Digital Bait

Home , Crimeware, DeepDotWeb, ExtraTorrent, Fandor, Flixster, Hacker

DIGITAL BAIT

HOW CONTENT THEFT SITES AND MALWARE ARE EXPLOITED BY CYBERCRIMINALS TO HACK INTO INTERNET USERS’ COMPUTERS AND PERSONAL DATA

DECEMBER 2015 TABLE OF CONTENTS

INTRODUCTION AND SUMMARY...... 1-2

OBJECTIVES AND METHODOLOGY...... 3-5

Objectives...... 3

Quantitative Study Methodology Overview...... 3

Sample Design...... 3

Control Group Design...... 4

Data Collection...... 4

Data Availability...... 4

Profile of a Crimeware Distribution Network...... 5

QUANTITATIVE FINDINGS...... 6-7

Sites with Malware Incidents...... 6

Malware Incident Rates for Users Visiting These Sites...... 6

How Malware is Delivered...... 6

Types of Malware...... 6

Estimated Number of Consumers Affected...... 7

THE INTERNET'S MOST DANGEROUS INTERSECTION: CONTENT THEFT AND MALWARE...... 8-16

Malware and Its Many Types...... 8

Threats to Consumers...... 10

Malware Fraud Schemes Against Consumers...... 12

Threats to Advertisers...... 13

How Malvertising Works...... 14

Malware Fraud Schemes Against Advertisers...... 14

Threats to Society...... 15

Malware Fraud Schemes Against Society...... 16

#FollowTheProfit DIGITAL BAIT i TABLE OF CONTENTS

UNDERSTANDING THE "CRIMEWARE" ECONOMY...... 17-18

The DarkNet...... 17

Inside the DarkNet...... 17

The Professional Hacker...... 17

Crimeware Specialization...... 18

PROFILE OF A CRIMEWARE DISTRIBUTION NETWORK...... 19-23

Crimeware and Affiliate Programs...... 19

How One Affiliate Program Works...... 20

Payouts...... 22

Affiliate Earnings...... 23

REVENUE MODEL...... 24-25

Pay-Per=Install Rates...... 24

Estimated Malware Exposures...... 24

Estimated Install Rate...... 24

Revenue From Malware...... 24

Estimating Potential Malware-Related Revenue...... 25

CONCLUSION...... 26

ABOUT DIGITAL CITIZENS ALLIANCE...... 27

ABOUT RISKIQ...... 28

APPENDIX...... 29-33

REFERENCES...... 34

#FollowTheProfit DIGITAL BAIT ii INTRODUCTION AND SUMMARY

Content theft, or piracy as it’s commonly known, the spread of malicious materials to the comput- poses a serious and underappreciated threat to In- ers of unsuspecting consumers. Content thieves ternet users by exposing them to harmful malware are no longer satisfied with targeting creators, not that can lead to identity theft, financial loss, and when there is big money to be made from preying computers being taken over by hackers, according on consumers as well. to a new report commissioned by the Digital Citi- zens Alliance. After its two “Good Money Going Bad” reports explored the business models behind ad-sup- Probing a sample of 800 sites dedicated to dis- ported content theft sites, DCA commissioned tributing stolen movies and television shows, the RiskIQ, a leading provider of online security and ad cyber security firm RiskIQ found thatone out of ev- monitoring services, to estimate the amount and ery three content theft sites contained malware. type of malware that content theft sites carry and to explore the connection between content theft The study found that consumers are 28 times and malware ecosystems in the dark corners of more likely to get malware from a content theft site the Internet. than on similarly visited mainstream websites or li- censed content providers. What RiskIQ found should be troubling to anyone concerned about keeping Internet users safe And just as worrisome, merely visiting a content online. The research found that once hackers get theft site can place a users’ computer at risk: 45 into a computer, they can use it for a wide range of percent of the malware was delivered through so- criminal schemes where the user of the computer called “drive-by downloads” that invisibly download is the victim. to the user’s computer—without requiring them to click on a link. These include: >> Stealing bank and credit card information While content theft has long been wounding cre- that is then sold on underground Internet ex- ators large and small, the RiskIQ report shows that changes. After the hack, consumers find their the base of victims includes the unwitting Internet bank accounts depleted or suspicious charges users who go to content theft sites for “free” content. on their credit cards. There is an underground market for credit card information that ranges By exploiting stolen content to bait mainstream from $2 to $135 per credit card credential. consumers, bad actors have uncovered an effec- >> Finding personal information that makes it tive means to hack into millions of computers. easier to sell a person’s identity to the highest bidder online. In July, the FBI added five online Baiting Internet users, stealing their personal in- criminals to its “Most Wanted” list for creating formation, and taking control of their computers is computer programs that stole identities and fi- becoming big business—an estimated $70 million nancial information. per year just from peddling malware. >> Locking a user’s computer and demanding a ransom fee before returning access to their files. Digital Citizens found a significant change in the content thieves’ business model. Historically, they Hackers don’t just steal personal information and have profited by taking money out of the pockets financial records—they gain access to an Internet of content creators. Now, content thieves have cre- user’s computer, enabling them to control it for ne- ated another stream of revenue that comes from farious purposes, including ad fraud, spamming,

#FollowTheProfit DIGITAL BAIT 1 denial of service attacks, or extortion by threaten- dollars stolen. Then these computers are taken ing to cripple businesses through attacks on their over to wreak more havoc, causing a nightmare for computer systems. everyone from Internet users, to advertisers who get defrauded, to corporations blackmailed into The majority of malware installed through con- paying off hackers who threaten to use those rogue tent theft sites was either Trojans, to spy on the computers to launch attacks. consumer’s computer, or adware, designed to co-opt the consumer’s computer into advertising And it can all start with a casual visit by an Inter- fraud schemes. net user to a content theft site.

This is disturbing news for the advertising in- These revelations should be a wake-up call. To dustry and consumers. The Interactive Advertising consumers: be wary of content theft sites that of- Bureau (IAB), the trade association for online adver- fer something valuable for “free,” for there is a good tisers and sellers, reports that revenue for online ad- chance the price you actually pay is an infected vertising totaled $49.5 billion in 2014. This is largely computer. To Internet safety groups: create aware- due to innovations in advertising that open up the ness and education campaigns, especially aimed ecosystem to a mass market for any advertiser or towards younger Internet users who often don’t publisher with a bank account. However, malware consider the impact of their browsing choices. To threatens to undermine the trust in the new market government: step up enforcement of laws on the these innovations have opened. books to identify and deter those who bait and defraud consumers. And to advertisers and ad net- The U.S. Department of Justice reports that works: continue to build safeguards against hack- 16.2 million U.S. consumers have been victimized ers who are creating elaborate fraud schemes and by identity theft, with financial losses totaling over ultimately undermining trust in online advertising. $24.7 billion. If the public better understands the intersection What is perhaps most troubling about these find- of content theft and malware, we can reduce the ings is how easy it is for hackers. Bad actors dangle number of victims. Until we do so, there will be free content, consumers take the bait, and the end bait . . . and prey. result is millions of identities at risk and billions of

#FollowTheProfit DIGITAL BAIT 2 OBJECTIVES AND METHODOLOGY

OBJECTIVES pling of legitimate viewing sites and random sites DCA commissioned RiskIQ to assess and analyze that are representative of the general Internet. In any links between content theft sites distributing both groups, a broad sample of sites was ana- unlicensed copies of movies and television shows lyzed, including sites that are highly popular and and malware. those less frequently visited.

RiskIQ performed this study in two parts. The first RiskIQ defined malware as software designed is a quantitative study that analyzed the rate of mal- with malicious intent to gain unauthorized access, ware exposures across a sample of content theft collect private data, or inflict intentional damage. sites against a control group representing the general web site population. The second is a research The sites were probed for malware by simulating study into the malware distribution ecosystem and the behavior of users from the U.S. with a variety of the role content theft sites play. Taken together, the browser profiles to approximate typical U.S. targets two pieces present a clear picture of the mechan- for malware distributors. ics of what, why, and how frequently content theft site operators place malware on their sites, and the SAMPLE DESIGN economics of the partnership between content The sample group was comprised of “content theft thieves with the pushers and designers of malware. sites” which consist of: >> 25 Sites from the March 2015 Notorious Mar- RiskIQ’s focus is to detect malware incidents for kets Report published by the U.S. Trade Repre- web sites and advertisers trying to protect them- sentative selves from malware exploits that would affect their >> The top 25 sites from the Google Transparen- end consumers and partners. As such, RiskIQ de- cy Report (GTR) for the month before the scan. tects anything ranging from suspicious incidents to (Note this list overlaps with the Notorious Mar- outright, confirmed cases of malware. RiskIQ’s sys- kets Report.) tem classifies cases as “exact” matches, which are >> 750 sites selected at random from the top confirmed and active cases, and “reputational” cas- (250), middle (250) and bottom third (250) of the es, which are incidents that are suspect because GTR with at least 20,000 copyright infringement they use infrastructure that was previously used removal requests since the inception of the GTR for a malware attack. In the interest of precision, for the purposes of this study, RiskIQ used only “exact” The following were excluded from the sample matches. This conservative approach suggests that group of content theft sites: the actual level of malware is larger—and perhaps >> Sites primarily dedicated to video game much larger—than the estimates found here. content theft were excluded from the study because most gaming files are executable files, QUANTITATIVE STUDY which carry more apparent inherent risks of mal- METHODOLOGY OVERVIEW ware infection. The quantitative study was designed to provide >> Sites with primarily adult content were also an objective comparison of the amount and type excluded. This was done by filtering out adult re- of malware found on content theft sites with a lated domains and by running a keyword classi- control group of sites, which comprise a sam- fier for page content.

