issending inthe tools of one so the and people, you Imean any use will tool inyour toolbox, a hacker that’sto safe. be It’s opposite of the safe. ifyou And are sort of interested“Peer-to-peer isincredibly unsafe. It’s not designed in compromising knows He peer-to-peer the a decade. sites well. inLos for Angeles cases moretual than Property Assistant U.S. Attorney Intellec- Hsuhashandled U.S. Assistant theft sites as the tools of choice for of RAT choice tools sites asthe theft spreading. where ratters suggest both YouTube and content We found several conversations onHackForums sites provide Trojans. for aplatform theft launching YouTube audience, both pecting content the and downloadsto malicious onto pushthe anunsus- Jared James When Abrahamses. ratters are ready YouTube with script kiddies, the generation next of via tools and tips share Mijangos Luis like skills with On HackOn Forums, we experienced see ratters room, hackforums.net room, • From the hackers’ chat IMAGE 25

SELLING “SLAVING” // 24 rents, , and The Pirate The isohunt,rents, and Bay 27, (image above). follow who to those trade—kickasstor- piracy the ed on Hack Forums trad- are names the that some surprise no is it sites, theft tent of the most familiar ;LIRVEXXIVW[ERXIHEHZMGIEFSYXWTIGMǻGGSR - room, hackforums.net room, • From the hackers’ chat IMAGE 26 room, hackforums.net room, • From the hackers’ chat IMAGE 27

SELLING “SLAVING” // 25 f The PirateThe Bay from howstrated aratter anapplication pulled found by posted two different people) demon- totraps ensnare victims. through howers to build deceptive, RAT infested YouTube videos—of the side view- walking videos We found examples—again along- advertising with them—again in tutorial sites; how show they to kiddies script use tent theft videos shared on YouTube. The PirateThe 97th visited site Bay most wasthe inthe The video showed the ratter using piratebay.org. According to Wikipedia, piratebay.org was the address of until Bay Pirate ofthe address the was piratebay.org toWikipedia, According piratebay.org. using ratter the showed video The note-domainse-180 and https:// thepiratebay.se/blog/205. From The_Pirate_Bay#cite_ http://en.wikipedia.org/wiki/ piratebay.gl. used also has It topiratebay.se. moved it when 2012, For example, YouTube one (which video we Some ratters go beyond just chatting about con- f to help spread a RAT. At one time, world com was so infested with malicious downloads infestedcom wasso malicious that with ginning of the problems with this site. . be- butthat’s the sixmonths, just last inthe oid.me Demon- from down taken be to URLs 190,000 than (on 7/6/15), copyright have holders asked for more me. According Transparency to Google the Report )IQSRSMH WMXI XSVVIRX TSTYPEV ERSXLIV SRXS ǻPI Pirateapplication—from Bay, it. corrupt and editing amusic case, this a clean application—in ers. Moments later,Moments the ratter loaded the corrupted 16 We ratter take watched what like the looks 15 and had more than 2 million registered us- hadmore 2million and than room, hackforums.net room, • From the hackers’ chat IMAGE 28 had 2,334 views. 2,334 had video this screenshot, • At the time of this IMAGE 29

SELLING “SLAVING” // 26 downloads onadvertising. (as of 7/6/15). malicious the blamed Demonoid site 7,581st as the site world inthe popular most .pw now (the others redirect there). Alexa the ranks it’s and current at .com,.me, .ph, including home stays several alive by Top utilizing Level Domains, site The hashadmore acat. lives than Demonoid Google actually blockedGoogle itfor in2014. atime 18 The Digital Citizens Al- Digital The 17 But that advertising. from software download onand malicious click the sites make users contentthat when money theft infect users’ showed research The devices. also inthat researchsites studied potential to hadthe content adson589 of three that one every theft report, liance Good Money Still Going Bad StillGoing Money Good 19 had 33,110 views. 33,110 had video this screenshot, • At the time of this IMAGE 31 views. 13,643 had video this screenshot, • At the time of this IMAGE 30 , showed

SELLING “SLAVING” // 27 g RAT addresses three (saying in pulls He CyberGate. from victims. the the presentation nice so they get can more money The presenter reminds also the watcher to make EWE5)+ǻPIYWMRKXLIGSRXIRXXLIJXWMXI8QI payload how to amalicious disguise demonstrating t411.me is one of 5—sites found to be sharing torrents unlicensed movies, TV series, music, books, software, and sports in in sports and software, books, music, series, TV movies, unlicensed torrents sharing tobe found of5—sites one is t411.me Digital Citizens’ Citizens’ Digital In another YouTubeIn another video, we found aratter In athird tutorial, shows aratter how to the use Good Money Still Going Bad Going Still Money Good report published in May 2015. That domain now redirects tot411.io. redirects now domain That 2015. May in published report g . theft sites are like Home Depot. sites are Depot. like Home theft to malware, spread foring tools their the content software. infected now .org, reloads sites the with then those “torrent sites”: demonoid.com. isohunt.com, and from software three popular most the pulls then tutorialthe that has“only he three vic’s and online”) The tutorialThe show that videos for ratters look- the žƒŹå±ķĞĻďƐķåÚбØƐcåƒāĞDŽũ of on-demand Internet and legal content provider licensed for ad the an is To video ofthe right the site, t411.me. content theft aRATto spread the via • A video showing how IMAGE 32 this video. providers featured in be unlicensed content sites tothree known • Isohunt was one of IMAGE 33

