SELLING “SL AV ING” OUTING THE PRINCIPAL ENABLERS THAT PROFIT FROM PUSHING MALWARE AND PUT YOUR PRIVACY AT RISK

JULY 2015 TABLE CONTENTS OF PROTECTING FROMREMOVING AND RAT RATS OF FUTURE THE ...... A RAT—THEUNLEASHING ART OF SPREADING YOUTUBE ARAT HAS PROBLEM STORIES CRUELTY—“RATS” OF ATTACK THE ON . CHEAP, EASY-TO-USE MALWARE THAT PAYS FOR ITSELF SELLING WHAT CAN RATTERS DO?...... SUMMARYEXECUTIVE REPORT THIS ABOUT TABLE IMAGES OF ...... TABLE CONTENTS OF APPENDICES SUMMARY AND RECOMMENDATIONS RAT REMOVAL ON REFERENCES MORE ENDNOTES ACKNOWLEDGMENTS Dirty Rats: How Into Rats: Hackers Are Your Peeking Dirty ...... Bedroom Appendix A SimpleOne Question: Who Approved This? Appendix B Appendix C “ SLAVING ...... ” ...... s ...... 37-39 40 38 39 29 35 34 33 37 22 10 41 13 31 6 8 7 3 3 II 1 I

SELLING “SLAVING” // i TABLE IMAGES OF promotional videos, please go to Appendix A RAT with for pages on Citizens researchers Digital found advertisements For advertisers index an of the views. of thousands tens of cases, some toin three fivegetting, and years quickly. as are just to from up posted anywhere exposed of we’ve victims faces Also, with videos seen to Unfortunately, achild organization. safety video the ed we’ve down, is taken one more when that seen YouTube. on up longer Citizens report afew Digital down taken was after around March weeks One 2015, here are are that listed from no videos four screenshots of the weAt time publication, completed this the 36 IMAGE 35 IMAGE 34 IMAGE 33 IMAGE 32 IMAGE 31 IMAGE 30 IMAGE 29 IMAGE 28 IMAGE 27 IMAGE IMAGE 26 25 IMAGE 24 IMAGE 23 IMAGE 22 IMAGE 21 IMAGE 20 IMAGE 19 IMAGE 18 IMAGE 17 IMAGE 16 IMAGE 15 IMAGE 14 IMAGE 13 IMAGE 12 IMAGE 11 IMAGE 10 IMAGE IMAGE 09 IMAGE 08 07 IMAGE 06 IMAGE 05 IMAGE 04 IMAGE 03 IMAGE 02 IMAGE 01 IMAGE Video on YouTube: Blackshades NET 4.2 Cracked FREE DOWNLOAD!.mp4 . FREE DOWNLOAD!.mp4 Cracked YouTube: on 4.2 Video NET Blackshades ...... 7 YouTube: on BYVideo Marco-Hacker )Hacked (victim Girl Sexy YouTube: on Video . njRAT V0.6.4 Cassidy and Mary Wolf Mary and Cassidy ...... guys and $1 $5 for for girls of devices the to access Offering Forums: Hack ...... ads without and with both videos on found cities these in IPs Map: YouTube...... Program Partner YouTube: on Video RAT Adwind ...... V-3.0 Dev-Point YouTube: on Video Tutorial HF ...... One YouTube: on Video Tutoriel Torrent411 ...... Spread YouTube: on ...... Video RAT [TUT] Spread torrents on [TUT] YouTube: on ...... Video RAT [TUT] Spread torrents on [TUT] YouTube: on Video YouTube RAT [TUT] Spread torrents on TUT] ...... hackforums.net room, chat From hackers’ Forums: the Hack ...... hackforums.net room, chat From hackers’ Forums: the Hack ...... hackforums.net room, chat From hackers’ Forums: the Hack ...... hackforums.net room, chat From hackers’ Forums: the Hack 6/24/15 from rats" for...... "spreading results search Google ...... email Airlines -Fake American Example Phishing Spear . наказал! себя Сам считами? YouTube: on вблокаду Video Поиграл DarkComet: YouTube: on Video ...... ProSpy RAT basicas -Funciones Video on YouTube: h4ck3r14 Action BlackShades 1/100. YouTube: on BlackShades Video Action h4ck3r14 YouTube: on Video ...... darkcomet on slave with fu----- YouTube: on Video ShadowTech...... RAT action in YouTube: on ...... Video Shoaib_Crunchi By Method Keylogger Predator ...... Dotы вылета из-за ибомбёжка YouTube: -Соплижуй on #11 Video вDarkComet Веселимся Video on YouTube: ...... YouTube: on BYVideo Marco-Hacker )Hacked (victim Girl Sexy ...... ads with videos on found cities these in IPs Map: YouTube: on ...... Video (Full Tutorial) Voice HD R.A.T narration Comet Dark How to setup Video on YouTube: YouTube: on Video NjRaT Victims -. Hack Forums: Ratter advice thread YouTube Forums: Hack ...... to another ratter one from tips for "YouTube" Search Forums: Hack ...... YouTube: on 1...... Video -Episode Pranking Dark-Comet ...... njRAT njRAT XtremeRAT v2.9 ...... HD ...... 30 36 38 20 20 20 26 26 28 28 24 25 25 23 27 27 22 10 16 16 19 19 14 14 15 15 13 13 21 21 21 17 8 9 3 -

SELLING “SLAVING” // ii ABOUT THIS REPORT THIS ABOUT tect you from Ebola. tect you from Ebola. promalware will vaccine polio anymore the than it won’t program, rus protect you from zero-day anti-vi 2013 a having off better still are you While to protect ourselves. needed don’t have tools the consumers are We outgunned outmanned. and b a ofdevelop malware anew generation to talents have some their but used things, good to images freely. and share thoughts allow that us applications and through technology innovatorsthe have who break developed the of because off better all are commerce—we and revolutionized Internet has The creative thinking ing toing Internet breach security bypass or try (someone hats black the with up keep that to applications developare security struggling toresources develop skills. need they their the find to networks nefarious more as well as nies - compa trusted hackers relythese established, on ture We to built hackers. tocater aspiring saw that Wetools. found increasingly an sturdy infrastruc went for and howlooking ideas arethey sharing disrupting the lives of families across We America. agrowing of subset posal, hackers—or ratters—is dis at weapon their this With young adults. and is agrowth industry. es, nately malware, it caus making disruption the and

at http://www.urbandictionary.com/define.php?term=script+kiddie available Kiddie, Script Dictionary, own.” Urban your of skills having implies generally "blackhat" term; this with them dignify to even refuse most but ablackhat to be aspires route this follows who anyone “obviously and work” they how to learn to bother refuses and hacking, his conduct to ("scripts") files and programs exploit premade on relies who as “one kiddies script defines Dictionary Urban http://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx at available Glossary, Gallery, Protection Malware malware.” of Microsoft, types all are trojans and worms Viruses, spam. to send PC your use or aransom, pay you until PC your lock details, banking your steal can malware Some information. personal your stealing as such PC, our on actions unwanted perform that programs for name general The software. malicious for “Short as “Malware” defines Microsoft creators of digital want to majority do vast The The white hats (a.k.a ethical computer hackers) computer ethical (a.k.a white hats The That malware of teens into hands the is getting a . Unfortu . 1 ). We the ------semi passed through. semi passed were a as unfortunate to just “data-bahn” cross the that kill” like “techno-road almost sound people of make ratters enablers real principal The tainable. Internet safer, the making smarter, more sus and censorship” to down shut any conversation about advocates screams with ofconsumer “Internet lowing actors to bad against thrive. back They push for al accountability byened—simply demanding could threat be of opportunity new land the as Internet’s believe the fearspotential who of those howfrom to sharing spread malware, stokes the profits which faction, This community. technology the within faction well-financed and vocal, a from decency. aboost get and ratters hackers and The and script kiddies hats black to the stop resistance, anything to doing apathy, we when see moremuch shocking even Trojans (RAT) Itmakes it that to prey innocents. on by hackers, “ratters” or Remote use Access who fooled and who’ve scammed, tricked, people been to great danger.girls, and consumers, particularly young women and exposing spreadenablers businesses help tools these platforms, on pushed products the ignore actively they hackers simply or assist Whether eos. vid cat or singles hit than different click-bait—no form of another malware-making in is just lessons and tutorials them, To clicking-fingers. itchy with by desire to together the draw viewers in bound hackers—a of the enablers cabal principal the ignore can’t We floodgates. the over rushing ists terrora product cyber hackers of dangerous and In our research, our In we’ve of young faces the seen We is not just realize must moment perilous this b leading this attack on privacy privacy on attack leading this , - - - - -

SELLING “SLAVING” // 1 have asked mali question—how one do these Ivy”,like “DarkComet”, “Cerberus”, “Poison and we told who student us we investigate should RATs we trust. know and companies crippling and devices, terrorizing our infecting citizens,ratters our hope this report will bring increased scrutiny to the It is our possible. attacks these making enablers pal princi the and malware, attack, under victims the deploying attackers research people—the is about this story; of the are only materials part malicious The slave devices of girls. young the womenand not even apenny—from malware sharing to used scribe the taking control of another user’s device. to de term used world. is the Slaving around the ers “slaving” devices of consumers and families freedom,” to hack adoor even opening if it means Since Black Hat 2014, where we acollege met Hat 2014, Black Since money—We making be should business feel no To them, there is nothing that trumps “Internet anyplace on Hack Forums Hack could on you,anyplace put your device, crosshairs of aratter. your the in and data YouTube many on of these seen links on Clicking quate expertise. protection and to and pages research. We its during to research strongly ade this replicate urge without you that not do try safeguards and tools up-to-date with workstations Citizens specialized researchersDigital used A WARNING TO CONSUMERS - - - - to the hunted. hunted. to the Trojans, hunters the connecting enablers the and ing” RAT. of kind specific each on details of Remote Access Trojans history the on more and ratters’ the in traps. caught real people of images and stories with experts security cyber these of findings the complement to hope our is malware It valuable learn from insight. and their were researchers fortunate with studying to speak We illuminating. and devastating is both nizations leave their traps. and findthelandscape right platforms on which to how digital to through the maneuver understand er, the pushers of these dangerous applications malware of the skill the design just is more than it that see We victims? many so to get files cious Digital Citizens is preparing a separate report Citizens report aseparate is preparing Digital orga- research security fromThe cyber coming looks at the victims, the ratters who push these these push who ratters the victims, at the looks Selling “Slav Selling - - -