#FollowTheProfit DIGITAL BAIT 3 CONTROL GROUP DESIGN navigation links while clicking through 5 links per Control group sites were intended to represent le- page to a depth of 3 pages within a site. Additional- gal online media sites and the general Internet and ly, click throughs were limited to the domain of the were drawn from the following sources: first page in a site crawl. >> 100 sites were selected from the list of legal online media sites on Where to Watch, a site that The amount of malware discovered is a conser- promotes legal alternatives in the U.S. to content vative measure because: theft sites. >> No ads were clicked on for the study. Most >> 150 sites were selected, like the sample malicious ads deliver malware upon loading. group, at random from among top third, middle Even though RiskIQ’s system is capable of click- third and bottom third of global Alexa-ranked ing through on ads, previous experience had sites ranging from the top ranked site to the shown that the rate of malware exposure from 999,999 ranked site, and filtered so as to not actually clicking on ads was extremely low, indi- overlap the sample group. cating that clicking on ads would not have mate- rially changed the results of this study; and DATA COLLECTION >> No files were downloaded from the sites for All sites in both the sample and control groups were the study, even though malware can be deliv- scanned for malware for a period of four weeks ered through the file download, which means from June to August 2015. RiskIQ’s proprietary mal- that the study does not include the malware risks ware detection solution scans sites with a global from sites, such as torrent sites, that offer down- proxy network of virtual users that simulate the be- loading of content. havior of real consumers with a variety of operating systems and browsers. For the purposes of this These limitations of the methodology suggest study, scans were limited to users across 20+ cities that the malware uncovered by this report is a con- in the U.S. only. Malware analysis was run through a servative measure of the total amount of malware series of market standard malware detection tools, delivered by content theft sites. including VirusTotal and RiskIQ’s own proprietary detection system. DATA AVAILABILITY RiskIQ designed a study that could be easily re- Each simulated user was configured to navigate peated by any researcher with the capability to ad- up to three levels deep for a maximum of 25 pages equately analyze and detect malware on web sites. daily per site. Data collection sampled an average of just over 50 pages daily per site during the four- The data and malware analysis from this report is week period. Scans were designed to check for the available online at: presence of malware in either “drive-by downloads” >> http://www.digitalcitizensalliance.org (where no user initiated action is required) or user-initiated downloads, typically delivered through Researchers who wish to repeat the study or pop-ups or fake software update requests. Click have questions about the results may contact the throughs were performed based on a link scor- DCA through their online contact form. er that preferred links containing downloads over

#FollowTheProfit DIGITAL BAIT 4 PROFILE OF A CRIMEWARE DISTRIBU- with undercover online personas into DarkNet ex- TION NETWORK changes and marketplaces to collect information After calculating the amount of malware found on about popular malware distribution programs with content theft sites, RiskIQ went on to probe the ties to content theft sites. Multiple programs were ecosystem connecting malware to content theft found. A typical program is profiled in this report sites. Specifically, they looked at who deployed with some details removed to protect the sources the malware, what kind of malware was prevalent, that provided the information. This profile provides and how much money could be made from using valuable insight into the typical revenue for sites in- content theft sites to distribute it. For the qualitative volved with malware campaigns and sheds light on component of the study, RiskIQ sent researchers how the business relationships work.

#FollowTheProfit DIGITAL BAIT 5 QUANTITATIVE FINDINGS

SITES WITH MALWARE INCIDENTS undetected. Forty-five percent of malware pay- RiskIQ found that 33 percent of sites in the Content loads found on the sample sites downloaded invis- Theft Sample group had at least one malware inci- ibly in the background and did not require the user dent over the month in which it collected data com- to do anything to confirm the download. Users did pared with 2 percent for the Control Group. not need to download media or click on any pop- up advertisements to be infected by these attacks. MALWARE INCIDENT RATES FOR USERS VISITING THESE SITES The remaining 55 percent of the malware lured RiskIQ found that users are 28 times more likely to users with fake prompts for requests such as Flash be infected with malware when visiting sites in the downloads and anti-virus updates -- many of these Content Theft Sample group as compared with the prompts look virtually identical to prompts from Control Group. Of the Content Theft Sample group, the actual legitimate providers of such services. 8 percent (1 in 12) of user visits resulted in exposure While some users may know enough to avoid fake to malware, compared with 0.3 percent (1 in 333) prompts, attackers are often able to trick users into user visits for the Control Group. accepting a payload just to get rid of a pop-up. The malware payloads for these user initiated down- Many of the sites in the Content Theft Sample loads are typically larger, containing more than one Group sustained very high exposure rates, suggest- type of malware because they do not have to be in- ing that malware distribution was part of their ongo- stalled surreptitiously in the background like drive- ing modus operandi. For example, 20 of the content by downloads. theft sites exposed more than three out of every four users (75 percent) that visited them to malware. TYPES OF MALWARE Over half of all malware detected was classified as HOW MALWARE IS DELIVERED Trojans by RiskIQ’s malware analysis tools. “Trojan” “Drive-by downloads” allows malware to be deliv- is the general term for any malware that secret- ered without the victims even having to click on ly installs itself to open unauthorized access to a anything after arriving on the page. Drive-by down- computer. loads infect users silently and can go completely

29% ADWARE

MALWARE TYPES OF DELIVERY MALWARE 5% 55% 45% 54% TOOLBAR USER INITIATED DRIVE-BY TROJAN DOWNLOADS DOWNLOADS 3% BOTNET 9% OTHER

#FollowTheProfit DIGITAL BAIT 6 Malicious adware and toolbar software were ESTIMATED NUMBER OF CONSUMERS the next most prevalent types. The definition of AFFECTED Adware can range from benign to annoying to ma- RiskIQ estimated that each month 12 million U.S. licious. Adware detected by the anti-virus tools in users were being exposed to malware attacks from this study was weighted toward the malicious end the specific sites they visited in the Sample Content of the spectrum. Theft Group, based on Alexa traffic data and Risk- IQ’s measure of malware incident rates. Lastly, “Other” was used to signify minor categories and instances where an exploit kit was detect- RiskIQ applied the average malware exposure ed but the malware type was not determined. rate for each site with Alexa average monthly traffic of unique visitors. Note that Alexa data does not A subset of Trojans, Remote Access Trojans permit de-duplication of visitors; however, the 12 (“RATs”), were also quite prevalent. RATs can be million user figure may still be a conservative es- used to steal logins and financial data, or take over timate among the Sample Group for two reasons: a user’s web cam and use it to spy on them. Below is a list of the top 10 RATs found in our scans. First, Alexa measures audiences by allowing In- ternet users to opt into a tracking panel. Many users who engage in illegal activities do not choose to TOP 10 REMOTE ACCESS opt in to the Alexa panel because they do not wish TROJANS (RATS) IDENTIFIED to have their online behavior tracked. For this rea- IN RISKIQ SCANS son, traffic to Content Theft sites, and DarkNet sites 1. XTREME RAT in general, is likely underreported. Second, Alexa 2. BIFROST tracks traffic data for only 21 percent of the sites in 3. BACK ORIFICE the Sample Content Theft Group. According to Al- 4. NJRAT exa, the sites that were tracked average more than 5. ADWIND 88 million unique users from the U.S. each month. 6. DARKCOMET 7. BLACKSHADES Given that the remaining 79 percent of sites 8. SBU7 do not have traffic figures, and further that the 9. POISON IVY non-Sample sites are not covered by this estimate; 10. CERBERUS this number is a floor, not a ceiling, for the potential users affected.

#FollowTheProfit DIGITAL BAIT 7 THE INTERNET'S MOST DANGEROUS INTERSECTION: CONTEFT THEFT & MALWARE

Malware inflicts significant harm on consumers, on advertisers, and on society in general. This section explains in words and in illustrations how the major types of malware work, and the serious problems they can inflict.

MALWARE AND ITS MANY TYPES

MALWARE Software designed with malicious intent to gain unauthorized access, collect private data, or inflict intentional damage.