SELLING “SLAVING” // 28 THE FUTURE OFRATS $1B. gather enough information to steal approximately cloaked for years, therefore and for hackers the to hidden, made itWSQIFSH]ǻKYVIHSYXLS[XSEHHMXXSXLEXƹ possible [and] wasinRegin which Comet inDark pability ca- stealth issome about wething may talking be for waywork their down next into the low So the end. Carbanak RATs that arethings high-end showing upinthese weizens: think alot are to “I see of going these to stay Haley Response. Cit- toldmantec Digital Security Director of the and Product for Management Sy- on Symatec’s toing Kevin Haley, advisors technical of one the EGGSVH 7&8W XS LETTIR [MPP IǺIGX XVMGOPIHS[R down to inthat competitors Thissame space. all SVTVSGIWWGSQIWXSXLIQEVOIXTPEGIMX[MPPǻPXIV reallyThis iswhere itgets scary. to RAT addnew functionality. Ifabasic with comes ofation RATs. others: The that Haley gener- says prominent next be will inthe It’s anewwill be burden of one three traits onusers. Stealth capabilities, or the RAT’s orthe Stealth to capabilities, stay ability anew once idea many with industries, other As Modularity 20 Bringing this attribute to script kiddie RATs Internet Security Threat Report (ISTR) Threat Report Security Internet —This RAT the means ability hasthe - stereo, etc. upgraded suchasleather seats, options adding and of acar model base the to getting is similar have This dropper ordownloading capabilities. RATthe bitcoins, mine or attacks, DDoS to launch etc.), allow that add-ons get you camera, the can STIVEXMRK ǻPIW EX PSSOMRK QEREKIQIRX W]WXIQ control systems, like Havex Malware industrial bitcoins that mines orattacks level. butmorecount institutional holders, at the RAT—not focused ing ac- muchonindividual so to have Dyre The core one RAT function. isabank- you want to execute. of RATs all qualities customize and itfor attack the SǺ8LMWQIERWMRXLIJYXYVI]SYGERXEOIXLIFIWX able toout being pirate that isnot itisaconcept far to acustomized get tools RAT these use go with- where can any person service aclouding based revenue no with to source. coming original the Hav- stolen distributed and are getting code tired of their source code] from happening.” Haley says. Hackers prevent and asaway of to try [theft as aservice tomized RATs. Customization “There's actually some movement to software —Taking aRAT it modifying and 21 , are examples of cus-

SELLING “SLAVING” // 29 also mobile OSlike Android. also FIIRQSHMǻIHXSMRGPYHIRSXNYWXHIWOXST4FYX actors.” malicious with less networks XLI] PMOIP]IRGSYRXIVPSXWSJHMǺIVIRXQSFMPIERH[MVI (LMRE XS XVMT FYWMRIWW ]SYV XS WLST GSǺII As they go from watches, etc. don’t smart go. tablets, our phones, home, to work,their bedroom these days, there is literally nowhere to school, toing” said the “Though most people have their laptopetration in Testing, A Hands-On Introduction to Hack- “Pen- book writes inher who mobile hacking about hacker Ethical Weidman, targeted. Georgia will be wallet in their smartphone, the more these devices coming. people As move more towards having their is (mRAT) Trojans Access Remote mobile or tablets, generation of RATs tailored to strike cell phones and You RAT the 34 inimage see can Adwind has A “growth market” for ismobile. ratters Anew - mobile devices. tenless than years with to number reach same the malwaredistinct signatures for ithastaken PCs, ured that while ittook years 22 to to get 2million ǻK 8VIRH2MGVS QEOIV ERXMZMVYW XLI 7ITSWMXSV] KVS[MRK9WMRKǻKYVIWJVSQXLI&:8IWX2EP[EVI emails, geolocation, the list goes on.” goes list the geolocation, emails, your phone knows,erything text messages, calls, your knew alot laptop ev- you about about think them. Weidman states further “And if you thought continually who target hackers criminals the and itisfor better the distribution, the world. bigger The are ub since smartphones What’s particularly stunning is how fast it’s This growth, although alarming, is not surprising isnot surprising This growth, alarming, although 22 had 3,480 views. 3,480 had video this screenshot, • At the time of this IMAGE 34 iquitous throughout the -