SELLING “SLAVING” // 2 EXECUTIVE SUMMARY EXECUTIVE the entire year.”the my for mind never Citizens. “It passed told Digital not one clue of having someone watching me,” she had “I it aharrowing was prison, experience. federal hacker,to the to sentenced arrested and was who Even Wolf Ms. bedroom. though bravely up stood privatetook and pictures her in webcam of her ahacker control took after computer’s of her tion Wolf,dy of attempted extor victim the was who to spy you on your in it’s own And easy. home. your computer, atool become hacked, can when is a window er into on your private life. camera The world. what you But may not realize comput is that maybe even and youto wake bed when up. your before email check or you go Skype on friend there you may watcha with talk a movie Netflix, on from And even or yourin your bedroom, on bed. you’reIf atable on your people, sits like laptop most PEEKING INTO YOUR BEDROOM RATS:DIRTY HOW HACKERS ARE Take of Teen 2013 Miss case the Cassi USA That is awindow computer into your digital

- - - to children’s our bedrooms. access selling are they effect, In online. formation in that boys—and selling and then of young girls to “slaving,” take overlooking called computers, the are they but actively Internet users, unsuspecting not merely malware hackers that are on peddling websites.miliar are they and old more- unfa is high apt on to click thresh risk their because target are easy users an to Youngers malware threats. other and Internet sites found many us has that expose content theft For Citizensprogram. example, Alliance Digital the awebsite, on ad by or downloading acomputer website, online an out toing unfamiliar an checking Trojan,cess RAT. or a Remote to Ac deploy is called use easiest and of Internet today Trojan kind the is some the and tocess acomputer. a computer—aon to ac gain used program or virus malware with Itstarts it is is. how easy aspect bling And that is where it gets even It’s is where that more it gets troubling. And How you do malware? get by times click Often Approximately 70 malware percent of the all on trou most happen? The such athing How can had 1,361 views. 1,361 had video this screenshot, • ad. Chevrolet a was moment a private capturing video to the next bedroom. Running man together in a woman and a young showed a young • 01 IMAGE At the time of this this of time At the This YouTube video

------

SELLING “SLAVING” // 3 some troubling trends: and technically simple to use tool previous research RATs that are inexpensive an these results, we confirmed findings fromothers’ any to RATs malware. the interestedone obtaining in From offering people found we web, clear > Citizensfound investigation Alliance A Digital sites (i.e., The Pirate Bay, The sites (i.e., Torrents, Kickass and theft” YouTube“content that and saying ratters We practices. capturedbest multiple chats with > boysfor more than devices sold Girls’ consumers. on attacks cious mali their from money making thereby and es Forums, > to forward. come ashamed and Trojan are scared victims often because attack, aresult “slaved” as of aRemotebeen Access to know how many people’s have computers Itis difficult complythey aratter’s with demands. release the pictures to wider audiences unless arethey unaware threaten then to hack, of the when take pictures girls of the bedrooms, girls’ in frequently ratters The take control ofes. devices devic owners of the the to use “sextort” then can they privatewhich devices, informationthose off Fromdreds of devices. there, gather they can problem. 1 in > > > > > ➢Using popular search engines to scour the the scour to engines search popular ➢Using ➢Also ➢Also on Hack Forums, ratters shared tips about Hack page chat hacker popular the ➢Using used RATs that confirms enforcement Law : 1 attacks against consumers are a growing we found ratters selling slaved devic slaved selling ratters found we It takes ratters little time to slave time little Ittakes ratters hun . . - - - - - to catch animals. to catch animals. left traps like sites theft content on left are rials PDFs. These mate and links like malicious rials to mate build deceptive like Pirate t411 Bay and sites known content use how theft can ing ratters RATs. We found YouTube demonstrat tutorials for how on tips to looking spread kiddies script ratters recommending content sites theft to > fromenue Google. rev to acut get of areratters advertising poised program, of revenue partner the Using for ratters. YouTubetutorials, stream provides another also to to these remain next allowingBy advertising innocents. target that tutorials malicious these to revenue get of positioned sharing from the YouTube’sgames. parent company, is Google, evenand to New tickets York Yankees’ baseball included well-known cosmetics, companies, car videos. the alongside running advertisements RATs had best-known > dozens of other countries. totentially and devicesstates 33 in connected and IP addresses faces victims’ showing deployed successfully download the malware; RATs; spread and use could ratters where links and examples many showed that how included to tutorials of RATs Tube, of RAT we found The thousands tutorials. > to “spread” RATs. places weremusic) best the and movies provide sites that unlicensed other > > > Roughly 38 percent of the tutorials for the the for tutorials the of percent 38 Roughly ➢Also on Hack Forums, we➢Also found experienced ➢ You on searches of months eight almost ➢In . We po found addresses IP The advertising we found advertising The ------

SELLING “SLAVING” // 4 gation, Digital Citizens recommends: threats. the about parents tell their to afraid or may who feel ashamed young people it preys vulnerable— And most the on homes. our in wethat have should of security sense ter when the change the way it approaches this issue. When > victims. invading of privacy their the for illegally hackers punished is seeing terrents de of computer-related best of the One crimes. sources to increase regulation and awareness > are compromised. computers prehensive about letting their parents know their Citizens found are investigation teens that ap Digital nervous. or uncomfortable makes them behavior know if to any to come online them let and children safety computer them about > programs. sketchy websites downloading or ads and unfamiliar on clicking to when exposed be threattial can they poten to the young people and parents alert > it? about From done be what can investiSo our is agrowingThis problem threatens that to shat > > > > A solution exists, but it will require Google to require it but will Google exists, A solution re additional That law enforcement gets pre-teen and teen their with talk That parents to programs awareness of creation ➢The ------sonal privacy.sonal to point invadeis unwelcomenot an per our entry world ensurewe window to our that digital can our law enforcement. we If on, confront head issue this groups safety young and Internet users, of parents, nity, problem this is likely to more get complex. therefore and of technology opportu tion criminal and punished. And given the increasing sophistica caught don’t they get that so are on ers counting hack That is what the rug. the sweptnot be under To stop the hackers will take a concerted effort effort concerted a take will hackers the To stop can that issue is aserious this is clear: thing One and sufferingpain the theycause. be can’t worth revenues ad and bait from tutorial slaving videos click- not should be victims These platforms. eo such vid on advertising immediately cease and a team human assign to reviewing videos these should Google protection. and concern same the Play. Google deserve on apps victims Hacking of to and quality ensure the child pornography for of search queries block tens of thousands clearly in human Bringing teams can’t. helped team to ahuman algorithm what do an assigns solving aproblem, about it is serious Google ------

SELLING “SLAVING” // 5 WHAT RATTERS CAN DO? plains that ratters can: ratters that plains 2015: Year Rat—Threat of the Report report his In SnoopWall. firm security app mobile the of Officer Executive Chief now is and Security founding member of of the Department Homeland a was Miliefsky S. do. Gary can do, ratter the can ing through filesthe userhas stored—whatever you into malware downloading the gets onto adevice. ments, photographs, videos, and songs to trick tar docu as disguised be can that code are malicious tool is a RAT. of Trojans, kinds six of the One RATs slaving popular most and simplest the Perhaps The term “slaving” a computer is no exaggeration. Remote Access Trojans include: project this in studied THE RAT WORLD service (“DDoS”) attack. (“DDoS”) service > files;and audio > > > files; and emails, > tentially even ahard clearing drive completely); > device’s sift the or it is using functions Whether > > > > > > » » » » » » » » Use your computer for a distributed denial of of Use your denial for computer adistributed save and your on in L➢isten microphone Watch save and your videos; webcam Watch log your and keystrokes; you type ➢ Steal credit passwords, numbers, card delete➢ Download, and upload, your files (po » » » » » » » » Carbanak Bozok Worm Black Blackshades Bifrost Orifice Back AndroRAT Adwind » » » » » » » » » » » » » » » » Havex Explosive Dyreza / Dyre Dark DDoSeR DarkComet Cybergate CyberRAT Cerberus , Miliefsky ex , Miliefsky

- - - - - dental accomplice.” dental RATS, you’re not only you avictim, are acci an Zero-day you of infected get these “If one with said: Miliefsky As to fall. password could next be credit and cards, private emails, book, address office’sresources. your and network tocorporate ratter lead the the to jump your The company’s could computer hind. workyour and devices are tablet, phone, be not far computer, your has personal ware. someone then If mal other RATs and “spread” to effort ratters’ a in slaved device. one with Your step one device is just tating strikes corporations. against U.S. debili and embarrassing the of many off pull to corporate allowing espionage missions, hackers RATs adversaries. their in are frequently used attack and to target of democracy by enemies of used war aweapon favors.ual They are also for and/or money exploit them then and en, sex to spyexpensive frequently tool wom on used Once in command of your command devices,your in email Once stops seldom A ratter item is important. last This Making it simple—RATsMaking to in use, are easy an » » » » » » » » » » » » » » » » ProSpy Predator Pain Ivy Poison RATPandora njRAT Njw0rm NanoCore Kraken 2

» » » » » » » » » » » » » » Xtreme RAT Trojan.Laziok Sub7 Sir DoOom RAT Snake ShadowTech Regin ------

SELLING “SLAVING” // 6 SELLING “ SELLING c dow or pick a door lock to steal your financial infor yourtofinancial locksteal door a pick dow or to break awin need doesn’t who criminal the stop to designed have security up-to-date most the firewall a onlya hacker). with of usarmed those What about even (and to often, stop isn’t that enough security finest the for pay to resources the have ernments even average families. But corporations and gov and leaders, political devices slaved—corporations, have who ofThere are victims kinds all their had

outgoing network traffic based on a set of rules.” http://searchsecurity.techtarget.com/definition/firewall rules.” of set ona based traffic network outgoing and incoming controls that software-based, or hardware- either system, security TechTarget asnetwork “a firewall a defines manySo visitors have come 37,000 almost privacy times. peeping toms have violated her identity. Unfortunately, virtual made, was to video protect her this when ateenager just was we who believe girl, of the We have picture blurredthe FORUMS, DIGITAL CITIZENS ALLIANCE HAS OUTLINED IN RED AND/OR IN OUTLINED HAS CERTAIN MAGNIFIED DIGITAL ALLIANCE CITIZENS FORUMS, ELEMENTS. IN ORDER TO HIGHLIGHT PORTIONS OF THIS AND OTHER AND HACK AND THIS SCREENSHOTS YOUTUBE OF FROM PORTIONS TO ORDER IN HIGHLIGHT c and anti-virus program? and Families don’t SLAVING ” red boxes circle. and of Much cludes three ads—inside the to visit. coming to those dries tofrom to computers cars sun to ads pitch everything selling YouTube that at her to peek is This particular video in video particular This - - - stand-alone weapon used in a1 in used weapon stand-alone porate espionage and economic disruption, or a They of may cor atool for be er’s amission toolkit. newest Trojan. akeyboard only the He and needs password lists. and familymation, photos, well as your as contacts kiddie” on a high school classmate. school ahigh on kiddie” RATs hack askilled in avaluable be piece can - - about their victim. their about said ratters of what these part 17 page on where we include story, of the you as see part will picture The is only video. the hackersposted who the and YouTube between split be can revenue ad the from post this video with the world. world. the with video the shared then and girl this of bedroom into the cam, someone broke • 02 IMAGE By controlling aweb controlling By : 1 attack by a“script attack 1 -