TROJANS Software that installs itself without the user’s knowledge either secretly or hid- den inside a seemingly benign user action such as opening an email or web page. Most Trojans open up unauthorized access to the victim’s computer.

REMOTE ACCESS TROJANS (RATs) A particularly powerful form of Trojan that gives the attacker administrative access to the user’s computer. Hackers use RATs to steal data and control web- cams, even making videos of unsuspecting victims. For more information on RATs, see the DCA’s report Selling Slaving.

#FollowTheProfit DIGITAL BAIT 8 clickthis.com ADWARE Software designed to make money through ads targeted at the computer’s us- Free Money! ers. Adware is often installed without the user’s consent as part of another program. Adware programs can be highly invasive, running in the background and serving pop-ups to the user even when they are not browsing, and collecting their personal data in order to target them with more profitable ads. They are also frequently used for the purposes of traffic fraud. Adware can range from the benign to the annoying to the malicious. Adware detected by the anti-virus tools in this study was weighted toward the malicious end of the spectrum.

BOTNET A distributed system of Internet connected computers acting as a group at the command of a Bot controller, who directs them to accomplish certain tasks. Botnets are used to fake advertising traffic, attack web sites in Distributed De- nial of Service attacks (DDOS), and carry out spam and phishing campaigns.

EXPLOIT Software or a script that takes advantage of a computer’s security vulnerability—often with Flash or Java—to install unwanted code such as malware. Where malware is the payload, the exploit is the tool that opens the computer’s back door to install the program.

#FollowTheProfit DIGITAL BAIT 9 THREATS TO CONSUMERS Few consumers who use content theft sites, or THE DEPARTMENT OF JUSTICE whose family members use such sites, realize they have become targets for malware. And malware REPORTS THAT U.S. CONSUMERS means more than just a slow computer. An infected LOSE $24.7 BILLION TO IDENTITY computer exposes everyone who uses it—children, THEFT IN A SINGLE YEAR.2 spouses, or roommates—to the risks of being vic- CONSUMER REPORTS FOUND timized by any of a variety of criminal schemes. THAT MALWARE ALONE COSTS This study found a range of malware exploits on CONSUMERS $2.3 BILLION.3 content theft sites targeting both computers and tablets. Typically, the risks to consumers fell into three categories.

Identity Theft is the most prevalent problem. As noted in our findings, Trojans were by far the most prevalent type of malware RiskIQ found in its scans. UP TO $135 Popular Trojans such as Dyre, Zeus, Shyloc, and THE GOING RATE PER CONSUMER Ramnit are designed to steal consumer creden- CREDIT CARD CREDENTIAL tials on a massive scale. Once a consumer has in- advertently downloaded the software, the criminal ON UNDERGROUND INTERNET behind the exploit, known as a harvester, batches EXCHANGES together credentials from the same financial insti- tution, and sells them online in underground exchanges for anywhere from $2 to more than $135 per credential,1 depending on the quality. Trojan kits were once available only to highly skilled or connected cyber criminals. Today, anyone with basic web skills can find and deploy them.

Ransomware is malware that installs itself on the consumer’s PC, encrypts their files, and posts a message demanding they make a payment in $100-$500 order to regain access to their files. Typically, crim- TYPICAL AMOUNT CHARGED BY inal operators demand $100-$500 in ransom,4 RANSOMWARE OPERATORS FOR the same price as a data recovery service would charge in most U.S. cities. In June 2015, the FBI CONSUMERS TO REGAIN ACCESS reported receiving complaints amounting to $18 TO THEIR PC million in losses due to ransomware for the past year alone.5

#FollowTheProfit DIGITAL BAIT 10 Remote Access Trojans, or RATs, are a particularly potent form of Trojans that grant the controller CONTENT THEFT SITES OFFER THE full access to the victim’s device. Not only can they PERFECT VEHICLE TO DELIVER log keystrokes and collect data or files, they can MALWARE TO MAINSTREAM also access the camera. As the DCA reported in its study, Selling Slaving, hackers who run networks of CONSUMER HOUSEHOLDS. slaved devices sell video streams of men, wom- OFTEN KIDS DO THE DAMAGE BY en, boys, and girls as reality porn online to com- VISITING SITE OFFERING FREE munities of voyeurs. Also concerning is the rise of one-to-one attacks by hackers who select a victim, DOWNLOADS, LEAVING INFECTED “own” their computer, and proceed to blackmail and THE HOUSEHOLD COMPUTER manipulate them. The most common scenario is to WHERE PARENTS PAY THE BILLS take compromising pictures or capture compro- AND MANAGE BANK ACCOUNTS. mising secrets from the user’s PC. Then, the attacker threatens to publish the pictures or information on social media if the victim does not meet their demands. As noted in the findings, RiskIQ found several popular RATs, which have large distribution and are very easy to use.

#FollowTheProfit DIGITAL BAIT 11 MALWARE FRAUD SCHEMES AGAINST CONSUMERS

“THE ID SNAG” > CREDENTIAL THEFT CYCLE 1. Household members visit content theft site 2. Site downloads Trojan or “spyware” to victim’s computer 3. Spyware activates when adult members of household log in to banking site or credit card site 4. Malicious advertiser or “Harvester” grabs the consumer’s logins and sells them into underground exchanges 5. “Cashiers” buy thousands of credentials and systematically exploit them 6. Victims often find later that their bank account has been drained or systematically raided with random charges that often go unnoticed for many months

“THE RANSOM” > RANSOMWARE SCHEME 1. Household member visits content theft site 2. Site installs malware that fully encrypts the user’s files or merely posts a scare-tactic message. Some ransomware even posts fake messages about the user’s “Illegal activity,” demanding they pay a fine for downloading copy- righted media or illegal pornography. 3. Consumer must then negotiate with the attacker to pay a ransom fee to regain access to their computer and files

“THE SLAVER” > REMOTE ACCESS TROJANS 1. Household member visits content theft site 2. Site downloads Remote Access Trojan to victim’s computer 3. Attacker then takes control of the computer in order to spy on the user’s activity: »» Web cam can be turned on for a live web stream into the consumer’s private life. Access to these web streams are commonly sold in forums to voyeurs. »» Personal data can then be used to blackmail the user with threats of posting information about their private life on their own social media accounts. »» Just as with any Trojan, identity theft is always an ultimate endgame when other options are not as fruitful for the attacker

#FollowTheProfit DIGITAL BAIT 12 THREATS TO ADVERTISERS Malware distribution through content theft sites also defrauds advertisers. Double Verify, a leader in $50-$200 the ad verification business, observed in 2014 that PAY RATE PER 1,000 INSTALLS FOR A content theft sites have unique characteristics that TYPICAL MALVERTISING CAMPAIGN6 make them ideal for traffic laundering. They have high volume traffic from a valuable audience, but their objectionable (pirated) content drives away malware on their PC, they may become a part of premium advertisers. Advertising fraud schemes the massive infrastructure that perpetrates traffic offer content theft sites a way to earn money from fraud on the advertising industry. premium advertisers without those advertisers knowing their ads appeared on such sites. For the In the November 2015 report from IAB and EY, criminals behind advertising fraud, a content theft "What is an untrustworthy supply chain costing the site offers a vehicle to capture real, valuable users US digital advertising industry?”, researchers esti- clicking on ads. mated that advertisers would lose $4.4 billion an- nually to fraudulent, non-human traffic.7 From the criminal’s perspective, installing malware from content theft sites is an attractive line of More malware means more ad blocking. Ad business. Alternative money-making scams, such blocking has been on the rise since 2012, creating as phishing emails, have always been a blunt tool more obstacles for advertisers to reach their audi- for targeting, and enforcement efforts have made ence, and reducing the revenue necessary to drive them increasingly less effective. “Malvertising” cam- the creation of more sites and services. Adobe paigns, by contrast, are highly targeted and very reports that over 144 million Internet users glob- efficient. The proliferation of malware via content ally use Ad Blocking software.8 Users who do use theft sites contributes to three trends that should ad-blocking software cite privacy as their major be of concern to anyone in advertising. concern. Publishers are now reporting ad-blocking rates from 10-50 percent depending on their More malware means more bots, and more bots demographic.9 Continued headlines over identity could mean more traffic fraud. Content theft sites theft and malware infections delivered via ads will use media content to draw quality audiences to drive this advertiser-unfriendly trend. their web sites. When these same consumers get

#FollowTheProfit DIGITAL BAIT 13 HOW MALVERTISING WORKS

1. Attacker registers as an Advertiser with Self-Service Ad Platform 2. User visits website 3. User Targeting Data sent to Ad Platform 4. Impression sold to Attacker 5. Malvertisement served to Ad Platform 6. Malvertisement served to Website 7. Exploit kit loads 8. Vulnerable browser plugins discovered 9. Malware installed on User's device