SELLING “SLAVING” // 30 PROTECTING RAT REMOVING AND FROM h should do to protect your system. you There things are basic some let passport. and wal- your protecting as priority same the be should at chance avoidingbetter aRAT attack. ourselves from steps give ratters, butthese you a that we dotothat there isn’t thing protect one can tect yourself. Ultimately, we have all to understand pro- to use you that help can extensive checklist Citizens’Digital researchers have put together an ;IFVSSXHIǻRIW&RXMZMVYWWSJX[EVIEWƸETVSKVEQSVWIXSJTVS  4. 3. 2. 1. Protecting your system and the data it contains at Starbucks. your while you network activities areto encrypt computer from Starbucks; it’s also to to security.ing easy dowith a operate It’s very easy enough basic security. lows attackersword from being sent unencrypted, which al- very easy Thisprevents your connection. pass- encrypted access for bypassingpassword orwatch to to listen asong amovie. you realize you probably to enter don’t a need word. that And password prompt should make RAT the installing pid, askyou will for your pass- HMǺIVIRXTEWW[SVHWSMJ]SYHSWSQIXLMRKWXY or Admin Create account. a with user asecond for2e6-000000000000 some ideas how to do it. EVXMGPIGS\$EVXMGPI.H"JIGIHI www.cox.com/residential/support/internet/ iseven better. outhttp://a passphrase Check us/en/home/resources/tips/pc-security/security-what-is-anti-virus-software remove software viruses, and other malicious software like worms, (T)rojans, adware, and more.” http://www.webroot.com/ Being awareBeing of where you hasnoth- connect to an Only using your connect mailserver 3IZIVSTIVEXI]SYVGSQTYXIVYWMRKXLIǻVWX Create Using asecure password. use and - GPMGOSRTSTYTIVVSVW[MXLSYXVIEHMRKXLIQǻVWX puters, always and blindly Don’t worst. the assume word—educate yourself onhow to safely com- use KVEQWXLEXEVIHIWMKRIHXSTVIZIRXWIEVGLJSVHIXIGXERH This whole thing can be summed upinasimple summed be can This whole thing > > ruses, but will protect butwill ruses, known against viruses. are found. not Thiswill stop newvulnerabilities vi- Manufacturers update their applications once updates asthey are applications released. install > > website.” by sent webmasterbe database of the acareer linked to spam email messages have backdoor attacks been Ivy “Poison zation, that pretend to to SpywareRemove.com, ananti-virus organi- According attacks. phishing to linked are viruses, Malware,should screened. be Trojan including outof character for seem which that individual, ed with caution. Even emails from known users, capture information. other passwords and possibly monitor what you are even and doing can others means free with Wi-Fi locations other RIX(SRRIGXMRK]SYVW]WXIQEXGSǺIIWLSTWERH phone. ifyou onyourespecially doalot of transactions too, foranti-virus. Thisgoes your smartphone AV ratings at http://www.pcmag.com/reviews/ market are onthe grams some and free. Look at keepand itupto date. There are many AV pro- clicking on a link within anemail. within onalink clicking or too to busy realize what you are by doing

Have anAnti-Virus (“AV”) Patch your web OSand browsers regularly and Emails fromEmails unknown should treat- users be awareBe of where you to Inter- the connect 23 Hackers count curious onyou being ȃ h program installed installed program

SELLING “SLAVING” // 31 following: Ivy. Poison supplemental program for removing viruses like VYWETTPMGEXMSRW&PWSQER]SJXLIWIQEOIWTIGMǻG load the application. to aclean system to research dothe down- and referencein the to remove section Trojan. the Go > to avoidon paper spied being > If you suspect youIf you are suspect infected, do the then There are many that make companies anti-vi- XSVVIRXǻPIWERHQEP[EVI report shows the correlation between movie and ing virus protection virus ing from now on.” from Internet, the you may want to us- consider QSZMIǻPIW.J]SY ZIFIIRHS[RPSEHMRKQSZMIW Trojanthat this through normally hacked infects consensus it's ageneral noted “but participant one Ivy, Poison like viruses Trojan remove to how onYahoo Inaposting address dangers. which tial >

;LIRWYVǻRKXLI.RXIVRIXFIEPIVXJSVTSXIR HMǺIVIRXGSQTERMIW[MPPGSRǻVQXLEXXLI8VS » Get one or more of the applications or steps orsteps ormore one of applications Get the Cover your camera with an opaque piece of

348* YWMRKX[SHMǺIVIRXETTPMGEXMSRWJVSQ 24 A recent DCA DCA Arecent - -

following: til youtil are sure system isfree the from virus. the > organization remove that can Trojan the for you. point. browsers. > > > > > may need to utilizemay apassword manager. need you passwords for multiple sites orapplication, Once your system is free of the Trojan, do the

» the latest version latest Trojan. ofthe the you are use itwillnot get upto date otherwise Makejan iseliminated. sure applications the Do not do any more transactions or posts un- orposts not doanyDo more transactions When indoubt, take your When system to atrusted asystem back-upDo set anew and restore System web Patch the and Operating the Clear your web browser history. and cache » the infection. the FYXMQTSVXERXXSQMXMKEXIVIWMHYEPIǺIGXWSJ compromised. Thisisanannoying process, Change your passwords. Ifyou have multiple are sure free. system isvirus the cleaningtem ituntil you besides for anything

The safest thing to safest doisnot thing sys- toThe the use If infected, any web likely password ismost

SELLING “SLAVING” // 32 MORE REFERENCESMORE RAT ON REMOVAL > > > > > > >

http://www.ehow.com/how_6815580_remove-poison-ivy-trojan.html http://www.clamav.net/index.html http://winzip.com/prodpagemp.html http://www.spywareremove.com/removePoisonIvy.html https://security.symantec.com/nbrt/overview.aspx? LXXTW ERW[IVW]ELSSGSQUYIWXMSRMRHI\$UMH"&&W5 http://www.pcmag.com/reviews/antivirus » remove and identify aTrojan, not continuously your butdoes system. scan » » » » » » Symantec tools tools Symantec to severalThis haslinks AV (Trend apps Micro, McAfee, Symantec) TrojanTips onremoving Ivy Poison Review of anti-virus programs AV—not type scanner This tool isaone-time to continuous protection. Good Winzip Product it with Has tool associated 96