- -

SELLING “SLAVING” // 7 THAT PAYS FOR ITSELF CHEAP, EASY-TO-USE MALWARE keted there. it If is free, it is likely version older an mar downloads RAT free find can YouTube, you Wolf. of Cassidy story the about patience.” Remember that point when we tell foundresearch: our in wethat “It’s point also ical it’s really not,” acrit made Miliefsky, then who said attack, sophisticated is avery say this people when network, most have the same vulnerability, and paper bag.” wouldn’twho know how way to their of hack out a a tool created marketed for and principally buyers RATs, popular most of the one “was Blackshades, blog,wrote KrebsSecurity, on that popular his in Krebs Brian expert Security use. acquire, and find, to is easy software malicious dangerous, This As you see in the screenshot (image 3) from 3) (image screenshot the in you see As office the or computer family the it’s “Whether 3 - - of of forketplace RATs co-author Rudis, take root. Bob able to the general public sent prices plummeting. utilizing these things.” for to low entry There is avery barrier tool. the ing customiz help not get only but tool, and order the cases, some in portal actuallyion—it’s slick apretty Amazon-like fash avery in tools, to order these where have they ability for the both cybercriminals says “there is an entire economic segment basically SecureWorks $250. Then, according to researchers from Dell and $50 between cost Blackshades and Comet It wasn’t always easy. that RATs 2013, In like Dark many RATs $10 found for be between $50. can of and versions modified or Updated malware. the of Verizon’s Verizon’s And cyber security analysts have seen the mar have the analysts seen security cyber And 2015 Data Breach Investigations Report Investigations Data2015 Breach 4 , leaks making the source avail code the making , leaks the video. (French for download) could “tèlechargement” they where alink on viewers could click • 03 IMAGE Below the video, video, the Below

- - - - - ,

SELLING “SLAVING” // 8 Blackshades. He Blackshades. got a firsthand look at the pushers behind brought that down cabal the sting ment R.A.T.—the law enforce Dirty multi-national eration ing their bedroom.” leav without how online to aprogram implement targeting victims findcan what theyand need learn in interested “individuals said Office, Field Angeles ratters. Laura Eimiller, Press Officer forthe FBI’s Los like a customer for department service would-be something as functions like Forums, which Hack found YouTube on chat via rooms direct contact or tutorials in advice by sharing to help—either willing are there ratters program, of other plenty the with struggle they If asingle in sitting. ofens victims guys for for and $5 $1. devices of girls of a Hack Forums offering participant access tothe RATs (as of 7/22/15). 4shows example Image one creating, spreading acquiring, and discuss that hacker.”the posts million There are 1.5 more than of voice “the find to Forums Hack site chat hacker Citizens popular researchersDigital the visited to make quickly is great. money aratter as portunity James Pastore was the lead Pastore prosecutorJames the was Op in day doz get on that one, can aratter Consider is low, to cost started while get the So op the - - - - - cure way days impossible.” these but is all acompletely in technology using se shameful; or You of attacks. stupid haven’t anything sorts done how even security researchers fall victim to these for to know victims how prevalentis important it is, it it involves Ithink images. or videos compromising when “There’ssaid: alot it, in particularly of shame RATs. using attacks after individuals and nesses She busi helped has She source of the attacks. mine discover what if stolen, possible, was and, deter control to in breaches, help called been has man the mobile security testing startup, Shevirah, Weid and Security of Bulb er. Owner and Founder the As Weidmanhack Georgia ethical is an attacks. these of RATs.” types these using my experience—is that—in population to due the part large is in that think I and game-ified bit a becomes It victimized. are there are that real being people because shame it’s they’re And that a harm people. on imposing or aren’t mature enough to comprehend, the real hind a keyboard. They maybe don’t . . . comprehend, are they be because of bit adistance alittle also Citizens: it, but about “There’s of meanness akind attorney an private in Pastore practice, told Digital Now spawn. of malware helped they ratters the and Victims often struggle with damage done from done damage with struggle often Victims (as of 7/22/15). and spreading RATs acquiring, creating, to dedicated posts 1,536,431 site contains the rums’s own figures, Fo to Hack According • 04 IMAGE From hackforums.net.

------

SELLING “SLAVING” // 9 STORIES OF CRUELTY—“RATS” ON THE ATTACK Photograph by GREG NELSEN Teen Miss the in competed pageant. USA ifornia Teen, Wolf, Cassidy before months just she Cal world Miss reigning of online the ofmuch the a mysterious clear controlled made he that ratter was there could attack, amassive In to she do it. stop nothing and eyes her of front in right fire on lit were profiles media social Tumblr.Her Instagram, Facebook, passwords on her Twitter, changing cally similarsee warnings that someone was systemati ahalf-hour, about just in But would friends. Cassidy evening an with Fullerton, in California spending password.” my changed Ijust So amalfunction. maybe it just was Ithought it. too of much Isaw think Ididn’t that, when “So said. to log into tried my had from Utah account,” she cation on my home page telling me that someone “I - notifi a like just had tomyI wentFacebook on and right. not was something warning first the bers Wolf. Cassidy named fornia teen of aCali story is the dreams danger and in hopes of how best-known RATs the Perhaps story put can That was on March 21, 2013, while Cassidy was was while Cassidy 2013, March on That was 21, Wolf Facebook. with Cassidy remem It started - - - - a pornstar.” . amodel of being “dream her . . being] into [Cassidy comply, didn’t she If would he transform said he to wanted her make he ing asexually video. explicit bedroom.” her (from) Wewere email. the in could tell exactly werethey wentof your There up. were neck pictures that the back you the on hair scrolled down the that’s when as then of tons you.or And of pictures videos and lots post aword was there will but dreds, there—I wordpost—and if the hun was Idon’t remember Iwill what Isay else or “do told which Cassidy email, stolen had fromhe Cassidy. private of the moments to collection his use tended conversations, and monitoring He now emails. in taking pictures of her changing clothes, listening to been He’d for computer trol months. of Cassidy’s hacker slaved, con had the been had computer The hacker wouldThe onto go threaten Cassidy, say Cassidy’s mother Mary described the ratter’s first her that clear was it time first the was this While 5

• IMAGE 05 Cassidy and Mary Wolf Mary and Cassidy - - - -

SELLING “SLAVING” // 10 hurting me more by not having it. The first month, month, first The it. having not by more me hurting it saw only I and media social have to figure public a as really my just with job, important it its helps is really for my media important, me cause social powerthe to take away like that? Be something why would that? I do Why would I give someone I realized, then And online. I that had ly everything Facebook, myagain, Ideleted serious Instagram, Iwould Ithought never and havescared my Twitter didn’t stay down. “At first, Ideleted I was everything, awoman,man, achild, you couldn’t just tell.” store. We know Ididn’t cery if it a was idea. no had to gro at the next standing Iwas somebody was know Ididn’t if it down block. know lived the if he I didn’t clock. around the came threats his it and kept he saying because coming was he thought “I aday.” times 40 me have emailing guy this mybe life forever,” gonna Iwas “That said. Cassidy years old. 12 just was of harassment his targets of the One women. naked photoshopped her friends’ faces onto pictures of toto comply. pressure Cassidy stalker cyber This he hacked into her friends’ accounts, urging them and preparing his attack. When he didn’t succeed, pictures accumulating tos time showed spent he of pho Cassidy. humiliate library His and expose post the photos, including one video designed to did ratter The FBI. the called she Instead, demands. The RAT knocked Cassidy offline briefly, she offline but RAT Cassidy The knocked really“I for sleep didn’t months,” Wolf Mary said. gonna was this that idea the gotten had kinda “I not give did into ratter’s sextortion the Cassidy - - - - forcement, news outlets, and other young women. law en with experience the about to on go talk and Teen Miss would title becoming the win 2013 USA spoke out.” and up now advocate. an stood She She was she a victim, longer no was Cassidy moment, evening. that “At to audience international an ry that to him.” stop I’m gonna and me stop guy let looked at I’m this it not as Ijust gonna time. at the away of drive any towards I had that type my goals satisfaction of seeing and me seeing hurt him take any power over my life. want Ididn’t to give any him want it, Ididn’t to about give out by Jared speaking that Ithink So situation. this in pictures, avictim Iwas pictures these took purposely for or these posed Teen Miss of never the “I stage the pageant. USA to bidding. his do them commanded forced into while Abrahams recording sex acts were Some world, victims. manythe as 150 as with young womenaround and devices ofing” girls the He, “slav was alocker fact, in with downhall. the girl admirer of a sick more was the than Abrahams But classmate. school ahigh Abrahams, James me.” from away ized power only Iwas that him that giving by taking what Iwould do. Obviously Igot over Ireal and that don’t know were Ihonestly if this again to happen gosh my oh thought I Because it. got first I when it toon back go scared I was to it. use scared I was Mary Wolf had no idea Cassidy would sto Wolf tell her Cassidy idea no Mary had on publicly story her told first Wolf Cassidy to months capture three Jared almost It took 6 - - - -