MALWARE FRAUD SCHEMES AGAINST ADVERTISERS

“THE ROBOT ARMY” > HOW BOTS GENERATE FAKE IMPRESSIONS 1. Content theft sites attract mainstream population from valuable households 2. Household member’s device infected by malware that converts PC into a “bot” that browses sites in the background, loading and clicking on ads 3. Bot owner rents out household PC for fraud schemes 4. The family is left to wonder why their home PC is running so slow, while it surfs the web and clicks on ads to make money for the bot owner and criminal ad fraud schemes

“THE WASH” > MONEY LAUNDERING SCHEME 1. A criminal organization sets up web sites as a “front.” Often these are sketchy sites with cheap content—even stolen content, or sites run by “mules” who are recruited by the criminals to run ads to launder money 2. The web site operators or mules register with a sketchy ad network or advertising exchange without sufficient controls to detect traffic fraud 3. The same criminal organization that set up the web sites then runs click fraud bots to view and click on the ads 4. Web sites like content theft sites attract just enough natural traffic to avoid being detected for fraud 5. Money makes full cycle from advertiser to web sites that are usually con- trolled by the same organization. The typical revenue share to ad network or exchange and money mules is a reasonable fee for laundering the money

#FollowTheProfit DIGITAL BAIT 14 THREATS TO SOCIETY Malware not only affects individuals and advertisers. Infected computers can also be enlisted into $1,000 criminal activities that affect society at large. THE HOURLY RATE FOR RENTING 10,000 U.S. COMPUTERS ON Botnets play an essential role in the crimeware RECENTLY DISCOVERED BOTNET10 economy. Malware can convert the consumer’s PC into a “bot” or “zombie” that performs the operator’s bidding. Botnets essentially act as underground distributed computing systems for criminal operators. Spamming and Phishing clog the mail servers of the Internet and provide a major vector for malware Distributed Denial-of-Service Attacks (DDoS) distribution and credential theft. “Botted”computers disrupt consumer services by flooding a target web acting as mail servers send out emails that would site or Internet service with so many requests that it otherwise be blocked by most commercial send- simply shuts down. With rental rates from nefarious ers. Some even host phishing sites themselves to web site operators starting as low as $150, botnets avoid the obvious challenges of hosting them with are relatively cheap to use for DDoS attacks and a reputable commercial ISP. The largest docu- can exact an expensive toll on their targets. mented botnets in history have been found to infect millions of computers and send out billions of DDoS attacks are sometimes used by hacktiv- emails per day.11 ists to attack or censure governments, organizations, and publications with which they disagree. Distributed Financial Fraud is another common They are also used by criminals to extort money use for infected computers. Some bots are capable from the organizations that they target. Last but not of capturing a victim’s account login and then using least, DDoS attacks can be used to distract secu- that same computer to log in and conduct transac- rity teams and keep them busy while hackers try tions on the account to avoid detection. Because to penetrate their defenses. Security firm Incapsula the transaction comes from the victim’s own com- surveyed over 270 firms in North America between puter, it is much harder for financial institutions to 250 and 10,000 employees on the impact of DDoS detect the fraud. attacks. The average cost of an attack across all survey respondents was estimated to be about In summary, botnets provide criminals with the $500,000. For a sense of how individual firms can infrastructure to wreak havoc and mischief on the be affected, technology firm Neustar offers this Internet community at large. For the consumer, the DDoS cost calculator. DDoS attacks continue to be most obvious effect of botnet software is a slow a tremendous cost to the private sector in terms of computer, but participating in a botnet unwittingly money, jobs, and productivity. assists criminals to defraud other consumers. Con- sumers who host bots unwittingly become a part of a global network of computers that are the underpinning of many cybercrime schemes.

#FollowTheProfit DIGITAL BAIT 15 MALWARE FRAUD SCHEMES AGAINST SOCIETY

“THE SHAKEDOWN” > DISTRIBUTED DENIAL OF SERVICE EXTORTION AND CENSORSHIP 1. A criminal organization contacts the target organization and warns them of impending Denial of Service (DDoS) attacks if they do not cooperate. For online publishers and public-facing organizations, the demand may be po- litical in nature. For corporations, the demand may be for money. 2. If the organization refuses to cooperate, the extortionists stage a DDoS attack by renting a botnet service to provide the computing power 3. Depending on their security posture and resources, the target will experience down time on their public site in the worst case, or a financial loss of computing and human resources

#FollowTheProfit DIGITAL BAIT 16 UNDERSTANDING THE “CRIMEWARE” ECONOMY

At the heart of content thieves’ efforts is criminal underground economy are the online chat forums, exploitation of both the creator and consumer of where criminals buy and sell their wares. These fo- pirated content. rums can range from specialized “carding forums”— where criminals purchase or sell stolen credit “Crimeware” refers to software written for the cards—to full-fledged e-commerce sites. Before purpose of these criminal enterprises. To under- it was taken down, Silk Road made millions con- stand how it works and how such an operation can necting sellers of illegal drugs to interested buyers. achieve scale, it is important first to understand the In the post-Silk Road era, sites have emerged that basic infrastructure of the economy underpinning sell illegal and dangerous items all on one site—in- the Internet criminal underground that has devel- cluding illicit drugs, personal financial information, oped over the past fifteen years—which Digital Citi- weapons, and malware. zens calls the crimeware economy. As of August 2015, there were about 47 such on- THE DARKNET line markets.14 The majority of these sites are in the The DarkNet is the term commonly used to describe English language. There are also markets in French, the criminal underground that operates online out- Finnish, Italian, Polish, and Russian.15 A single card- side the public eye. It is made up of private forums, ing forum can have as many as 13,000 members “friend-to-friend” private networks, and anonymous with 4,000 daily visits and 20 sub-forums covering networks such as Tor that enable criminal activity a range of topics such as online security, tutorials, without fear of being identified. In that underground, carding, botnets, web design, and money launder- criminals buy and sell illegal wares including stolen ing.16 It is in these underground markets that hack- credit cards, personal information, drugs, and hu- ers peddle malware, exploits, botnets, etc. man trafficking. Payments are made using anonymous payment methods such as Bitcoin, Litecoin, THE PROFESSIONAL HACKER and Ripple12 that cannot be traced by law enforce- Modern hackers are professional, organized, and ment. In this environment, criminals have operated monetarily motivated. According to Marc Good- with impunity since the early 2000s. In the DarkNet, man, author of Future Crime, 80 percent of hackers there is a thriving market for crimeware. are affiliated with organized crime.17 As Goodman points out, this radical shift has led to the creation INSIDE THE DARKNET of increasingly sophisticated criminal organizations The DarkNet costs economies around the globe that operate with the professionalism, discipline, more than $300 billion per year.13 At the heart of the and structure of legitimate enterprises.

#FollowTheProfit DIGITAL BAIT 17 CRIMEWARE SPECIALIZATION ize in developing the malware that is installed on Like any market, the crimeware market has evolved consumer devices and sell it on the web. Another to reflect a division of labor. Within the DarkNet are organization will be responsible for distributing and dozens of unique product and services categories. installing the malware on consumer PCs or mobile Anyone from professional criminals to nation states devices. A third group that runs a forum might also can purchase Trojan malware, Exploit kits/packs, or purchase stolen consumer credentials and resell services such as dedicated hosting or Distributed them in the DarkNet. The ultimate buyer of the Denial-of-Service attack services.18 Many of these credentials plays the role of cashier to collect cash products and services come complete with service from the credentials by actually exploiting the bank agreements and money-back guarantees. or credit card accounts. Because of the role the DarkNet plays in facilitating anonymous communi- The DarkNet allows individual hacking groups to cation, none of these specialized groups ever has specialize in specific categories and to earn money to meet one another. This enables a very efficient for delivery of goods and services to other crim- market for crimeware developers and distributors. inals. For example, one organization may special-

#FollowTheProfit DIGITAL BAIT 18 PROFILE OF A CRIMEWARE DISTRIBUTION NETWORK

To better understand the economics and working the payout per user for the affiliate can be as high as relationships behind a typical crimeware distribu- $25 for each victim that ends up paying the ransom, tion network, RiskIQ sent covert agents into the which (as noted above) is typically $100-$500. DarkNet to research organized malware programs that exploited the content theft sites in the sample The PPI affiliate programs work in two ways: sites scanned in the earlier part of the study. hosting models and traffic models.