SELLING “SLAVING” // 33 SUMMARY AND RECOMMENDATIONS pearance-and-performance-enhancing-drugs pearance-and-performance-enhancing-drugs downpulled marketing hundreds of ap- videos coverage media ofAfter ourresearch, YouTube looked all previous for The enues Google. four reports at videos onYouTubeed rev- advertising generate which post- at looking dangerous videos report ance &PPM (MXM^IRW that )MKMXEP ǻJXL XLI MW 8LMW GSQTPMGEXIH marketed illegalbeing, you might want to reconsider your priorities. activity.device, information, your your personal and well risktoue of the your free movies isworth music and ERHHS[RPSEHWXLIQEPMGMSYWǻPI.J]SYJIIPXLIZEP ad the tors don’t clicks make user until the money are pay-per-click site’s That the means ads. opera- Bad Still Going Money searchers working onourMay 2015 report, bymoney infecting your computer. re- MediaLink providing a service, but some of them in fact make to sites of be claim these Operators sites. on these do, dangerous more and material the we traps see will infect your computer. more The research we able over Internet wasdealtreal the world justice. responsibleperson for makingthosedrugsavail- were now Road and experience, the Silk not adigital onthe drugs bought who deaths ofThe people the to life wassentenced inprison. who Ulbricht, Ross sage from sentencing of former Silk Road kingpin darkest corners of the Internet. Consider the mes- orinthe corner it’s street onthe equally whether should treated be Criminalactivity women. tacking ly to hesitate drive kiddies before script some at- and simple. Stronger sentences will almost certain- pure issexual assault, oncamera form sexual acts Forcing sex with crimes. women to girls and per- able to young charge women attack ratters who up to take over. prosecutors should For be starters, QIRXMHIRXMǻIWERHTVSWIGYXIWSRISXLIVWWTVSYX here are the ratters themselves. When law enforce- 8LIVIMWRSHSYFXXLEXXLIQSWXWIVMSYWSǺIRHIVW As for the videos onYouTube, for videos As the isabitmore this simply,Quite sites to content visits theft regular enablers? what the But about , found ads many malicious Good Good - - tims of RAT attacks. No one—be it a ratter or a mul- a or ratter a it one—be No RAT of tims attacks. to vic- painful and the asdevastating could just be adeviceSlaving butit may aphysical attack, not be vate personal and moments sensitive information. next to videos showcasing profound ratters’ risks. health IVWLIEPXL]GSYPHTVSǻXJVSQETVSHYGXTVSHYGMRK purges of how to acompany custom- keeping dedicated fy pri- cy’s executives decided they could no longer justi- pharma- The cigarettes 2014. selling inSeptember that for store CVS drug the when chainstopped the question they to need ask themselves.” EPPS[XLIWITISTPIXSQEOIQSRI]SǺXLEX$8LEXƶW arevideos clearly directed towards evil, should you outthere where their that videos arepeople putting evil,’” be ‘don’t Aken. for case, “Well, Scott inthis said Tube itshould? itmean does can, from You- RAT sharing because just But tutorials. [MXLXLSWIIPIQIRXWXSǻRHELSQISR=SY8YFI There’s IPs. public sharing and reason no for videos vade” aperson’s home, showing pictures of victims to study malware.forts down hackers’ could videos harmethical these ef- Remote about Access Trojans.videos all Pulling view share and white also hand, other hats the On devices they’ve whose slaved. of those faces the featuring IPaddresses, and public sharing victims, getting about talking ratters that include of videos video.” the posting There person of are the plenty intent the content and onthe video ofpends the Attorney Hsusays U.S. de- “it Assistant area. As how of to agrey doitis,well,someone something proval. While spreading aRAT showing isillegal, availableprescription drugs adoctor’s without ap- (steroids), stolen and credit drugs, cards, illegal It is time for Google to stop running advertising to for advertising It istime stop running Google muchlike forThis could amoment Google be statement onthe itself to pride used “Google However, there is nothing stopping YouTube hackers “in- that would videos ethical notBut post