SELLING “SLAVING” // 11 leads to others.” tions, one successful investigation or prosecution true in other kinds of prosecutions and investiga “As question: askedthat who told is often reporters UnitedManhattan States Attorney Preet Bharara arrests? the in play a part actions Cassidy’s Did RAT. developed the who masterminds two of the were as the Blackshades, 100 hackers used who about malwareabout to while brazen programs enough are who knowledgeable ly more individuals with malware.of insidious form this against fight of this front the lines on from people perspectives three We of ratters. rise rapid have the about concerned prosecutors who work these cases are increasingly forcement findingthe photos. The investigators and if not for victims law en never these know about world The silent. would victims fear and the keep we which never about hear. shame That’s because like more hers stories are there fact, in thousands online. back be will Abrahams Jared James soon, point At some December. this out be He’ll term. prison 18-month tively rest of the your life.” impact - nega or you define to have doesn’t this like thing for to know victims some that it’s important think yet I and went she through this. accomplishment, her about page a Wikipedia with successful and lives are over. their that ing Wolf Cassidy is beautiful alone, often think and feel rightly violated “Victims Weidman. avictim,” to admit being Georgia and said Cassidy’s voice. of are safer today girls young because womenand In the summer of 2014, the FBI arrested nearly FBI arrested nearly the of 2014, summer the In RT tak o idvdas r goig rapid growing are individuals on attacks "RAT but about, to is painful talk story Wolf’s Cassidy an is now serving Abrahams For crimes, his all up to brave did stand she it is a very thing think “I 7 It is impossible to know Itis impossible how many - - - - - above others—YouTube all sites. content and theft We two tools craft. found utilizing ratters their tice looking for places where ratters hone and prac problem, of the we scope of went the asense With slaving is increasingly prevalent and dangerous. hat hackerswhite alike black convince hat and us aRAT that of in.” cases used be types can for the limit the you but computers sky’s know the talked about going after young women and their we’ve Imean to of crimes. any do number criminals RATs allow they the are interesting an tool because prosecute.we that that I think can But something we’re that thing it’s hopefully more to and see going RATs: about said Hsu port. itthat is some think “I re more we this in later who discuss will Mijangos, RATs, of using accused individuals Luis including several prosecuted has office His Angeles. Los in California of District Central the for Office torney’s At U.S. of the Section Crimes tellectual Property for evil.” used now being is and for meant originally was good that nology tech want that the to abuse people the to after go They don’t have manpower enough. the en’t trained ar People changing. it’s as fast as stuff this with up to keep game of the stage at this isn’t equipped just the script kiddies using RATs. “Law enforcement resources the to hackers, including with up keep have doesn’t enforcement law said He years. five victimized." becoming avoid they that so is important potential targets and parents problem, ofis whyout this which educating law enforcement. We’re to way arrest our not going local and state, offices, federal other including not That’s Los in just Angeles. multiple in cases victims them,”use Eimiller. said “We’ve of hundreds seen The observations of victims, lawmakers, and Wesley In and Cyber of Chief the isHsu the for agent more Aken than FBI cyber an was Scott ------

SELLING “SLAVING” // 12 YOUTUBE HAS ARAT PROBLEM tising running alongside them—meaning YouTube, offer: which videos, of thousands find YouTube to search to easy is It And yes, many of these videos come with adver with come yes, videos And many of these touse slave devices. > and, of victims; addresses IP and faces the with > to devices; other > > > > links for to ratters downloadlinks RATs can they examples of successfully deployed RATs, how on to RATstutorials use spread them and - prey atop fireplace. the of way their head the much the ahunter hangs for to others view, conquests successful their young children.en Ratters YouTube use to post how and/or invade they bedrooms strating fright demon ratters with many finding YouTube, on eos creepy. of ture proselytize cul who ratters it with their sharing es cas some in then and money is making Google, or Researchers scoured hundreds of tutorial hundreds scoured vid Researchers had 12,932 views. had video this screenshot, • 06 IMAGE had 6,200 views. 6,200 had video this screenshot, • 07 IMAGE At the time of this this of time At the At the time of this this of time At the

- - - - -

SELLING “SLAVING” // 13 frightened with scary voices or unexpected visuals. visuals. voices unexpected or scary with frightened openly laughing and mocking the families they’ve ters themselves as they celebrate their conquests, rat from the track audio additional an or captions Many of these videos include other on-screen - how to interrupt and terrify the young mother as out figure ratters the watchedbaby. Anderson her while on computer feeding her a left woman who found he of video Technica,of Ars one described editor deputy Nate Anderson, freaked families. out how gloat they about rorize then and victims their The perpetrators of these scares want to scares ter of these perpetrators The had 44,426 views. 44,426 had video this screenshot, • begins (highlighted). RAT the “scare” of victim the where code time to the • 08 IMAGE ing users will download it." download will users ing unsuspect of Thousands RAT. to your link download onto YouTube the with song remixed the upload RAT. your with file Now YouTube: the "Bind .mp3 on post in a shared files to how mp3 on use tips ratter, the offers wagob, from suggestions the of Youtube.” and One Reddit on ways to Spread Unique “4 titled exchange Forums aHack from comes • (as of 7/22/15). registered members million 2.8 than more has for room hackers chat This • 09 IMAGE At the time of this this of time At the This video directs viewers From hackforums.net. This portion below below portion This

- -

SELLING “SLAVING” // 14 YouTube. ForumsHack it is how to easy spread RATs through of on found examples plenty of discussing ratters controllers . . . toying or victims.” with pranking, RAT showing videos of other thousands with along aren't incident the hardThey're to find. on YouTube, computer. story, his wrote: In of Anderson “Copies her on images disturbing and bizarre flashed they It is no secret amongst ratters. Researchers 8 their back doors open. doors back their around leave aroad that to map houses passing hackers is like thieves between sharing This enue. gramming—or another vehicle for advertising rev YouTube, are to reduced consumers pro these On people. of vulnerable like amenu almost lists scroll world. through these Hackersaround the can provide addresses IP the of any of devices number addresses IP the of slaved devices. YouTube videos a ratter’s control included center with videos the Tube at Many ratters work. of demonstrating videos Digital Citizens researchersDigital found dozens of You ING HELP.”ING “SPREAD titled exchange Forums aHack from taken • • 11 IMAGE been banned once.” many videos and I’ve never so Ihave success. extreme aRAT, with ed have you’ll - bond program alegit have you If banned. got why you know Idon’t successful. extremely to be youtube • • 10 IMAGE “Gamingz Wrote: “Gamingz Ifind From hackforums.net. From hackforums.net. The portions below were were below portions The minutes of work. that takes maximum 3 week using this method a 50 clients least at Awdr: Downloader’… Video a‘Youtube is need you all bet, good Awdr: to spread.” methods good some with advice looking for detailed a____ninjauk: You can expect YouTube a is “I’m now now “I’m - - - -

SELLING “SLAVING” // 15 RAT infestation problem. agrowing has America 13, image in see you can d YouTube to across devices America. cities in of IP addresses is imperfect and can be masked. be can and imperfect is addresses IP of location geographical The Internet. the on is that address IP any using system hacker’s to the back to connect try will system the system, your aRAT once However, infects case, any in 2013. before posted videos from numbers IP use we didn’t reason, this For change. will address IP your ISP, an from possible is it device anew get move or you If posted. was video the time the at necessarily not research, the of time the of as were located addresses IP the where researchers our tell tools location IP YouTube. on now RAT in tutorials shared The numbers IP the with devices of locations current the determined researchers Citizens Digital (www.networksolutions.com/), Solutions Network and (www.iplocation.net) location IP websites the Using on exposed IPs the researchers pinpointed Our d As As we included at the beginning of this report. of this beginning we at the included screenshot apicture the ofincluded avictim—like were that those popular of views; particularly sands tensresearchers with of found thou many videos Sadly, people are coming to these pages. Our Sadly, Our pages. are to these coming people an ad for Starbucks. Mexico. The video includes States, Turkey, France, and vices located in the United de including world, the puters in countries around com for addresses IP find • 12 IMAGE ads, see Appendix B. Appendix see ads, found in videos without devices slaved of amap as well as cities, these of a list panied by advertising. For on YouTube videos accom shared devices slaved with • 13 IMAGE This is a map of US cities cities US of amap is This In this tutorial, you can can you tutorial, this In - - - -

SELLING “SLAVING” // 16 anyonerape." from profitingfromdigital this to prevent asociety as and industry an as a stand RATs pushing or We take must neighbors. to their attacks DDoS are bitcoins launching tims or mining ten they are being victimized. These innocent vic may of not them evensome aware be of how of and are pins people “Those of Justice. partment De for U.S. crimes computer child the and online prosecutor federal aformer against and Blue SSP of Officer Executive Chief Nigam, Hemanshu said videos,” crime of these sharing tosteps the stop take and compass moral their change companies “There will be more pins on the map unless unless map the more on pins be will “There - - - RAT, computer. to her access “Bifrost”, is using ratter the awell-known see also We likely was she we Australia. in can determined From watched. is being address, she IP idea her no with like a bedroom, whatin looks paper a class Hacked BY on shows working Marco-Hacker” her That YouTube ) (victim Girl “Sexy titled video, most. usthe picture concerned the that in face it the was but other. IPs, several U.S. It included It was that video that haunted us more than any usmore haunted that than video that It was • 14 IMAGE early 2015. early and late in 2014 brands trusted well-known, other American Express, and for Acura, ads found ers Digital Citizens research Citizens Digital -

SELLING “SLAVING” // 17

id”, what we actually that videos demonstrated or how were to many see videos “val query each for results search of pages two first the through RATs on news stories We items. other and went To hits. fair, be 30,490 items of include those some njRAT, DarkComet, shades, Ivy. Poison and We got RATs—Bifrost, Black recognized most the of five ______use load and YouTubesearched RAT.” term “how to the down using We with blank the in filled researchers Our practice. is acommon videos year, nearly four it posted. was years after family. down her March in of came this video The if is there athreat and togirl the to ascertain tion child organiza arespected safety - with video this world.” repeatedly her timizing front in eyes of the of the allowing it to shown over be over and is re-vic and rights of her is aviolation This rape. is digital “This video: the about said Nigam al commentary. YouTube the in discussion the video: of Citizens atranslation get did Digital sPerfect, Advertising running alongside these ratter Citizens information about the shared Digital sexu crude included rest translation ofThe the With the help of the translation Tran service TIME CODE TIME 0 2 2 1: : : : 08 58 55 15

ARABIC TRANSCRIPTION ARABIC

------paid to purchase the ad space. space. ad to the purchase paid Acura, American Express, and other advertisers of whatever a portion gets bedroom girl’s of this this case, the person who posted their invasion revenue In from views video. of is generated the to acut get eligible ofmakes whatever them ad for YouTube up the signed Program, which Partner has video “poster” of the the Ads show when up YouTube Not all space. have videos advertising. pay YouTube’s for ad parent Google company days ads. 34 to view 11,586 for channel abroadcast on programming network Youis 11,586. would have to watch of hour every C). search, tothis go Appendix on details (to the video see the alongside running RAT valid cent of the advertising some had videos per haveat 38 how all, In videos many valid ads. we looked invalid videos, we the Once eliminated for—howsearched to ______download use and RAT. Companies like Companies Express Acura American and To percent of 30,490 38 perspective, in that put ENGLISH TRANSLATION ENGLISH hahahahahahaha (laughing sound). (laughing hahahahahahaha . astonished Iknow so I wish why looks she . . to do. supposed guy what is the like is naked, that abody when Imagine naked. saw her I just far. I’ve so had victim is quite clean, She beautiful most the is seriously girl This (laughing sound). hahahaha like athief looks guy This 9