CRIMEWARE AND AFFILIATE PROGRAMS In a hosting model, the program provides the ma- Affiliate programs are the primary vehicle for licious download to the affiliate and relies on the affil- spreading programs like malware and adware via iate to generate installs. This means the affiliate is re- content theft sites. These programs are a common sponsible for (1) hosting the install, (2) creating a lure model in the advertising world. Typically, a malware to trick people into downloading it (such as codecs), publisher or affiliate joins an ad network that re- and (3) generating traffic to the download location. wards them on some type of “pay for performance” model. The two most common models are “Pay- Generally speaking, these types of programs are Per-Click,” where the advertiser pays an affiliate sophisticated and tightly guarded. For instance, a publisher for each user click on an ad, and “Pay-Per- program run by one of the world’s top spammers Action,” where the advertiser pays for a specific ac- will re-package their malware every few hours in tion such as filling out a form or making a purchase. order to avoid detection by anti-virus software. The In the world of advertising, there is a range of affil- affiliate is then responsible for constantly refreshing iate networks, some with high business standards, the install if they want to avoid having it flagged by and some that operate in gray areas. It is typical for anti-virus software. In fact, this malware affiliate pro- less reputable affiliate networks to offer same-day- gram is so strict that affiliates hosting old execut- payouts, which enable participants to join, engage able files that were flagged by anti-virus software in a questionable advertising campaign, and leave are expelled from the program. This particular pro- with their money in the same day. In the criminal gram is advertised only in Russian-language un- underground, crimeware distribution campaigns derground forums open only to vetted individuals; are commonly referred to as “Pay-Per-Install” (PPI) even then, the potential affiliates must also prove campaigns because they pay out for every mal- they have the ability to deliver traffic. ware installation that the publisher delivers. The traffic model, by contrast, relies on the affili- Affiliate programs offering a PPI model can pay ate to drive traffic to the page hosting the install that as little as five cents per install to as much as $2. was created by the program. Most of the affiliate For malware that involves secondary conversions, programs RiskIQ observed fell into this category. there is an additional source of revenue after the Media-related traffic is delivered via redirect links, user installs the malware. These include such popups and popunders. Most offer a movie down- schemes as Fake Anti-virus or Ransomware, where load as the lure to get consumers to unwittingly in-

#FollowTheProfit DIGITAL BAIT 19 stall an executable malware file. Each affiliate web Advertising Underground, which appears to be site is compensated for every malware install com- based in Russia, has a strong reputation and is pleted. recommended in the Russian underground community, because it pays out its affiliates in a timely The malware RiskIQ observed from these sourc- manner and converts traffic to installations at a high es tend to be adware or bloatware, which monitors rate. Advertising Underground mainly installs tool- traffic and slows down machines. And since many bars, torrent download clients, and games, which of these programs are for actual user-prompted are generally associated with adware, though more downloads, the operators also have the ability to trusted affiliates of Advertising Underground could control what people download, which can lead to be given sites with more malicious and lucrative in- more severe infections. stalls like ransomware.

HOW ONE AFFILIATE PROGRAM WORKS Advertising Underground’s program manag- RiskIQ identified one program in particular that was ers have acknowledged that it is involved in the very popular within the content theft community. spread of adware and other malicious programs. To protect sources, it is referred to it as Advertising When asked if VirusTotal—a leading malware and Underground (not its real name). anti-virus platform—will detect their malware, they respond that they frequently “clean” or repackage Advertising Underground was found in RiskIQ’s the installs to evade antivirus detection, just as the scans of content theft sites. It has been around affiliate program discussed above did. since 2009, a very long time for such a program, which is a testament to its durability and quality, Advertising Underground operates both in the En- and has been drawing a lot of attention lately in the glish and Russian languages and offers support and Russian underground. As is the case with other af- a personal manager. Potential affiliates are required filiate programs, Advertising Underground has used to contact them with their web sites and eventually different names and guises since 2009, which helps prove that they can deliver traffic. Following a chat it fly under the radar of law enforcement. over ICQ or Skype to vet potential affiliates, the affiliate must then prove their ability to deliver traffic to Advertising Underground.

#FollowTheProfit DIGITAL BAIT 20 »»Advertising Under- ground registration page

»»Torrent downloader from Advertising Underground using Captain America (in download box on the far right) as an enticement to install the program.

#FollowTheProfit DIGITAL BAIT 21 PAYOUTS However, some installs, such as the torrent Advertising Underground pays for each application downloader client described below, will earn an af- installed and appears to operate a traffic model. So filiate up to $2 per download. RiskIQ observed this it will provide the page with the install to which the download in the crawls as spottyfls.com, and it was affiliate drives traffic. They are not concerned with tied to the general-catalog.com home page. how the traffic is delivered to the page, except they explicitly prohibit spam traffic. The spottyfls.com torrent downloader is classified as adware by VirusTotal, and, since it controls Advertising Underground claims a conversion the users’ results, could be used to download more rate of 1 download for every 7 visits, and will pay 10 malicious programs in the form of torrents. cents U.S. per install in countries within the Com- monwealth of Independent States and up to 20 cents U.S. for installs in Western countries.

»»Screenshot of Spottyfls.com

»»VirusTotal Results for Spottyfls.com

#FollowTheProfit DIGITAL BAIT 22 AFFILIATE EARNINGS In one of the underground forum threads, one of According to Advertising Underground’s claims, one the affiliates claimed that Advertising Underground arm of Advertising Underground supposedly has generated 30,000 installs a day for him. Below are generated more than 150 million worldwide installs statistics from several users, whose earnings are since 2012 and is said to have paid out $12 million $200-600 a day from the affiliate program. to affiliates. Advertising Underground’s payout vehicles are Advertising Underground has been observed a further testament to their criminal purpose. Pay- reaching out to other pirated media sites that were ments to affiliate are only available via (1) WebMon- in the list of Sample Content Theft Sites to direct ey, which is one of the de facto means of payment traffic to theAdvertising Underground’s sites. in the criminal underground, (2) Epese, a Russian anonymous payment program, or (3) Western Union/MoneyGram.

»»Sample Advertising Un- derground chart showing payments to affiliates

»»Advertising Under- ground statistics 2

#FollowTheProfit DIGITAL BAIT 23 REVENUE MODEL

To better understand the incentives for distributing level of carryover in users across sites; however, Al- malware on content theft sites, RiskIQ calculated an exa does not measure de-duplicated visitors. estimate of the potential revenues these sites earn from malware. ESTIMATED INSTALL RATE It is difficult to estimate the actual install rate for PAY-PER-INSTALL RATES these malware exposures, as not every user’s sys- Estimates of Pay-Per-Install rates range widely in tem is vulnerable in the same ways, and not every crimeware research. Trend Micro found that the user clicks on the lure for user-initiated installs. In Russian Underground paid a range of 5-20 cents RiskIQ’s underground research, it found that the U.S. per install, depending on the target country.19 program profiled claimed a 1 in 7 conversion rate In RiskIQ’s research into Pay-Per-Install Programs, for traffic (15 percent). Therefore, RiskIQ used this it found an active affiliate campaign with typical number for the purposes of estimating revenue. mid-tier content theft sites offering 10-20 cents per install. The program profiled was well reviewed by REVENUE FROM MALWARE third party users, not just its own web site, and had Once malware is installed, there are ongoing ser- been in existence for some years. So, for the pur- vices that add to the total lifetime value of the poses of this model, RiskIQ used 15 cents as a con- malware installation. Consumer credentials har- servative average Pay-Per-Install rate to estimate vested by Trojans can be sold for $20-45 per user revenue. (although less than $10 if the market is flooded or the credentials are stale).20 Botnets can be rented ESTIMATED MALWARE EXPOSURES for up to $1,000 per hour for 10,000 U.S. comput- The subset of the 800 content theft sample group ers.21 Lastly, as mentioned earlier, Symantec found sites for which visitor statistics are available on Al- that the typical charge for a Ransomware clean up exa (n=229) average over 88 million U.S. users per is $100-$500.22 For the purposes of this study, Risk- month. Taking into account the sites’ average mal- IQ focused exclusively on the money earned from ware exposure rates indicates that an estimated 12 malware installations through content theft sites, million U.S. users were being exposed to malware not on the add-ons. each month from these sites. There is likely some

#FollowTheProfit DIGITAL BAIT 24 ESTIMATING POTENTIAL MALWARE-RELATED REVENUE Combining these estimates leads us to calculate that the operators of the sample of content theft sites studied with Alexa visitor data (n=229) are generating roughly $3.3 million in revenue per year:

12.2 MILLION Monthly U.S. Users Exposed to Malware (for Sample Group Sites with Alexa User Data) X 15 PERCENT Estimated Install Rate X 15 CENTS Pay-Per-Install Rate

= $274,500 Monthly Revenue = $3.3 MILLION Estimated Annual Revenue

This estimate has some limitations as previously described, but is within range of similar research studies on the economics of malware. For example, in 2012, Symantec found a group of sites running Pay-Per-In- stall malware campaigns where the top site was earning more than $200,000 per year. This figure is in line with the data from our study, where only three exceptional sites are estimated to earn more than this figure.