SELLING “SLAVING” // 34 app submissions to Google Play. to Google submissions app would violations reviewnal team for looking policy catch. In March, automated may systems items its not alwayscheck Google announced that an inter-of women children and around world? the revenge right toporn, violate the and privacy porn, to make used tough child ontools getting about ERIǺSVXXSTVSXIGXVIZIRKITSVRZMGXMQW'YX[LEX SǺMXWTPEXJSVQW7IGIRXP]XLIGSQTER]ERRSYRGIH ,SSKPILEWQEHIIǺSVXWXSOIITGLMPHTSVRSKVETL] solution to the problems it is creating. To its credit, vertising programs, partner like AdSense? spread terror.ters their can Mijangoses, theAbrahamses,andfuture super-rat- Hack Forums, YouTube provides aforum where the Yet aswe saw from numerous conversations on ucts, YouTube, should be the ratters’ tool of choice. a great prod- of company one its and like Google SJTVSǻXJVSQXLIWIEXXEGOW8LIVIMWRSVIEWSR[L] company—should dollar tibillion make onepenny associated with child with porn. associated blocked and 100,000pornography search terms tobrought block spot child and in200 engineers to access that website because it's dangerous.’”to website that access because website, they could say, ‘Sorry—you’re not allowed ifyouand are to presented alink amalicious with plowresources into data of all this to apool further ofhas alot their What some ifthey use of data. this already “Google 'before' onthem. links click people detect morein Chrome malicious could that help ther develop their safe browsing technology with- pictures IPs? their and of victims onYouTubevideos forthat include looking those create ahumanteam to review malware tutorials Scott Aken had a suggestion for fur- Google: AkenScott hadasuggestion Google does on occasion use human beings to humanbeings use onoccasion does Google might argue Google company that the hasthe safeguards ad- addsome to could its Google So 26 Why can’t Google Why Google can’t 25 In 2013, Google XLIƸWPEZMRKƹTVSFPIQMRWXIEHSJTVSǻXMRKJVSQMX evil activities.YouTube Google slow the and spreading of the their videos is in a position[EVHSǺXLIVEXXIVWXLEXEVIWIPPMRKƸWPEZMRKƹMRXLIWI to help solve to help skills and tools its use company can the crime. As a consumer advocacy group, we believe future. the about think hope that the people at Google decide it is time to [MPPXLI]GSRXMRYIXSTYXTVSǻXWFIJSVITISTPI;I spreading across devices over all America? Or, Google take action to stem a rising tide of RATs WHO APPROVEDWHO THIS? ONE SIMPLE QUESTION: tisers wondering how that could happen. adver- many with even ISIS, to sympathetic videos to howswered about adscould next run questions that humiliate children?videos YouTube hasn’t an- Who, orwhat, would approve to next advertising Program advertising. Partner with running videos revenues.ceive of the asplit inturn,which, allows “YouTube the to re- Partner” “approved for monetization” to enable advertising on monetizationtent. YouTube The Program’s Partner guidelines AdSense account to begin monetizing their con- state aGoogle contentProgram, the creator start must that each video must betising revenue. YouTube agrees to adver- of give the asplit them Tube permission to include the ad while, in return, YouTube’s They Program. have given Partner You- of are videos part the Many posting people of the vertising at the time our researchers found them. ad- included report inthis shots screen All the YouTube There isno Program participants. Partner now, revenues splits Google 55/45 witheligible We’re a has committed Google not asserting money. would steps Such Google will cost But So someone,So or something, “approved” the In order of YouTube to the amember be Partner 27 Right

SELLING “SLAVING” // 35 the AGs’ letter. AGs’ the was Google’s response from to own its description tionable UYIW XLI JVSQ MRGSQI ƵQMRMQEPƶ HIVMZIW ,SSKPI videos.” that reported newspaper Oklahoman The tivities, To be clear—theTVSǻXWJVSQZMHISWQEVOIXMRKMPPIKEPERHMPPMGMXEG wordXSVRI]W,IRIVEPUYIWXMSRIH,SSKPISǽGMEPWEFSYX “minimal” for two States awhile.questions after At- In2013, materials. cious of mali- pushers of the pockets inthe put money aggressive that of rejection and monitoring videos more in result likely would this act; to Google force marketing ‘slaving’ videos to these next that could adsrunning their that see ble. companies Itisthe who—unintentionally—make thisrevenue possi- advertisers company fromless the hears very the incentive to suchaprogram—un- for end Google Google need to continue to run ads next everything everything next ads run to continue to need Google ,SSKPIERH=SY8YFILEZIJIRHIHSǺXLIWI 28 LXXTW WYTTSVXKSSKPIGSQ]SYXYFIERW[IV$LP"IR If it is so “minimal,” then why does IF YOU SEE AVIDEO SHOWING VICTIMS OFRATTERS, YOU CAN REPORT THE VIDEO TO YOUTUBE AT - - happening to them.” selves was victim’s ifthis inthe imagine and shoes Honestly,this. Iwould to tell putthem- them just QSRI]SJXLMWERH,SSKPIMWQEOMRKQSRI]SǺSJ Tube that are people are this the and doing making promoted being room onYou- now and in their its watched daughter wasbeing that ifitwas their ine to put themselves in(the victim’s) imag- and shoes… Wolf, would she need “They tell said Google: who could handle from that came question Cassidy follow. will others slaving, against a stand world’s ofIf one the takes admired most companies Internet asadefense? freedom itclaim can videos, Trojan tutorials? from ISIS videos to illegal drugs to Remote Access Perhaps the best advice onhow company advice the best the Perhaps If Google continues to sell ads beside slaving that is generated from the ads. ads. from the generated is t that a account, you earn revenue a account with your YouTube AdSense an associated y you've After video. the near or i inside YouTubetion, t ads place will anda approved for monetiza- submitted is video your Once O money?m make myvideo can • How t tization t tube.com/account_mone- athttps://www.you-f found g guidelines and information • • YouTube monetization IMAGEI 35