-

SELLING “SLAVING” // 18 Procter &Gamble, Wells Fargo, running Boeing and we like found for ads brands premium respected, As we ofAs looked RAT through hundreds videos, Yankees to tutorials. next games toeven New tickets York found for ads baseball we of victims; faces the showing videos alongside had 13,643 views. 13,643 had video this screenshot, • for Wells Fargo. ad an with Russian in tion • 16 IMAGE views. 48,240 had video this screenshot, • ad. Football Fantasy ESPN an with Arabic in • 15 IMAGE At the time of this this of time At the DarkComet demonstra this of time At the njRAT demonstration

-

SELLING “SLAVING” // 19 and an ad for Zulily. victim ratter and between stration with conversation • 19 IMAGE York Yankees tickets. for New ad an with stration • 18 IMAGE brand. Mini for BMW’s ad • 17 IMAGE DarkComet RAT demon ShadowTech RAT demon RAT Pain Predator an with - -

SELLING “SLAVING” // 20 ning alongside the videos marketing and demon Wolf,we found to Cassidy said: she And when we asked about the advertising run advertising we the when askedabout And When we first showedthe YouTube screenshots “This could have“This my blurred face been passed my for entire mind year.” the passed watching Itnever me. of having someone clue not one Ihad have Imean idea. no .out . seriously they because it’s. and sad . - - criminal activity.”criminal of any type it is with as other apriority high as just it make should Google think “I trafficking: human and child pornography after gone has company YouTube on ter videos ratters way the same the make money off it.”GooglesaidShe should go af it’s that now aworld can it's crazy where people how RATsstrating think “I added: she used, be can products. Always feminine hygiene for Procterad &Gamble’s stration in Russian with an • 22 IMAGE ad. aBoeing with Spanish • 21 IMAGE S5. Galaxy Samsung AT&T an with tion for the ad • 20 IMAGE DarkComet RAT demon ProSpy in demonstration Blackshades demonstra - - -

SELLING “SLAVING” // 21 UNLEASHING A RAT—THE A UNLEASHING ART “SPREADING” OF e ous links—in just the first hour after sending. after hour first the just links—in ous of users the opened email and clicked on danger went researchers out, found 50 that percent emails test a total surveys of which in 150,000 cent security everfective than before. 2014 in at two re Looking searchers say phishing campaigns were more ef faster than awareness of their danger. Verizon re attack. phishing” of a“spear launch the is email The refuse. can’t victim the that offer an making email a well-crafted with begins often malware.of the attack The Ittakes several steps. “spreading” the just about There are tutorials art. an aRATLaunching it is science; computer is not just

The sophistication of these has emails grown postdetailaspx?Id=240 to: http://www.digitalcitizensalliance.org/cac/alliance/ go phishing, spear and email this To about more learn 10

- - - - that should give should that you pause.” hard to stop,gets even something you see when curity. “At nature. human against It it goes point, this of a links week,”Se Horner Megan of said Blackfin hundreds Many on of to us click clicked. meant be are “Links attachments: and links on clicking with say we’vewho comfortable increasing become all experts troubles security brand, respected and ed from American Airlines. to like email look an received designed searchers example atlook the below—an re of our one email example, For trust. your gain to find, to increas easier is ingly which information, specific include might It to your get click. designed attachment an or link Mail like this, which appears to from come atrust appears which like this, Mail How do they do it? Spear phishers include a a include phishers How it? do they do Spear e

the system. the Trojan the removed from immediately caught and an anti-virus application as it monitored then ment, downloaded the attach researcher The plans. travel no had who searcher Citizens’ to resent aDigital confirmation aflight email, fake American Airlines spear phishing email—a • 23 IMAGE This is an example of a a of example an is This ------

SELLING “SLAVING” // 22 niles. juve 44 including from victims, 230 steal materials to force, skills his or used trick, Mijangos guidance. consult or without spread them and ownhis tools hacker could who build hams—he askilled was - Abra Jared James student school high like the not was record. on Mijangos ratters vicious most deployed of the bymethods one Luis Mijangos, the Consider victims. on way attack an to launch Ars Technica, Mijangos “was peer-to-peer seeding downloads from peer-to-peer According sites. to of Mijangos’device. lures One music was of choice RAT his tion—so would onto downloaded be the - applica an alink, attachment, something—an on to had into He convince inbox. to target his the click phisher, to just get knew it is not enough Mijangos spear toA skilled make sexually videos. explicit webcams of control take or drives hard from files For ratters, spear phishing emails are an easy are easy an emails phishing For spear ratters, 11 He used Poison Ivy and SpyNet and Ivy Poison used He 12 to poach poach to - were actually malware.” networks with popular-sounding song titles that directing potential ratters to use content theft sites. to potential ratters content use directing theft 25). and 24 ages result im to Forums achat Hack alink (see was on search first the 2015, 24, June on Google on rats” search results. When we searched for “spreading forod rats? spreading Itis if you at look Google’s top sites meth to the content links theft sharing Is popular songs then upload them to torrent them upload sites. then songs popular RATs disguise ratters that reported Massoglia as Lorischolars Andrews, Michael Holloway, Dan and to privacy, poses of webcams hacking the legal of Law, College Chicago-Kent threat the examining We clicked on that link and found several posts We found several and posts link that on clicked In In Digital Peepholes , a research paper from IIT from, aresearch IIT paper 13

June 24, 2015. 24, June rats” from “spreading for results search • 24 IMAGE Page one of Google Google of one Page

14 - -

SELLING “SLAVING” // 23 RAT over peer-to-peer.” the is sending toolbox the in tools of the one so and you any use Imean people, will tool your in toolbox, of interesteda hacker compromising in that’s sort to safe. be of opposite It’s safe. if you the And are “Peer-to-peer is incredibly unsafe. It’s not designed peer-to-peer knows He sites the well. a decade. Los in for Angeles more cases than tual Property Assistant U.S. Attorney Hsu has handled Intellec Attorney handled has Hsu U.S. Assistant - theft sites as the tools of choice for of RAT choice tools sites the as theft spreading. where ratters suggest both YouTube and content We found several Forums Hack conversations on sites Trojans. provide for a platform theft launching YouTube both audience, pecting content the and downloads onto unsus an malicious to the push Jared James Abrahamses. When ratters are ready YouTube with script kiddies, the next generation of via tools share like and Luis tips Mijangos skills with On HackOn Forums, we experienced see ratters room, hackforums.net • 25 IMAGE From the hackers’ chat -

SELLING “SLAVING” // 24 rents, isohunt, and The Pirate The Bay 27, and (image isohunt, rents, above). follow who trade—kickasstor to those piracy the familiar Forums most Hack of are on the ed some trad names the that sites, surprise it is no tent theft When ratters wanted advice about specific con - - - room, hackforums.net • 26 IMAGE room, hackforums.net • 27 IMAGE From the hackers’ chat From the hackers’ chat

SELLING “SLAVING” // 25 The Pirate site visited 97thThe Bay the most in the was f PirateThe Bay from application an how pulled aratter strated byfound posted two different people) demon to ensnaretraps victims. through howers to build deceptive, RAT infested YouTube videos—of the side view walking videos We along found examples—again advertising with YouTube. on shared tutorial in videos them—again how sites; to show they kiddies use tent script theft

note-domainse-180 and https:// thepiratebay.se/blog/205. From http://en.wikipedia.org/wiki/The_Pirate_Bay#cite_ piratebay.gl. used also has It to piratebay.se. moved it when 2012, until Bay Pirate the of address the was piratebay.org to Wikipedia, According piratebay.org. using ratter the showed video The For example, YouTube one (which we video con about chatting beyond go ratters just Some f to help spread aRAT. to help At time, one - - - - ers. world com was so infested with malicious downloads that infested so malicious was com with ginning of the problems with this site. Demonoid. be the that’s but just months, six last the in oid.me to down taken be from Demon URLs 190,000 than (on 7/6/15), have copyright holders askedfor more Transparency Accordingme. toGoogle the Report Demonoid. site, torrent popular another onto file Pirate Bay,application—from it. corrupt and editing amusic case, this a clean application—in Moments later,Moments the ratter loaded the corrupted 16 We like take what ratter looks watched the 15 and had more than 2 million registered us 2million more had than and had 2,334 views. 2,334 had video this screenshot, room, hackforums.net • 28 IMAGE • 29 IMAGE From the hackers’ chat At the time of this this of time At the

- - -

SELLING “SLAVING” // 26 downloads advertising. on (as of 7/6/15). malicious the blamed Demonoid 7,581stsite the site world as the in popular most .pw now (the redirect others there). Alexa the ranks it’s .com, and atcurrent .me, .ph, including home stays alive by several Top utilizing Level Domains, site The acat. more had lives has than Demonoid Google actually blockedGoogle it for 2014. in atime 18 The Digital Citizens Al Digital The 17 But But - that advertising. from software download malicious and the on click sites users make content when that money theft showedinfect research users’ The also devices. research that in potential tosites the had studied content 589 theft on ads three of every one that Bad Going Still Money Good report, liance 19 had 33,110 views. 33,110 had video this screenshot, • 31 IMAGE views. 13,643 had video this screenshot, • 30 IMAGE At the time of this this of time At the this of time At the , showed

SELLING “SLAVING” // 27 g site T411.me theft content the using file PDF a as payload how amalicious to disguise demonstrating RAT CyberGate. He pulls three addresses (saying in in (saying addresses three RAT pulls He CyberGate. victims. from the the presentation nice so they can get more money The presenter reminds also the watcher to make

report published in May 2015. That domain now redirects to t411.io. redirects now domain That 2015. May in published report Bad Going Still Money Citizens’Digital Good in sports and software, books, music, series, TV movies, unlicensed torrents sharing to be found 5—sites of one is t411.me YouTube another In we video, found aratter In athirdIn tutorial, shows aratter how to the use g . theft sites are like Home Depot. sites are Depot. like Home theft malware, to spread their for tools ing the content software. infected now reloads sites the btjunkie.org, with those then “torrent sites”: demonoid.com. isohunt.com, and from three software popular most the pulls then “only tutorial has he that the vic’s three and online”) The tutorial videos show look for tutorial that ratters The videos the streaming media, Netflix. media, streaming of on-demand Internet and legal content provider licensed for the ad an is To video the of right the site, t411.me. content theft aRATto spread the via • 32 IMAGE this video. providers featured in content unlicensed be to known sites three • 33 IMAGE A video showing how Isohunt was one of

-

SELLING “SLAVING” // 28 THE FUTURE OF RATS $1B. gather enough information to steal approximately cloaked for therefore years, and for hackers to the to stay for it possible made Carbanak hidden, howout figured it add to that.”to somebody [and] Regin in was which Comet Dark in pability - ca stealth is some about wething may talking be way work their down next the into low So the end. RATs high-end arethat these in showing up things weizens: alot to think are of see “I going these Haley Cit Response. told Digital mantec Security for Sy of Director Product the Management and Symatec’s on toing Kevin Haley, advisors technical of the one RATs accord to happen will effect trickle-down same down This space. that in to competitors all filter will it place, market the to comes process or really is where it gets This scary. to add new functionality. If a basic RATto abasic If new add functionality. with comes of RATs.ation others: The gener Haleythat next the in prominent says be will It’s of traits three one anew users. burden on be will Stealth capabilities, or the RAT’s the or to stay Stealth ability capabilities, anew idea once many industries, with other As Modularity 20 Bringing this attribute to script kiddie RATs to attribute kiddie script this Bringing