Again, our estimate above is only for a small sample of sites. There are 4,865 sites in the Google Trans- parency Report that received 1,000 or more copyright infringing URL removal requests in the year pre- ceding this analysis. Projecting the earnings from the 229 sites in the sample group to this broader universe suggests that these content theft sites may be generating roughly $70 million in revenue per year:

($3.3 MILLION Estimated Annual Revenue for 229 Sample Group Sites ÷ 229 Sample Group Sites) X 4,865 Sites w. 1,000 or more copyright infringing URL removal requests in the past year

= $70 MILLION Estimated Annual Revenue

These assumptions are conservative in two respects. First, they do not take into consideration malware income from any of the many thousands of content theft sites that receive less than 1,000 notices per year. Because the malware rates across content theft sites are relatively constant regardless of size (7-9%), this may be a considerable sum. Second, they do not take into consideration the “add-ons” that content sites can earn from peddling malware.

While this is a rough estimate limited by the lack of comprehensive visitation data, it is easy to see that malware and content theft work together as a big business for the organizations behind them. Add to this estimate the obvious potential for additional revenue once the malware is installed, and it is easy to see that this is an industry that can generate hundreds of millions of dollars for the criminals behind it, at the expense of consumers, advertisers, and society.

#FollowTheProfit DIGITAL BAIT 25 CONCLUSION

For the last two decades, content theft has largely But the consumer who goes to a content theft site been an issue for creators who were denied com- is paying someone—not the creator of the content, pensation and credit for their work. But RiskIQ’s re- and not just money—they may also be giving up search has revealed that cybercriminals have ex- their user identity, access to their financial informa- panded the group of victims to include the hundreds tion or control of their computer. It’s a great deal for of millions of Internet users who go online each day the cybercriminal, and it leaves millions of Internet looking for high-quality content free or cheap. users victimized and wondering “what happened?”

By dangling such content as bait, criminals lure It is not fair or reasonable to expect Internet users in unsuspecting users and infect their computers. to understand all these risks because the Internet is In doing so, these criminals are exploiting a lack of an impossibly complex ecosystem. But it does un- understanding and awareness among users about derscore the importance of education campaigns the risks that visiting shady websites can pose. to raise awareness about the threats and how to avoid them. There is an adage from the Watergate era: “Fol- low the money.” It is clear why cybercriminals have This report should compel law enforcement au- targeted consumers. They present an enormous thorities to devote more attention and resources to potential windfall to scam and cheat. And it can be tracking and apprehending global cybercriminals done relatively inexpensively through malware and who operate in the shadows and put so many Inter- other viruses. net users in harm’s way.

Over the last few years, significant breaches in And it is incumbent upon our leading digital plat- the customer databases of high-profile companies forms and financial facilitators to ensure that they have created greater awareness about the need for are not aiding cybercriminals. That means chok- cyber security. The threat of content theft and mal- ing cybercriminals at their key points: how they are ware must be part of that conversation. found (search engines) and how they bank their ill-gotten gains. For consumers, it comes down to another adage: “If it seems too good to be true, it is.” The delivery With this report, Digital Citizens hopes to help of content—whether radio programs long ago or Internet users—even those who have no care or movies and TV series and sports now—has always respect for creators who are victimized by con- been based on some transaction that provides a tent theft—understand that there are more victims reward for the content provider—that is the creative than they may think . . . and some of them are incentive, and was most frequently funded by ad right there in the mirror. revenues or a monthly subscription payment.

#FollowTheProfit DIGITAL BAIT 26 ABOUT DIGITAL CITIZENS ALLIANCE

The Digital Citizens Alliance is a nonprofit, 501(c)(6) organization that is a consumer- oriented coalition focused on educating the public and policymakers on the threats that consumers face on the Internet. Digital Citizens wants to create a dialogue on the importance for Internet stakeholders— individuals, government, and industry—to make the Web a safer place.

This is the fourth report in which Digital Citizens has studied content theft sites. In 2014 and 2015, Digital Citizens released its “Good Money Gone Bad” reports looking at the revenues of ad-supported content theft websites. Also in 2014, Digital Citizens published “Behind the Cyberlocker Door: A Report on How Shadowy Cyberlocker Businesses Use Credit Card Companies to Make Millions” which broke down the profits and operating costs of the largest cy- berlockers.

Based in Washington, DC, the Digital Citizens Alliance counts among its supporters: private citizens, the health, pharmaceutical and creative industries as well as online safety experts and other communities focused on Internet safety. Visit us at digitalcitizensalliance.org.

#FollowTheProfit DIGITAL BAIT 27 ABOUT RISKIQ

OUR MISSION RiskIQ solves the problem of collecting and analyzing Internet-scale data. It enables security teams to expand their security program outside the firewall. Our technology addresses the growing challenge of external threats targeting the enterprise, its customers and employees.

RiskIQ is designed to detect threats that corrupt the core tenets of the In- ternet—the principles of open standards and information sharing—to extort, scam, invade systems and infect its users. Our mission is to provide web-scale detection to the people responsible for protecting their business against the threats that exist outside of the firewall.

OUR STORY From the beginning, RiskIQ sought to solve the complex issues security professionals face. RiskIQ saw firsthand how the emergence of the Internet as the primary place for companies to do business also made it the ideal launch- ing pad for malicious attacks. As security professionals build up their firewall technology in an effort to shield their companies, their greatest vulnerability continues to be outside the firewall, on the Internet, where their web sites and apps live.

At RiskIQ, we’ve taken a unique approach to security by creating a user-emulating security management technology that monitors the entire web and mobile attack surface from the outside in. We’re the only company that sees the Internet from the perspective of the browsing public. Our intelligent software outwits the smartest adversaries by seeing what traditional malware scanners can’t—even the assets our customers did not even know existed.

By empowering security teams with the ability to see what their web and mobile assets are currently serving to the public from the perspective of their users, organizations can take control of their security program outside their firewall.

At RiskIQ, we believe that knowing is the best defense.

RiskIQ was founded in 2008 and is based in San Francisco.

#FollowTheProfit DIGITAL BAIT 28 APPENDIX

APPENDIX ITEMS List of Sites in Study

CONTROL Alexa Sites fin-5.ru pray-as-you-go.org starwoodhotels.com akita-pu.ac.jp flydata.com premiers.ae storefeeder.com al-7up.com forever21.co.kr presentation7.com studential.com altaif.org francecars.fr pro-touring.com submitrelevantsites.com anvelope-autobon.ro freesearch.co.uk progressplay.net surveyexpression.com artinsight.co.kr garden-garden.biz pronostici-oggi.it syx.com atastylovestory.com ggsupplies.com purewatercare.com tabiulala.com avforums.com giethoorn.com radiusbank.com teamlbi.net betpasnews.com gongye360.com real-sex-partners.com telepacific.com bilgievi.gen.tr healingxchange.com redwoodhill.com thebittersideofsweet.com bmwe34club.com hepsi1arada.com reinsightdata.com thecloudoffers.co.uk bogds.in herbalife.com.tw resepmasakanpedia.com tintint.com bossmp3.mywapblog.com homespakistan.com rheinbahn.de torturegalaxy.com bursarestaurant.com hotelhotel.com rsipa.net tritmonk.com buygoldandsilversafely. intermonitor.ru rv-max.com tuljo.com com irananimations.ir sacem.fr tungstencopper.net cesegypt.com iranmilre.com saji.my twistyscash.com cheki.com.ng kiabi.nl samotur.ru uchealth.org chinacmb.com.cn kinkireins.or.jp scarcitybuilder.com uninsubria.it comfiibags.com kinoboh.ru selcukecza.com.tr unioneprofessionisti.com comtalks.com lorraine.eu selector-wixoss.com universalsewing.com coolmath.com mailtester.com sengokuixa.jp urbanwearables.technol- corlad-piura.com manastir-lepavina.org shairy.com ogy corobori.com michoacaninformativo.com shivkhera.com urlaubmachtspass.com cyprustimes.com miragro.com shopazamerica.com.br urpitrek.com dahlias.com moneysoldiers.com shopsomething.com uzeyirdogan.com daily-news.it murahstore.com shopxml.com/user/or- viel-unterwegs.de digimantra.com muskiportal.com der_stat vlogit.fi diskonaja.com netflixroulette.net showyu.net.cn vodovoz.ru dls.ua optionpipsincome.com skidkimira.ru weac.org domainsa.com paavai.edu.in sluhealth.org wenxuecity.com ecosupp.co.il parkson.com.my smaatware.com wetshop.com.br eropartner.com pharmaceutical-equip- smartben.com wholesaletrade.co.in essence-beautyfriends.eu ment.com sneak-a-venue.de wikipower.ru etradebill.co.kr phpstate.com snu.kr worldlink.com.np extremetube.com poimap.com softicons.com wpteq.org eyecancer.com popmech.ru solar-eyes.net yquem.fr fbf.org.br portaldefacturas.com sosyalreklamci.com zdravnsk.ru febalcasa.com postroiv.ru spring.me