SELLING “SLAVING” // 36 APPENDIX A APPENDIX Procter &Gamble 30, 2015 June 34)—found 30, Image (pg. Plan New York Yankees 20, Ticket (pg. 18)—found Image Exchange 2015 March 3, 3IXǼM\ TK.QEKIƴJSYRH/YP] 20, (pg. 17)—found Image 2015 Mini Cooper 25, June Tours, Blue Go 27, (pg. 30)—found 30, 2015 Image June 2015 7)—found Image 29, April 13, (pg. Geico JulyESPN Fantasy 7, 15)—found Image 19, Football (pg. 2015 Ensilo 27, (pg. 22, 2015 June 31)—found Image 27, (pg. CoverGirl 30, 30)—found 2015 Image June 2014 4, December 1)—found Image Chevrolet 3, (pg. March 21)—found Image 17, 21, (pg. Boeing 2015 7, (pg. Knight Arkham Batman 2015 25, 2)—found Image February Audible, anAmazon 3)—found 8,Image 10, April Company (pg. 2015 ExpressAmerican Travel (pg. 7, Image 2)—found 2015 February 25, 8)—found Image 12, 2015 April 14, (pg. Boat Allstate 17,Acura (pg. 2014 November 14, 14)—found Image SJERHǻVWXLEPJSJ RAT with onpages ments onYouTube promotional videos quarter fourth inthe Citizens for researchers Digital which foundCompanies/Products advertise- Zulily 20, (pg. 19)—found Image July 17, 2015 Wells Fargo 16)—found Image 19, July (pg. 16, 2015 :ERW4ǺXLI;EPP TK.QEKIƴJSYRH&TVMP 9RMǻIH(SQQYRMGEXMSRW TK.QEKIƴJSYRH/YRI Wall 2015 The 29)—found 26,Image Street 25, April Journal(pg. Sony Pictures Entertainment, /ArizonaStarbucks 12, 2015 April State 16, 12)—found Image (pg. University 2014 3, 20)—found Image 21, (pg. December Samsung EACH SCREENSHOT OF YOUTUBE PAGES AND WEBSITES WAS GRABBED DURING DIGITAL DURING WAS YOUTUBE OF PAGES GRABBED WEBSITES AND EACH SCREENSHOT April 14, 2015 14, April Minions » »

&P[E]W TK.QEKIƴJSYRH/YP] 'SYRX] TK.QEKI JIEXYVMRKGLEVEGXIVWJVSQ3'(9RMZIVWE CITIZENS RESEARCH AND MAY NOT REFLECT THE CURRENT STATUS MAY AND CURRENT THE RESEARCH NOT REFLECT CITIZENS ANYPAGE. OF )—found July 7, 2015 Paul Blart, Mall Cop 2 MallCop Paul Blart, (pg. 28, Image 33)—found 28, 33)—found Image (pg. PǻPQ

SELLING “SLAVING” // 37 APPENDIX B APPENDIX Emeryville, CA Emeryville, OH Elyria, Columbus, OH OH Cleveland, SC Catawba, PA Cynwyd, Bala TX Austin, Ads: without found cities onVideos IPs inthese Denver, CO Corpus Christi, TX Columbus, OH Collinsville, IL Clarksville, TN (LIWXIVǻIPH24 Brandon, FL 'EOIVWǻIPH(& GA Alpharetta, Albany, OR Ads: with found cities onVideos IPs inthese Slaved Found Devices From Information onYouTube Jacksonville, NC Independence, IA Hollywood, FL Hickory, NC Henderson, NC Halcottsville, NY Flint, MI Los Gatos, CA Los Angeles, CA Kearney, NE City,Kansas KS TN Jackson, NJ Jackson, MS Jackson, CO Ranch, Highlands Greensboro, NC ND Fargo, Phoenix, AZ Phoenix, PAPalmerton, Old Town, ME New York, NY New LA Orleans, Madison, WI Littleton, CO Sherman, CT Sanger, CA Sacramento, CA Ramsey, NJ AZ Phoenix, NE Omaha, New York, NY Mukwonago, WI Milwaukee, WI KY Louisville, West Lafayette, IN Lafayette, West NY Utica, Suttons Bay, MI South Richmond Hill, NY Lake City,Salt UT Richardson, TX NM Portales, Woodstock, IL HI Wai'anae, WA Tukwila, NJ Trenton, Tampa, FL Tacoma, WA Falls,Sioux SD and without ads. without and addresses in videos with • The map includes IP IMAGE 36

SELLING “SLAVING” // 38 APPENDIX C APPENDIX TOTAL RAT Bifrost use and How to download RAT Blackshades use and How to download njRAT use and How to download RAT DarkComet use and How to download RAT Ivy Poison use and How to download lowing step by step approach: RAT Ads with Running onYouTube: Videos ERHTR #O EUT ( AE) /D VLDHT % W/ADS (%) VALID (%) HITS W/ADS PAGES) (2 RESULTS #OF TERM SEARCH . Again manually onpages view eachvideo 4. 2 Manually 1and onpages view eachvideo 3. of that come results number the Determine 2. Search for to “How download __ use and RAT” 1. above table The wascompiled by fol- the using

next to or inside of the video. to video. of orinside the next and have at least one advertisement running criteria hit for the ads hadto avalid meet hitwith Avalid ads. with hits of valid number 2of1 and search to results determine the hitread below).valid (for to hits criteria determine a used the valid of of search to number results determine the up for that search term. ,2 3 f3 1 f3 9% 30% 35% 97% 48% 95% 48% 10 of33 26% 100% of40 14 of34 33 100% 19 of 40 of40 38 82% 4,520 19 of 40 40 of 40 2,250 9of34 40 of 40 11,300 28of34 9,920 2,500 040 7 f18 1o 8 9% 38% 95% 71of188 179 of188 30,490 VALID HITS VALID HITS VALID HITS VALID HITS VALID HITS VALID For more to: go not deleted detected and by anti-viruses. or any RAT toolǻRIHEWWSJX[EVIYWIHXSLMHIZMVYWIWOI]PSKKIVW from anti-viruses so that they are lowing hit”: criteria a“valid to determined be crypter-how-it-works.html http://way2h.blogspot.com/2013/02/what-is- According to Way isde- 2Hackintost, ACrypter 5. to alink download Include that a“crypter” 4. 3. to alink download Include Remote Ac- the 2. to “How and use language, the Include 1. ormore one fol- hadto of the meet Each video in the subject line. subject in the on how to download and/or “crypter” the use .RGPYHIWTIGMǻGMRWXVYGXMSRWHYVMRKXLIZMHIS detected onavictim’s computer. Trojan aRemote Access enables to un- go Remote Trojan Access line. subject inthe on how to download, spread, and/or the use .RGPYHIWTIGMǻGMRWXVYGXMSRWHYVMRKXLIZMHIS GIWW8VSNERWTIGMǻIHMRXLIZMHIS download XRAT” itself. video title orthe inthe