—This RAT the means ability the has Internet Security Threat Report (ISTR) Threat Report Internet Security - - - - you want to execute. of RATs all qualities customize and it for attack the best the take can you future the in means off.This able to pirate is not that being far out it is aconcept to acustomized get tools RAT these use go with ing a cloud where service based any person can revenue source. no with Hav original to the coming distributed stolen and getting are code of tired their source code] from happening.” Haley Hackers says. prevent and a way as of to [theft try a service as RATs. tomized control like systems, Havex industrial Malware bitcoins attacks or mines that level. more institutional but at the count holders, RAT—not focused ing ac individual on much so to Dyre RAT The have core one function. is abank etc. stereo, upgraded seats, leather such as options adding and of acar model base the to getting is similar This have downloading capabilities. or dropper bitcoins, or RAT mine the attacks, DDoS to launch etc.), allow that add-ons get camera, youthe can operating files, at (looking management system “There's actually some movement to software Customization —Taking aRAT it modifying and 21 , are examples of cus - - - - -

SELLING “SLAVING” // 29 also mobile OS like OS mobile Android. also but OS, desktop just not include to modified been actors.” malicious with networks less wire and mobile different of they lots encounter China, likely to trip business your to shop, coffee from go they home, to toAs work, the to school, watches, etc. don’t go. smart tablets, phones, our their bedroom these days, there is literally nowhere have in laptop people most their “Though ing” said Testing, toetration Hack Introduction AHands-On “Pen book her in hacking mobile writes about who Weidman, hacker Ethical Georgia targeted. be will wallet in their smartphone, the more these devices move people more As towardscoming. having their Remote mobile or Access Trojanstablets, (mRAT) is generation of RATs tailored to strike cell phones and You can see in image 34 the RATYou the 34 image in see has Adwind can A “growth market” for is mobile. Anew ratters - - - emails, geolocation, the list goes on.” goes list the geolocation, emails, yourerything phone knows, text calls, messages, evyour knew alot you about laptop about think them. Weidman states further “And if you thought continually target who criminals hackers and the it is for better the distribution, the bigger world. The are ubiquitous throughoutsince smartphones the mobile devices. with ten years number than less to reach same the malwaredistinct signatures taken for it has PCs, ured while yearsthat it 22 took to to get 2million fig TrendMicro maker anti-virus the Repository, AV-Testthe Malware from figures Using growing. This growth, although alarming, is not surprising is not surprising alarming, growth, although This What’s particularly stunning is how fast it’s is how fast stunning What’s particularly 22 had 3,480 views. 3,480 had video this screenshot, • 34 IMAGE At the time of this this of time At the

- -

SELLING “SLAVING” // 30 PROTECTING FROM AND REMOVING RATPROTECTING REMOVING AND FROM h to do should protect your system. you things There basic are some let passport. and protecting as your wal priority same the be should at avoiding chance better aRAT attack. give steps ourselves you these from but a ratters, to do we that protect can thing isn’t there that one tect yourself. Ultimately, we have all to understand pro to use you that help can extensive checklist Digital Citizens’ researchers have put together an

at Starbucks. while you are your activities network to encrypt enough easy it’s also fromcomputer Starbucks; to to a security.ing operate easy with do It’s very 4. security.basic for access bypassing lows easy very attackers word from being sent unencrypted, which al prevents This your pass connection. encrypted 3. watch or password to to asong listen amovie. you realize to you enter probably a don’t need word. password that prompt make And should RAT the you installing ask will pid, for your pass stu something do you if so password different a with Create Admin account. user or asecond 2. for2e6-000000000000 some ideas how to do it. article.cox?articleId=232f2e00-ce8d-11e0-5 www.cox.com/residential/support/internet/ is even better.a passphrase http:// out Check 1. it contains Protecting data your the and system us/en/home/resources/tips/pc-security/security-what-is-anti-virus-software remove software viruses, and other malicious software like worms, (T)rojans, adware, and more.” http://www.webroot.com/ and for,search detect, prevent, to designed are that programs of set or as program “a software Anti-virus defines Webroot Being awareBeing noth of has where you connect an using to yourOnly server mail connect first the using computer your operate Never Create Using asecure password. use and ------click on pop up errors without reading them first. reading them errors without up pop on click blindly always Don’t and puters, worst. the assume word—educate how yourself on to safely com use website.” database by of webmaster sent acareer be the pretend that to messages email tolinked spam have attacks backdoor been Ivy “Poison zation, to SpywareRemove.com, anti-virus an organi According attacks. are to linked phishing viruses, Malware, screened. Trojan be should including of for out character individual, that seem which Even from known users, caution. emails with ed > information. capture other passwords and what you monitor possibly even are and doing can others means free Wi-Fi with locations other net. yourConnecting system at coffeeshops and > phone. your on if you alotespecially do of transactions too, for your goes This smartphone anti-virus. AV ratings at http://www.pcmag.com/reviews/ are market free. some Look the at and on grams to it keep up and date. There are many AV pro clicking on a link within an email. an within alink on clicking to too busy or realize what you are by doing > protect known will viruses. but against ruses, not new stop are will vi This found. vulnerabilities Manufacturers update their applications once updates are they as released. applications install > asimple in up summed be can thing whole This > > > > Emails from unknown users should be treat be should from users unknown Emails awareBe Inter to of where you the connect Have Anti-Virus an (“AV”) Patch your web and OS browsers regularly and 23 Hackers count on you being curious curious Hackers you count on being s h program installed installed program ------

SELLING “SLAVING” // 31 following: Ivy. Poison supplemental program for removing viruses like rus Also, applications. many of these make specific load the application. to aclean research to system the down do and reference to the in remove section Trojan. the Go > paper to avoid being spied on > you youIf are the suspect do infected, then make that There are anti-vi many companies torrentmalware. filesand report shows the correlation between movie and ing virus protection from virus ing now on.” Internet,from you the may want us to consider movies downloading been you've If files. movie Trojan this that through hacked infects normally consensus it's ageneral noted “but participant how to remove Trojan Ivy, like Poison viruses one Yahoo on aposting address In which dangers. tial > > > > Get one or more of the applications or steps steps or more applications or of the one Get of piece opaque an with Cover your camera » different companies will confirm that the that confirm Tro will different companies poten for alert be Internet, the surfing When » NOTE: using two different applications from applications different two NOTE: using 24 A recent DCA Arecent DCA - - - - -

following: organization that can remove can that organization Trojan the for you. > point. > browsers. > > may need to utilizemay apassword manager. need you passwords for multiple sites application, or > your Trojan, is free system ofOnce the the do youtil are sure is system free virus. from the the > > > > > > > When in doubt, take your system to a trusted take your doubt, in to system When atrusted back-up asystem Do anew set restore and Patch the Operating System and the web Clear your web history. browser and cache infection. the of effects residual mitigate to important but process, annoying is an This compromised. » Change your passwords. If you If your have passwords. Change multiple are free. sure is virus system the you it until cleaning besides tem for anything Do not do any more transactions or posts un posts or not any do Do more transactions Trojan. of version the latest the notyou get it will are use to up date otherwise Make sure applications is eliminated. the jan » » » The safest thing to sys is not do to thing safest the use The If infected,If any web likely password is most - -

SELLING “SLAVING” // 32 MORE REFERENCES ON RAT REMOVAL ON REFERENCES MORE > > > > > > > > > > > > > > http://www.pcmag.com/reviews/antivirus http://www.clamav.net/index.html http://winzip.com/prodpagemp.html http://www.spywareremove.com/removePoisonIvy.html https://security.symantec.com/nbrt/overview.aspx? https://answers.yahoo.com/question/index?qid=20080916214402AAsP2UQ http://www.ehow.com/how_6815580_remove-poison-ivy-trojan.html » » » » » » » identify and remove and aTrojan,identify your system. not continuously scan does but » » » » » » » Review of anti-virus programs AV—not type to scanner Good protection. tool is aone-time This continuous ProductWinzip it with tool associated Has Symantec tools to several AV links has This (Trend apps Micro, McAfee, Symantec) Trojan removing Ivy on Tips Poison

SELLING “SLAVING” // 33 SUMMARY RECOMMENDATIONS AND pearance-and-performance-enhancing-drugs marketing ap down of videos pulled hundreds coverage research, of our media After YouTube marketed that activity.looked at illegal videos all previous The four for reports enues Google. YouTube on ed rev advertising generate which post at videos dangerous looking report ance Alli Citizens Digital fifth the is This complicated. being, you might want to reconsider your priorities. device, information, your and well your personal to risk your the is worth of music ue free movies and and downloads the malicious file.If you feelthe val ad the clicks tors user don’t make the until money are pay-per-click site’s the - That means ads. opera Bad Going Still Money Good May our report, on working 2015 searchers bymoney your infecting computer. re MediaLink providing a service, but some of them in fact make to sites be claim of these Operators sites. these on material dangerous and do, more traps we the see infectwill your computer. more research The we able over Internet real dealt was the world justice. responsibleperson for avail drugs those making now were and the Road experience, Silk not adigital the on drugs bought who people of deaths the The to life sentenced was prison. in who Ulbricht, Ross sage from sentencing of former Silk Road kingpin darkest corners of the Internet. Consider the mes the in or corner street it’s the on whether equally treated be should activity Criminal women. tacking toly before hesitate kiddies script drive at some and simple. Stronger sentences will almost certain pure is sexual assault, camera on form sexual acts Forcing sex crimes. with womento per girls and young women able to attack charge who ratters toup take over. prosecutors be should For starters, sprout others one, prosecutes and identifies ment here are the ratters themselves. When law enforce offenders serious most the that doubt no is There As for the videos on YouTube, on for videos the As more is abit this simply,Quite sites to content visits theft regular enablers? the what about But , found many malicious ads ads , found many malicious ------tims of RAT attacks. No one—be it a ratter or amul or it aratter oftims RAT one—be No attacks. tovic painful the and devastating as could just be it but adevice maySlaving attack, aphysical not be vate personal moments and sensitive information. ratters’ showcasing to videos purges of pri next profound risks. health producing product a from profit could healthy ers to custom keeping how dedicated acompany fy justi cy’s could they longer executives no decided selling cigarettes in September The pharma 2014. store forthat stopped drug chain CVS the when the question they to need ask themselves.” That’s that? off money make to people these allow are clearlyvideos directed towards evil, you should where there out their videos are that putting people for case, evil,’” be this in “Well, Aken. Scott ‘don’t said Tube it should? it mean does can, You RATfrom because sharing just But tutorials. on home to a find elements those with YouTube. There’s IPs. reason for no videos public sharing and vade” aperson’s home, pictures showing of victims to malware. study forts hackers’ down could ethical videos harm ef these Remote Access Trojans. about videos all Pulling share view and also white hand, hats other the On devices they’ve whose of slaved. those faces the featuring and addresses, IP public sharing victims, getting about talking ratters include that of videos video.” the There are posting plenty person of the intent the and content video the of on the pends Attorney says Hsu de “it U.S. Assistant As area. of how agrey to well, it is, do something someone proval. aRAT While spreading showing is illegal, adoctor’s available ap without drugs prescription (steroids), and drugs, stolen illegal credit cards, It is time for Google to stop running advertising advertising to for running stop It is time Google like much for Google could amoment This be statement the on itself to pride used “Google However, there is nothing stopping YouTube “in hackers that would videos ethical not post But ------