Where to Watch Sites cbs.com fan.tv hgtv.com acorn.tv cc.com fandor.com history.com adultswim.com cmt.com filmfresh.com hitbliss.com aetv.com crackle.com flixhouse.com hulu.com amazon.com cwtv.com flixster.com imdb.com animalplanet.com daystar.com fox.com indieflix.com apple.com directv.com fxnetworks.com indiepixunlimited.com bet.com dishanywhere.com gowatchit.com instant.warnerarchive.com blockbusternow.com disney.com guidebox.com jaman.com bravotv.com dramafever.com hallmarkspiritclips.com jinni.com cartoonnetwork.com epixhd.com hbogo.com kidoodle.tv

#FollowTheProfit DIGITAL BAIT 29 livewellnetwork.com paramountmovies.com syfy.com verizon.com locatetv.com pbskids.org targetticket.com vh1.com maxgo.com play.google.com tbs.com video.pbs.org mediatogo.thewb.com playstation.com televisor.com videostore.bhn.rr.com mgo.com popcornflix.com tntdrama.com viewster.com movies.com qello.com toysrus.com vudu.com movievisor.com reelhouse.org trutv.com watchi.ly mtv.com shoutfactorytv.com tubitv.com watchitstream.com mubi.com showtimeanytime.com tv.com wolfeondemand.muvies. mylifetime.com smartreplay.com tv.esquire.com com nationalgeographic.com snagfilms.com tvguide.com yeahtv.com nbc.com sonyentertainmentnet- tvland.com yidio.com netflix.com work.com us.cinemanow.com youtube.com nextguide.tv spike.com usanetwork.com zap2it.com nick.com starzplay.com uverse.com

SAMPLE CONTENT THEFT GROUP

- Notorious Markets - ex.ua myfreemp3.cc torrentz.in 4shared.com extratorrent.cc myfreemp3.eu torrentz.me baixeturbo.org filestube.com nakido.com tucows.com bajui.com free-tv-video-online.me novamov.com uploaded.net beemp3.com free-tv-video.me nowvideo.sx vk.com bitsnoop.com gigabytesistemas.com putlocker.is vkontakte.com catshare.net gosong.net rapidgator.net vmusice.net chomikuj.pl hardstore.com rapidlibrary.com weblagu.com cuevana.tv kickass.to rutracker.org yts.re darkwarez.pl molten-wow.com seedpeer.me zimuzu.tv downloads.nl mp3juices.com thepiratebay.se zing.vn e-nuc.com mrtzcmp3.net torrentz.ch zippyshare.com elitetorrent.com muzofon.com torrentz.eu

1) Top 3rd GTR bayproxy.org extabit.com freemp3like.com 2download.org baytorrent.eu extendify.com freemp3x.com 2shared.com bittorrent.pm extratorrent.com fullsongs.net 3k0.me blupaw.net extratorrent.ee general-files.com 4fun.cc brmlab.cz fattylewis.com genteflow.com 4shared-musica.com bthunter.org fenopy.eu getpirate.com 4shared.net cloud-vibe.com file7file.com gooddrama.net 5gg.biz come.in filecatch.com grooveshark.com 5mp3.org condorr.at filehound.co.uk h33tmirror.co 88torrent.com datafile.com fileom.com h33tunblocked.co adobetorrentz.berlin deliciousmanga.com filepost.com hdspot.net alexandrebonhomme.fr demonoid.ph filesborn.com hellshare.com all-torrents.eu demonoid.pw fileshark.pl hotfilesearch.com allmyvideos.net dizzcloud.com fileshut.com houndmirror.com animea.net dl4all.com filesonic.com hugefiles.net arnaudcornu.com dotpirate.me filesonicsearch.com hulkshare.com baseofmp3.com download-music.lt filesoup.com ilikerainbows.co battleit.ee downloadnow.net firedrive.com index-of-mp3.com baymirror.com downloadonlinemp3.com forumophilia.com irfree.net bayproxy.com downloadunit.com forumwizard.net itemvn.com bayproxy.me drumscum.be free-albums.net kat.gs bayproxy.nl emp3world.so freemp3in.com kat.works

#FollowTheProfit DIGITAL BAIT 30 kat.yt mp3-vip.org piratenpartij.nl torrentbit.net katmirror.com mp3c.cc piratepc.org torrenticity.com ketomob.com mp3facebook.com pirateproxy.net torrentkitty.com kickass.pw mp3forte.com pirateproxybay.org torrentportal.com kickass.so mp3joy.net pirati.cz torrentproject.org kickasstor.net mp3juices.to planetsuzy.org torrentproject.se kickasstorrent.rocks mp3sale.ru poisk-mp3.com torrentz.ms kickasstorrents.com mp3searchy.com proxicity.info torrentz.to kickasstorrents.in mp3sfinder.com proxy-bay.com tosarang.net kickasstorrents.link mp3skull.fm proxybay.ca tpb.gr kickasstorrents.rocks mp3stahuj.cz proxybay.de tpb.lt kickassunblock.com mp3truck.com proxybay.in tpb.me kickassunblock.info mp3tx.com proxybay.link tpbpirate.tk kickassunblock.net mp3vip.org proxytank.com tpbproxy.eu kset.kz mp3wm.com quluxingba.info tpbunblocked.me kuiken.co mp3ye.eu rapid4me.com tv-shuffle.ch labaia.in mp3yeah.com readmanga.eu uhd-downloads.eu lanunbay.org mp3ylp.com readpanda.net ulub.pl limetor.com musicaddict.com rnb4u.in unblocked-piratebay.com livepirate.com musicatono.com rootmob.org unblocked2.bz lumfile.com mybay.pw sciagara.pl unlocktorrent.com majaa.net myfree.cc searchdepositfiles.com uploadable.ch mangabase.co myfreemp3.biz sharedir.com uploading.com mangable.com myfreemp3.co skit.org.ua uptobox.com mangabro.com myfreemp3x.com sockshare.com vemium.com mangaeden.com myfreesongs.cc songs.to vibe3.com mangago.com mymp3site.cf su7.info vibeclouds.net mangahit.com mypiratebay.cl sumotorrent.sx wapdam.net mangajoy.com no-ip.biz teluga.com waptrick.io mangapark.com noflag.org.uk thedutchbay.nl warez-bb.org mangapark.me nowvideo.eu thegorillanetwork.com warezrocker.info mangasee.co oostingwebdesign.nl thehotfilesearch.com watch-series.ag mangasee.com org-proxy.com thepiratebay.hk watchtvseries.ch mangasky.co piratebay.me.uk thepiratebay.org.es wbruder.eu mangatank.com piratebay1.com thepiratebay.uno welovetpb.com mangawindow.com piratebayalternate.in thepromobay.co.uk worldoffiles.net mediafiredownloads.net piratebaybyproxy.com tinydl.com wrzuta.pl mnova.eu piratebaymirror.me tnttorrent.info wupload.com monova.org piratebaysafe.me topboard.org zamob.com movie2k.to piratebayunion.com torrent.pm zwarez.net movie4k.to pirateflix.info torrentbar.com

2) Middle 3rd GTR aodown.com byte.to downvv.eu 0daydownloads.com asfile.com comfishfilmfest.com easybytez.com 100500mp3.com astroddl.com crazy-manga.com egexa.re 100torrent.com audiocastle.net crocko.com egotorrent.com 1080p-torrents.info audiovhod.net daclips.in egydown.com 4songs.pk bayproxy.net dadazee.com epubbud.com 720p-torrents.org baytorrent.nl dailymotion.com esmangaonline.com 720pdownload.net bestliens.com dbpotato.net esoft.in 720pdownloads.eu big.az ddlstorage.com etorrent.co.kr 7797.info bloglovin.com demonoid.mk eval.hu a6point.net boerse.bz desirulez.net exashare.com alquz.com booksee.org dmart.vn expresshare.com anime-media.com btbook.net downturk.biz extratorrent.be animehere.com btstorrent.so downturk.net eyeonmanga.com