SELLING “SLAVING” // 39 ACKNOWLEDGEMENTS many 1 research, this of saw learned and doing we also that we things saw cruel and while For sad the all swering ourquestions: research fortions their sharing publicly an- and JVSRXPMRISJXLMWǻKLXXSTVSXIGXGSRWYQIVW isonthe community security Thecyber expertise. research for their sharing and experts and alysts that wegested ask. hadn’t Hat if“Hemu” sug- student atcollege Black the previously mentioned conversation with the We issue. usonthis educating would not have had Citizens of hackersfor victims before since the Digital the Alliance even existed. advice. and help We thank for looking reachwho media outto viasocial her him for Wolf Cassidy to responds light. tostory RAT victims aswe ourteam inspiration with vided brought this Wolf Mary and sidy for They pro- working us. with ing some understand complicated issues: TGǻEP IH MI S LRXII SVKERM^E XLIWI XLERO XS PMOI [IƶH TIGMǻGEPP] an- we security Also, want cyber to the thank -IQERWLY3MKEQSJ5'PYILEWFIIRǻKLXMRK > > > > to help- expertise shared their individuals These > > > > > > >

and Shevirah Weidman, Georgia founder Security of Bulb Legal Fellow of Law Adam College Rouse, Chicago-Kent PastoreJames Mid-AtlanticWill O’Neal, Computer Solutions Miliefsky, Snoopwall.com Gary Scott Aken Verizon Enterprise Solutions Symantec Nielsen Dell SecureWorks 'PEGOǻRIGYVMX] : 1 acts of kindness. We are grateful to Cas- - gerous individuals pushing malware: pushing gerous individuals work their to protectcussed from consumers dan- for answers: for search inthe deeper alittle usdig helped who Wesearch for report. this greatly appreciate those shared special skills: shared special we from got help talented professionals who PSXI EIJVIIX ǽMP[S HMW [LS SǽGMEPW IRJSVGIQIRX PE[ XLI &PWS > > > > There were some long hours spent on re- Also, when we needed to produce this report, > > > >

University Law School LawUniversity School Students Association, George Washington Green,Meghan President of the Cyberlaw (FBI) of Justice Department Eimiller, Laura at U.S. Relations Press &Public 4ǽGIJSVXLI(IRXVEP)MWXVMGXSJ(EPMJSVRME Attorney’s U.S. Section, Crimes tual Property Wesley Intellec- and Cyber of Hsu,Chief the TransPerfect PhotographyGreg Nelsen Studio FoxDog Lauren D. Shinn LLC Consulting, Outhaul Osborne, Patrick -

SELLING “SLAVING” // 40 ENDNOTES 15 Bogdan Popa, “The Pirate Bay Joins Google and Yahoo Yahoo and Google Joins Bay Pirate “The Popa, Bogdan 15 Holloway, Massoglia, &Dan Michael Andrews, Lori 14 Nate Anderson, “How an omniscient Internet “sextortionist” 13 victims’ hacking for 6years gets “Man McMillan, Robert 12 Nate Anderson, “How an omniscient Internet “sextortionist” 11 10 9 Women on Spy Who Men the “Meet Anderson, Nate 8 Cyber in Arrested 90 “Over Calder, &Rich Hagen Elizabeth 7 Teen USA Miss in guilty teen, “Calif. Goldstein. Sasha 6 at Criminal Complaint 7, 5 Markets,” Hacker “Underground SecureWorks, Dell 4 Coming” It Trojan Had Users “‘Blackshades’ Krebs, Brian 3 Year Rat—Threat The ofthe “2015: Report” Miliefsky, Gary 2 (http://www.pctools. Tools. PC Hacker?” aBlackhat “What’s 1 Websites-Ranking-85905.shtml) Pirate-Bay-Joins-Google-and-Yahoo-in-the-Most-Popular- (http://archive.news.softpedia.com/news/The- 2008. May 19 Softpedia. Ranking” Websites Popular Most the in uploads/4/1/8/3/41830523/digital_peepholes_2015.pdf) Law, Policy and Technology, Webcams: of Activation Remote Peepholes omniscient-internet-sextortionist-ruined-lives/) (http://arstechnica.com/tech-policy/2011/09/07/how-an- 2011. 7Sept Technica. Ars girls” ofteen lives the ruined victims--computers-to-extort-photos.html) cybercrime-hacking/man-gets-6-years-for-hacking- 2011. (http://www.computerworld.com/article/2510927/ 1Sept ComputerWorld. photos” toextort computers omniscient-internet-sextortionist-ruined-lives/) (http://arstechnica.com/tech-policy/2011/09/07/how-an- 2011. 7Sept Technica. Ars girls” ofteen lives the ruined breach-investigation-report-2015-insider_en_xg.pdf www.verizonenterprise.com/resources/reports/rp_data- 'EWIHSRǻKYVIWJVSQ3MIPWIR their-webcams/ breeders-meetthe-men-who-spy-on-women-through- http://arstechnica.com/tech-policy/2013/03/rat- (Mar. 10,2013), Technica, Ars Webcams” Their Through usahacked-again-in-massive-cyber-breach/ http://nypost.com/2014/05/19/miss-teen- 2014), 19 (May Teen Miss USA,” Ensnared that Breach 18-months-prison-article-1.1724809) com/news/crime/mastermind-teen-usa-sextortion-plot- (http://www.nydailynews. 17York Mar. News. Daily 2014. New prison” in to18months sentenced plot, ‘sextortion’ 17, Sept. 2013) Cal. (C.D. 00199-JVS hacking-report.pdf com/assets/pdf-store/white-papers/wp-underground- 2014), (December com/2014/05/blackshades-trojan-users-had-it-coming/ http://krebsonsecurity. 2014), 19 (May Security on Krebs SMiliefsky-SnoopWall_downloadPDF.pdf content/uploads/2014/12/2015-Year-of-The-Rat-by-Gary- (2015), com/security-news/blackhat-hacker/) Verizon 2015 Data Breach Investigations Report Investigations Breach Data Verizon 2015 available at available . 2015. (http://www.ckprivacy.org/ . 2015. available at available http://www.snoopwall.com/wp- U.S. v. Abrahams U.S. , http://www.secureworks. cåƾƐ¥ŇŹīƐ{Ňžƒ , No. 8:13-cr- , No. , http:// Digital