SELLING “SLAVING” // 34 to access that website because it's dangerous.’”to website that access because website, could they say, ‘Sorry—you’re not allowed if youand to are amalicious alink presented with plow into data ofresources all this apool to further of their some Whatif use they alothas data. of this already “Google 'before' them. on click links people detect more Chromein malicious could that help ther develop their safe browsing technology with IPs? their pictures and of victims YouTube on videos include that for those looking create team to ahuman review malware tutorials app submissions to Google Play. to Google submissions app would review violations for teamnal policy looking inter an that announced March, In catch. Google automated items systems may its check not always childrenof world? women and around the to right privacy revenge the violate porn, and porn, to make used child tough tools on getting about what But victims. porn announced revenge protect to effort an company the Recently, platforms. its off Google has made efforts to keep child pornography toproblems it the is creating. Tosolution credit, its vertising programs, partner like AdSense? ters spread can their terror. Mijangoses, future and Abrahamses, the super-rat Forums, YouTubeHack provides aforum where the Yet we as saw from conversations on numerous YouTube,ucts, ratters’ the be tool should of choice. prod of its one a great and like company Google why no There is reason of profitattacks. from these company—should dollar tibillion make penny one associated with child porn. with associated blocked 100,000 search and terms pornography to block child and spot brought engineers 200 in Scott Aken had a suggestion for Google: fur for Google: Aken a suggestion had Scott Google does on occasion use human beings to beings human use occasion on does Google the has company argue might the that Google ad safeguards to some its add could Google So 26 Why can’t Google Why Google can’t 25 In 2013, Google Google 2013, In ------the “slaving”the problem, of instead profitingfrom it. solve to help aposition is in Google evil activities. YouTube slow the of spreading their and the videos these in “slaving” selling are that ratters the off ward to help skills and tools its use can company the group, advocacy aconsumer we As crime. believe future. the about think to it is time decide at Google people the that hope We people. before profits put to continue they will acrossspreading over devices all Or, America? of RATs tide to arising stem take action Google WHO APPROVEDWHO THIS? SIMPLEONE QUESTION: tisers wondering how that could happen. even many to with adver ISIS, sympathetic videos to how could next ads about run swered questions children? humiliate that videos YouTube an hasn’t Who, what, would or to approve next advertising Program advertising. Partner with running videos revenues. ofceive the asplit turn, in allowswhich, “YouTube the to re Partner” “approved for monetization” to enable advertising be must video each that state monetization on YouTubetent. The Program’s guidelines Partner AdSense account to begin monetizing their con aGoogle contentProgram, the creator start must revenue.tising YouTube adver of to agrees the asplit give them Tube while, ad to the include return, in permission YouTube’s They have Program. given You Partner of are part videos the posting Many people of the vertising at the time our researchers found them. ad included report this in shots screen All the YouTube There is no Program participants. Partner now, revenues 55/45 splits Google eligible with We’re not asserting Google has committed a a We’re committed has Google not asserting money. would steps Such Google cost will But So someone, or something, “approved” the YouTube of the orderIn to amember be Partner

27 Right Right ------

SELLING “SLAVING” // 35 Google need to continue to run ads next everything everything to to next ads continue run need Google the AGs’ letter. AGs’ the to response Google’s fromwas own its description videos.” Totionable clear—the be word “minimal” ques the from income ‘minimal’ "derives Google that reported newspaper Oklahoman The tivities, ac illicit and illegal marketing videos from profits about officials Google questioned General torneys two States for At after awhile. 2013, In questions materials. cious of mali pushers of the pockets the in money put that of videos rejection and aggressive monitoring force would to this act; likely Google result more in marketing ‘slaving’ videos could that to these next running ads their see that ble. companies Itis the who—unintentionally—make revenue this possi advertisers very from the hears company the less to such aprogram—un incentive for end Google Google and YouTube have fended off these these off fended have YouTube and Google 28 https://support.google.com/youtube/answer/2802027?hl=en. If it is so “minimal,” it If is so why does then IF YOU SEE AVIDEO SHOWING VICTIMS OF RATTERS, YOU CAN REPORT THE VIDEO TO YOUTUBE AT ------happening to them.” was selves if this imagine victim’s and the in shoes Honestly,this. to Iwould them put tell them just of off money making is Google and this of money Tube are are this that making doing people the and promoted You on being now room and its their in watched daughter being was that if it their was ine to themselves put imag (the in victim’s) and shoes… Wolf, would need she “They tell Google: said who could from handle came Cassidy that question follow. will slaving, others against a stand takes world’s companies of admired the one If most adefense? as Internet freedom it claim can videos, Trojan tutorials? to to drugs Remote illegal Access videos from ISIS Perhaps the best advice on how the company company how on advice the best the Perhaps slaving beside ads to continues sell Google If that is generated from the ads. ads. the from generated is that account, you earn revenue account with your YouTube AdSense an associated you've After video. the near or inside YouTube tion, ads place will and approved for monetiza Once your video is submitted money? • tization tube.com/account_mone https://www.you at found - guidelines and information • 35 IMAGE How can my video make make my video can How YouTube monetization

- - - - -

SELLING “SLAVING” // 36 APPENDIX A APPENDIX Zulily 20, 19)—found (pg. July Image 17, 2015 Wells Fargo 16)—found Image July 19, 16, (pg. 2015 Vans 3)—foundApril 10, the Image 8, Off 2015 (pg. Wall 30, June 2015 34)—found 30,Image (pg. Communications Unified 2015 25, 29)—found Wall April Image The 26, (pg. Street Journal 33)—found 28, Image 2(pg. Cop Mall Blart, Paul PicturesSony Entertainment, 2015 12, April 12)—found /Arizona 16, Image State (pg. University Starbucks 2014 3, 20)—found Image 21, December (pg. Samsung Procter & Gamble Procter &Gamble 30, 2015 June 34)—found 30, Image (pg. Plan New York Yankees 20, 18)—found (pg. 2015 Ticket Image March Exchange 3, July 32)—found Image 16, 28, (pg. 2015 Netflix 20, 2015 17)—found (pg. Image 25, Cooper Mini June Tours, Blue Go 27, (pg. 30, 2015 30)—found June Image 2015 29, 7)—found April Image 13, (pg. Geico July 7,ESPN 15)—found Fantasy Image 19, Football (pg. 2015 Ensilo 27, (pg. 22, 2015 June 31)—found Image 27, (pg. CoverGirl 30, 2015 30)—found June Image 2014 4, December 1)—found Chevrolet Image 3, (pg. March 17, 21)—found Image 21, (pg. Boeing 2015 7, 2015 (pg. Knight 25, Arkham Batman February 2)—found Image 10, April 3)—found Audible, 2015 Image 8, (pg. Amazon an Company American Express Travel (pg. 7, Image 2)—found 2015 February 25, 2015 12, 8)—found April Image 14, (pg. Boat Allstate 17,Acura (pg. 2014 November 14, 14)—found Image half of 2015. first and of 2014 RAT with pages on YouTube on videos ments promotional quarter fourth the in Citizens researchers for Digital found advertise which Companies/Products EACH SCREENSHOT OF YOUTUBE PAGES AND WEBSITES WAS GRABBED DURING DIGITAL DURING WAS YOUTUBE OF PAGES GRABBED WEBSITES AND EACH SCREENSHOT » April 14, 2015 14, April » Minions » »

➢ ➢ Always July 22)—found 2015 8, Image 21, (pg. Bounty (pg. 13, Image 6) (featuring characters from NBCUniversal film film NBCUniversal from (featuringcharacters 6) Image 13, (pg. Bounty CITIZENS RESEARCH AND MAY STATUS AND CURRENT THE RESEARCH NOT REFLECT CITIZENS PAGE. ANY OF )—found July 7, 2015 -

SELLING “SLAVING” // 37 APPENDIX B APPENDIX Emeryville, CA Emeryville, OH Elyria, Columbus, OH Cleveland, OH Catawba, SC PA Cynwyd, Bala TX Austin, Ads: without found Videos on cities these in IPs Denver, CO TX Christi, Corpus Columbus, OH Collinsville, IL Clarksville, TN MO Chesterfield, FL Brandon, CA Bakersfield, GA Alpharetta, OR Albany, Ads: with found Videos on cities these in IPs FoundSlaved Devices From YouTube Information on Jacksonville, NC Jacksonville, Independence, IA Hollywood, FL NC Hickory, Henderson, NC NY Halcottsville, Flint, MI Los Gatos, CA Los CA Angeles, Kearney, NE City,Kansas KS TN Jackson, NJ Jackson, MS Jackson, Ranch, CO Highlands NC Greensboro, ND Fargo, Phoenix, AZ PAPalmerton, Old Town, ME New York, NY LA New Orleans, WI Madison, CO Littleton, CTSherman, Sanger, CA CA Sacramento, Ramsey, NJ Phoenix, AZ NE Omaha, New York, NY WI Mukwonago, Milwaukee, WI Louisville, KY West Lafayette, IN Lafayette, West NY Utica, Bay,Suttons MI South Richmond Hill, NY Lake City,Salt UT TX Richardson, NM Portales, Woodstock, IL Wai'anae, HI Tukwila, WA NJ Trenton, Tampa, FL Tacoma, WA Falls, SD Sioux and without ads. without and addresses in videos with • 36 IMAGE The map includes IP