#FollowTheProfit DIGITAL BAIT 31 fastshare.cz linkforums.com music-bazaar.com subscene.com fc2.com manga2u.co musica-descargar.net telecharger-tout.com filecrop.com mangababy.com musicov.net thebay.ws fileprox.com mangahere.com muz-muz.net thebestfiles.net filesloop.com mangapill.com muzbaron.com thefastbay.com finz.ru mangaru.me muzico.ru thefile.me floads.com mangasee.me muzikfiendz.net thehydra.ru freedisc.pl mangatown.com muzofun.net thepiratebay.asia freedl2u.me mcanime.net muzogig.net thepiratebay.to freemp3.fm menthix.net muzonka.com theproxybay.net freemp3go.com mertada.com mypirateproxy.com thevoidgroup.co.uk freemuzichka.com mfile.org myvi.ru tinydl.eu freshwap.net miloman.net myzlo.info tmanga.com fullhd-download.net mixpromo.ru nexusddl.com tnt24.info general-catalog.com mixupload.org nhaccuatui.com tobrut.com general-file.com mmangareader.com nyaa.moe torrentba.com go4up.com mngacow.com onlinepk.net torrentcd.org godht.com mobiles24.com onmanga.net torrentdownloads.ee gratismp3x.com mobiletorrents.in ororo.tv torrentplay.org haobt.net monovaproxy.com pfv.xyz torrentroom.net hipfile.com mp3-center.org piratebaymirror.net torrentsdownload.eu host4file.net mp3ale.biz pirateparty.be torrentszona.com hotnewhiphop.com mp3bon.com portalxd.com torrenty.pl hunt4tunes.com mp3chunk.com precyl.com torrentz.cc icyboy.com mp3clan.nl primewire.ag torrentz.com interflective.com mp3crop.net proxypirate.eu torrentz.hk isohunt.rocks mp3crop.org readingmanga.com torrentz.mx isohunt.tf mp3cube.net readmanga.today torrentz.st isohunters.net mp3dict.com reptilesound.com torrindex.info isohuntproxy.net mp3enter.net rghost.net tpbproxy.nl isotorrentz.net mp3fil.info rockdizfile.com tubeplus.me iuvip.com mp3fire.me rus.ec tubidymp3s.com jetdl.com mp3ili.net rutube.ru tunisia-forum.com just4freeplanet.com mp3kiss.com sceper.ws ultimatez.net kat-proxy.net mp3lemon.ws scnsrc.me umorina.info kat.tf mp3limon.info searchizz.com unb7.com katmirror.link mp3limone.net searchonzippy.com unblocked.bz katproxy.co mp3oak.com seed2peer.com unblocked3.co katproxy.link mp3poty.com sharedmusic.net uploadc.com keep2s.cc mp3ska.com sharesix.com upstore.net kenitra.biz mp3skull.co sharingforums.net uyurgezer.net kickass.casa mp3skull.im sis001.com vibecloud.net kickass.rip mp3songspk.pk smartorrent.com waptrick.mobi kickassbittorrent.link mp3strana.com solarmovie.so waptrick.us ladytorrent.org mp3troll.com solidfiles.com xoofoo.org libgen.info mp3tusovka.com soudoc.com xtragfx.com limetor.org mp3world.mobi stagetorrentz.ru your360stop.com limetorrenturl.com mp3xd.com stop-mp3.com zimabdk.com linexdown.net mus.ge submanga2.com

3) Bottom 3rd GTR 1080p-torrents.org 40mp3.com 7dayz.org 1080p-download.eu 1080p.casa 720p-download.eu 7ibt.com 1080p-torrent.casa 1080ptorrents.casa 720p-torrent.info abu.se.net 1080p-torrent.ml 2drive.net 720p-torrent.net adamp3.com 1080p-torrent.work 3asq.com 720p-torrents.info adqtzf.org 1080p-torrents.eu 3tig.com 720ptorrent.net anime-sub.com

#FollowTheProfit DIGITAL BAIT 32 anime4fun.com euro-share.com melodycenta.com solarmovie.is animecrazy.net extremefile.com mixmp3.net songily.com animefactor.com exvagos.com moodyz.org songsko.com animeflicks.net fastpic.ru moviedox.org sooshare.eu animeget.com fileboom.me moviestorm.eu stagetorrents2.net animeonhand.com filedust.net movshare.me studentsharez.com animesnipe.com files2share.ch mp3boo.me submanga.com animesstream.net filespr.net mp3juices.is super-mp3.com animexhibit.com filesresidence.com mp3mixx.com symbianpinoy.com animez.ws filezoo.com mp3s.vet syria4soft.com ant3rame.com filmovizija.com mp3sk.org t411.io anysoup.ru foundsuccess5.ru mp3time.com taobao.com ardent-desire.com freetorr.com mp3title.com the-proxy-bay.com audioz.eu full-hd-torrent.org mp3tridi.com thedarewall.com bato.to full-hd.link multifilesfind.net thegamepirate.com bestsoftfull.com gfx4you.com music22.net themusicbay.com bitseek.eu gfxmore.biz music88.net thepiratebay.click bluemirrow.com golink.org musicville.fm thepiratebay.de.com bmp3z.com goodanime.net myanime.me thepiratebay.vu boardmp3.com gratispeliculas.org mydnspro.net theresistanceseries.com bt-chat.com grifthost.com myfreesong.eu theunblockedbay.info btku.org hd-torrent.link narutomanga.cz thisdown.org bucketgnome.com hdtorrent.info niceoppai.net tohari.com burning-seri.es hol.es nntt.org tor-finder.org byhero.biz hotne.ws nowdownload.at torcatch.net cloudyvideos.com hydrabay.net nowvideo.co torhub.net comeze.com iamtherealnick5.ru nulledweb.com torrentcrazyunblocked.co cryptostorm.is igla-msk.ru onepieceanime.net torrentino.ru cyberpirate.me imagefap.com onepieceofbleach.com torrentz.la czshare.com imastudios.com oyuncehennemi.com torsky.org depiratenbay.be imgserve.net oze.wang torzila.com desitvforum.net indiahdtv.com pantipnews.com turkoplus.biz devxstudis.org jackmp3s.com partidopirata.com.ar tz.ai dilsekerodosti.com jjkko.cc pinoyanime.tv unbanthe.com directbigboobsreloaded. jopterhorst.nl piratebaytorrents.info unblocked.casa net justseries.tv pirateproxy.link uploadboy.com djlist.org kat1080p.net playgoogle.name uploadto.us dl4all.ws katzzz.com poiskmp3.org userscloud.com dl4hot.com kickass.pm portalnet.cl videoweed.com dlbot.net kickasstorrents.agency pp22pp.com vincent-shorette.com dltobe.cc kickasstorrentz.net purevid.com vitorrent.co dltobe.me kimsufi.com putlocker.ws vn-zoom.com docin.com kinokopilka.tv rapidareena.com vodly.to downdlz.biz krazymp3z.com rapidmoviez.org wallovenswarmingdraw- downdlz.com lagukane.com rapidpich.ir ers.com downloadtorrent.me lecture-en-ligne.com rbt.xyz warezforest.com downmusicas.net lekud.com redbunker.net websitedesignecom- downserv.com leuyvo.info rsmoviedownloads.com merces.com dvdrip.casa link2dwn.com scamfraudripoff.com wootmanga.com e2u.me link4file.com scaminformer.com worldofscan.info easy-share.com linkfiles.nl seasonwars.com wtorrent.org ebooklink.net linkleak.se seed2peer.us xvidstage.com egyptfans.net live-down.com sfshare.se yadisc.ru elakiri.lk lnkdl.com site90.com yallarab.com elitetorrent.to mangabull.com smiling-dream.info zapto.org epdrama.com mangaspoon.com smoz.ru zippyon.org erwap.com mangatrend.com softarchi.com etproxy.com manydl.net sogou.com

#FollowTheProfit DIGITAL BAIT 33 REFERENCES

1 “Markets for Cybercrime Tools and Stolen Data”, Rand National Security Research Division, 2014. 2 “16.6 Million People Experienced Identity Theft In 2012”. Bureau of Justice. (2012).

3 “Online Exposure” Consumer Reports June, 2011. 4 “Internet Security Threat Report” Symantec April 2015. 5 “Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes” Federal Bureau of Investigation June 2015. 6 “Russian Underground Revisited” Trend Micro 2014. 7 “What is an untrustworthy supply chain costing the US digital advertising industry?” Interactive Advertising Bureau (IAB) and EY November 2015.

8 “2015 Ad Blocking Report” Adobe and PageFair August 10, 2015. 9 “Ad Blocking is Every Publisher’s Problem Now” Digiday April 8. 2015. 10 “How Much Does a Botnet Cost?” ThreatPost February 28, 2013. 11 “Nine bad botnets and the damage they did” We Live Security February 25, 2015. 12 “Five Alternatives to BitCoin” We Live Security March 5, 2015. 13 “The Economic Impact Of Cybercrime And Cyber Espionage” McAfee July 2013. 14 “Updated: List of Dark Net Markets (Tor & I2P)” DeepDotWeb October 28, 2013. 15 “Updated: List of Dark Net Markets (Tor & I2P)” DeepDotWeb October 28, 2013. 16 “Internet Organised Crime Assessment Report (IOCTA)” Europol September 29, 2014. 17 Goodman, Marc. Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and What We Can Do About It DoubleDay, February 24, 2015.

18 Goodman, Marc. Future Crimes: Everything Is Connected, Everyone Is Vulnerable, and What We Can Do About It DoubleDay, February 24, 2015.

19 “Russian Underground Revisited” Trend Micro 2014. 20 “Markets for Cybercrime Tools and Stolen Data”, Rand National Security Research Division, 2014.

21 “How Much Does a Botnet Cost?” ThreatPost February 28, 2013. 22 “Internet Security Threat Report” Symantec April 2015.

#FollowTheProfit DIGITAL BAIT 34 @4saferinternet

@RiskIQ

#FollowTheProfit