28 Andrew Knittle, “Google claims it makes little money money little makes it claims “Google Knittle, Andrew 28 appearing from ads tohalt seeks “P&G Brunsman, J. Barrett 27 26 Play Google On Perez, “App Submissions Sarah 25 virus Ivy Poison Iremove the do “How Yahoo! Answers, 24 17, (Apr. Remove. Spyware “PoisonIvy” SpywareRemove, 23 Trend 2014” 1H Micro. Roundup: Landscape Mobile “The 22 21 Would How You Have Stopped “Carbanak: Kessem, Limor 20 Alliance, Citizens Digital 19 Teen USA Miss in guilty teen, “Calif. Goldstein Sasha 18 Andy, “Google Blocks Demonoid For Spreading Malicious 17 “THEPIRATEPARTYBAY: THEPIRATEBAY.ORG16 AND THE objectionable-content/article/3873056) claims-it-makes-little-money-from-videos-with-illegal-or- (http://newsok.com/google- 2013. 18Aug Oklahoman. from videos with illegal or objectionable content” The appearing-with-isis.html) news/2015/03/04/p-g-seeks-to-halt-ads-from- (http://www.bizjournals.com/cincinnati/ 2015. 4 Mar with ISIS propaganda videos” Cincinnati Business Courier. permalink/2013/11/18/googleblocking (Nov.News http://www.digitalmusicnews.com/ 2013), 18, Music Digital Pornography…” toChild Related Queries 5EYP7IWRMOSǺƸ,SSKPI.W3S['PSGOMRKIEVGL RS[VIZMI[IHF]WXEǺ[MPPMRGPYHIEKIFEWIHVEXMRKW com/2015/03/17/app-submissions-on-google-play- Ratings” 3S[7IZMI[IH']XEǺ;MPP.RGPYHI&KI'EWIH 2015) 16, July UYIWXMSRMRHI\$UMH"&&W5 PEWXZMWMXIH from my laptop?” html 2009), http://www.spywareremove.com/removePoisonIvy. roundup-1h-2014 security/news/mobile-safety/the-mobile-landscape- http://www.trendmicro.com/vinfo/us/ 2014), 26, (Aug. control_trojan/) (http://www.theregister.co.uk/2014/06/26/industrial_ 2014. Jun 26 Register. The EUROPE” in software control /SLR1I]HIRƸ&XXEGOIVWǼMRKXY\RIXWX]PI7&8WEXGVMXMGEP you-have-stopped-a-1-billion-apt-attack/#.VZGQW_lVikr) (http://securityintelligence.com/carbanak-how-would- 2015. Feb 23 Intelligence. Security Attack?” APT a $1 Billion bb0a-edc80b63f511.pdf) 5E3BD824CF47C46EF4B9D3A76/298a8ec6-ceb0-4543- (https://media.gractions.com/314A5A5A9ABBBBC 2015. Business Ad Online The of Hijacking The and Thieves 18-months-prison-article-1.1724809 com/news/crime/mastermind-teen-usa-sextortion-plot- ¥ŇŹīƐ%±ĞĮDžƐcåƾž prison” in to18months sentenced plot, ‘sextortion’ software-140508/ com/google-blocks-demonoid-for-spreading-malicious- (https://torrentfreak. TorrentFreak. 2014. 8May Software” the-pirate-bay/) PIRATEBAY.SE” TorrentFreak. (https://torrentfreak.com/ TechCrunch (Mar. 17, http://www.nydailynews. 2014) available at available . (Mar. 17, http://techcrunch. 2015), Good Money Still Going Bad: Digital Digital Bad: Going Still Money Good https://answers.yahoo.com/ cåƾƐ . May . May

SELLING “SLAVING” // 41