SELLING “SLAVING” // 38 APPENDIX C APPENDIX TOTAL RAT Bifrost use and How to download RAT Blackshades use and How to download njRAT use and How to download RAT DarkComet use and How to download RAT Ivy Poison use and How to download lowing step by step approach: TERM SEARCH RAT Ads YouTube: with on Running Videos 4. 3. 2. 1. above fol table by the The compiled was using

next to or inside of the video. video. of to the inside or next and have at least one advertisement running hit for criteria the avalid to had ads meet with hit Avalid ads. with hits of valid number 2of search1 and to results the determine pages on manuallyAgain view video each read hit below).valid to (for a determine used criteria hits the valid of of number search to results the determine 2 1and pages on Manually view video each forup search that term. of come that results number the Determine Search for to “How __download use and RAT”

# OF RESULTS# OF 30,490 11,300 9,920 2,500 4,520 2,250

VALID HITS 179 188 of (2 PAGES)(2 of 40 40 of 40 40 of 40 38 28 of 34 of 34 33 - crypter-how-it-works.html http://way2h.blogspot.com/2013/02/what-is- For more to: go deletednot detected and by anti-viruses. anyor RAT tool from are they that so anti-viruses keyloggers viruses, hide to used software as fined hit”: lowing a“valid to criteria determined be According to Way is de 2Hackintost, ACrypter 5. 4. 3. 2. 1. more fol or of the one to had meet Each video

VALID HITS in the subject line. subject the in howon to download and/or “crypter” the use Include specificinstructions duringthe video avictim’sdetected on computer. aRemoteenables Access Trojan to un go to download alink Include that a“crypter” Remote Access Trojan line. subject the in howon to download, spread, and/or the use Include specificinstructions duringthe video Trojancess video. the in specified to download Remote alink Include Ac the download XRAT” itself. video the title or the in to “How and use language, the Include 188 71 of W/ADS of 40 19 of 40 19 of 40 14 10 of 33 9 of 34 VALID (%) HITS 100% 100% 95% 95% 97% 82%

VALID HITS W/ADS (%) 38% 30% 48% 48% 26% 35% 35% - - - -

SELLING “SLAVING” // 39 ACKNOWLEDGEMENTS many 1 many saw of and research, learned this doing we also we that saw things while cruel and sad For the all ing understand some complicated issues: swering questions: our research an their and for publicly sharing tions fight offrontprotect this to line consumers. the is on community security cyber The expertise. research their for and sharing experts and alysts we that ask. gested hadn’t sug Hat if “Hemu” at student Black college the previously mentioned conversation with the We issue. this us on wouldeducating not have had Citizens even We Alliance existed. for him thank of hackers beforefor victims since Digital the the advice. and help for looking media reachwho social to via out her Wolf to Cassidy responds RAT to light. story victims we as brought inspiration this team with our vided Wolf They pro Mary for us. and with working sidy > > > > These individuals shared their expertise to help > > > > > organiza - these thank to like we’d Specifically, an security we cyber Also, want the to thank fighting been has Blue SSP of Nigam Hemanshu > > > > > > > > > > > > > and Shevirahand Weidman, Security Georgia of founder Bulb FellowLegal of Law College Adam Rouse, Chicago-Kent James Pastore Will O’Neal, Mid-Atlantic Computer Solutions Miliefsky, Snoopwall.com Gary Scott Aken Verizon Enterprise Solutions Symantec Nielsen SecureWorksDell Security Blackfin : 1 acts of kindness. We of are kindness. grateful acts to Cas 1 ------shared special skills: shared special who fromwe professionals talented got help for answers: search the in deeper alittle usdig helped who Wesearch for report. greatly this appreciate those malware: pushing gerous individuals work to their protect from dan cussed consumers > > to report, produce this we when needed Also, > > There were some long hours spent on re dis who officials enforcement law the Also, > > > > > > > > > > > > TransPerfect PhotographyGreg Nelsen Studio FoxDog D.Lauren Shinn LLC Consulting, Outhaul Osborne, Patrick Law School University Students Association, George Washington Meghan Green, President of the Cyberlaw (FBI) of Justice Department Eimiller,Laura at U.S. Relations Press & Public California of District Central the Officefor Attorney’s U.S. Section, Crimes tual Property Wesley Intellec and Cyber of Hsu, Chief the - - - -

SELLING “SLAVING” // 40 ENDNOTES 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1

Websites-Ranking-85905.shtml) Pirate-Bay-Joins-Google-and-Yahoo-in-the-Most-Popular- 2008. (http://archive.news.softpedia.com/news/The- May 19 Softpedia. Ranking” Websites Popular Most the in Yahoo and Google Joins Bay Pirate “The Popa, Bogdan uploads/4/1/8/3/41830523/digital_peepholes_2015.pdf) Law, Policy and Technology, Webcams: of Activation Remote Peepholes Digital Holloway, Massoglia, &Dan Michael Andrews, Lori omniscient-internet-sextortionist-ruined-lives/) (http://arstechnica.com/tech-policy/2011/09/07/how-an- 2011. 7Sept Technica. Ars girls” teen of lives the ruined Nate Anderson, “How an omniscient Internet “sextortionist” victims--computers-to-extort-photos.html) cybercrime-hacking/man-gets-6-years-for-hacking- 2011. (http://www.computerworld.com/article/2510927/ 1Sept ComputerWorld. photos” to extort computers victims’ hacking for 6years gets “Man McMillan, Robert omniscient-internet-sextortionist-ruined-lives/) (http://arstechnica.com/tech-policy/2011/09/07/how-an- 2011. 7Sept Technica. Ars girls” teen of lives the ruined Nate Anderson, “How an omniscient Internet “sextortionist” breach-investigation-report-2015-insider_en_xg.pdf www.verizonenterprise.com/resources/reports/rp_data- Nielsen from figures on Based their-webcams/ breeders-meetthe-men-who-spy-on-women-through- http://arstechnica.com/tech-policy/2013/03/rat- (Mar. 10, 2013), Technica, Ars Webcams” Their Through Nate Anderson, “Meet the Men Who Spy on Women usahacked-again-in-massive-cyber-breach/ http://nypost.com/2014/05/19/miss-teen- 2014), 19 (May Teen York New USA,” Post Miss Ensnared that Breach Cyber in Arrested 90 “Over Calder, &Rich Hagen Elizabeth 18-months-prison-article-1.1724809) com/news/crime/mastermind-teen-usa-sextortion-plot- (http://www.nydailynews. 17York Mar. News. 2014. Daily New prison” in to 18months sentenced plot, ‘sextortion’ Teen USA Miss in guilty teen, “Calif. Goldstein. Sasha 17, Sept. 2013) Cal. (C.D. 00199-JVS v. 7, at Abrahams U.S. Complaint Criminal hacking-report.pdf com/assets/pdf-store/white-papers/wp-underground- at available 2014), (December Dell SecureWorks, “Underground Hacker Markets,” com/2014/05/blackshades-trojan-users-had-it-coming/ http://krebsonsecurity. 2014), 19 (May Security on Krebs Krebs,Brian Trojan “‘Blackshades’ Users Had It Coming” SMiliefsky-SnoopWall_downloadPDF.pdf content/uploads/2014/12/2015-Year-of-The-Rat-by-Gary- (2015), Year Rat—Threat The the of “2015: Report” Miliefsky, Gary com/security-news/blackhat-hacker/) (http://www.pctools. Tools. PC Hacker?” a Blackhat “What’s Verizon 2015 Data Breach Investigations Report Investigations Breach Data Verizon 2015 http://www.snoopwall.com/wp- at available . 2015. (http://www.ckprivacy.org/ . 2015. , http://www.secureworks. , No. 8:13-cr- , No. http:// : p t t h ,

28 27 26 25 24 23 22 21 20 19 18 17 16

objectionable-content/article/3873056) claims-it-makes-little-money-from-videos-with-illegal-or- (http://newsok.com/google- 2013. 18Aug Oklahoman. from videos with illegal or objectionable content” The money little makes it claims “Google Knittle, Andrew appearing-with-isis.html) news/2015/03/04/p-g-seeks-to-halt-ads-from- (http://www.bizjournals.com/cincinnati/ 2015. 4 Mar with ISIS propaganda videos” Cincinnati Business Courier. appearing from ads to halt seeks “P&G Brunsman, J. Barrett permalink/2013/11/18/googleblocking (Nov. http://www.digitalmusicnews.com/ 2013), News 18, Music Digital Pornography…” to Child Related Queries Search 100,000 Blocking Now Is Resnikoff,“Google Paul nowreviewed-by-staff-will-include-age-based-ratings/ com/2015/03/17/app-submissions-on-google-play- Ratings” Age-Based Include Staff,Will By Reviewed Now Play Google On Perez, “App Submissions Sarah 2015) 16, July (last visited question/index?qid=20080916214402AAsP2 https://answers.yahoo.com/ at available my laptop?” from virus Ivy Poison the Iremove do “How Answers, Yahoo! html 2009), http://www.spywareremove.com/removePoisonIvy. 17, (Apr. Remove. Spyware “PoisonIvy” SpywareRemove, roundup-1h-2014 security/news/mobile-safety/the-mobile-landscape- http://www.trendmicro.com/vinfo/us/ 2014), 26, (Aug. Trend 2014” 1H Micro. Roundup: Landscape Mobile “The control_trojan/) (http://www.theregister.co.uk/2014/06/26/industrial_ 2014. Jun 26 Register. The EUROPE” in software control RATs Stuxnet-style critical fling at “Attackers Leyden, John you-have-stopped-a-1-billion-apt-attack/#.VZGQW_lVikr) (http://securityintelligence.com/carbanak-how-would- 2015. Feb 23 Intelligence. Security Attack?” APT a $1 Billion Would How You Have Stopped “Carbanak: Kessem, Limor bb0a-edc80b63f511.pdf) 5E3BD824CF47C46EF4B9D3A76/298a8ec6-ceb0-4543- (https://media.gractions.com/314A5A5A9ABBBBC2015. Thieves and The Hijacking of The Online Ad Business Digital Bad: Going Still Money Good Alliance, Citizens Digital 18-months-prison-article-1.1724809 com/news/crime/mastermind-teen-usa-sextortion-plot- (Mar. 17, News York http://www.nydailynews. Daily 2014) New prison” in to 18months sentenced plot, ‘sextortion’ Teen USA Miss in guilty teen, “Calif. Goldstein Sasha software-140508/ com/google-blocks-demonoid-for-spreading-malicious- (https://torrentfreak. TorrentFreak. 2014. 8May Software” Andy, “Google Blocks Demonoid For Spreading Malicious the-pirate-bay/) PIRATEBAY.SE” TorrentFreak. (https://torrentfreak.com/ “THEPIRATEPARTYBAY: THEPIRATEBAY.ORG THE AND TechCrunch . (Mar. 17, http://techcrunch. 2015), . May May .

SELLING “SLAVING” // 41