Investigation: Pirate sites pose malware risk
September 16, 2022
By Colin Mann
Visitors to piracy sites are bombarded with malicious ads that use scare tactics to trick them into downloading malware, including ransomware that takes over files to force victims to pay to regain access, a joint investigation by the Digital Citizens Alliance, White Bullet, and Unit 221B has found. The investigation also found that these malicious ads, called malvertising, are often enabled by ad intermediary companies that promote scare tactics and other dubious means to trick or entice users to click on dangerous ads.
The Unholy Triangle report highlights how piracy operators, malvertisers, and ad intermediaries profit off Internet users lured to suspect sites by the prospect of free content. The starkest example of the cyber threat was a ransomware attack that occurred during a visit to a piracy site. Investigators were prompted to click on an ad – but instead found their files locked up, followed by a demand to make a payment to regain access: “All your files like pictures, databases, documents, and other important [sic] are encrypted with [sic] strongest encryption and unique key…. Please note that you will never restore your data without payment.”
“Ransomware is the most serious cyber threat that consumers, small businesses, governments, and corporations face,” warns Tom Galvin, executive director of the Digital Citizens Alliance, a US coalition focused on educating the public and policymakers on the threats that consumers face on the Internet. “The revelations that piracy operators, malvertisers, and ad intermediaries are profiting by harming Internet users is a wake-up call that we need a concerted and coordinated response to combat this growing threat.”
Previous Digital Citizens Alliance research estimates piracy is a $2 billion-plus ecosystem fuelled by illicit access to movies, TV shows, and live entertainment. While investigations have previously shown how piracy is used to infect devices, the Unholy Triangle report is the first to detail the relationship between piracy operators, malvertisers, and certain players in the ad intermediary ecosystem.
Digital Citizens, piracy advertising expert White Bullet, and cybersecurity firm Unit 221B undertook a months-long investigation that analysed thousands of piracy sites, including well-known platforms such as Fmovies[.]to, Myflixer[.]to, and Dramacool9[.]co. The groups then conducted an in-depth analysis of advertising and threats on the most-visited piracy sites or those that had the most malvertising.
The investigation, conducted over the last several months, found:
- Piracy operators generate at least an estimated $121 million in revenues by allowing malvertisers to victimise their users. Beyond ransomware, investigators found malicious ads containing malware that seeks access to a user’s device to steal banking information, download spyware to track a user’s activities, or flag the device for a future attack.
- Malvertising generates enormous revenue for piracy operators. Malvertising accounted for 12 per cent of the total ads on piracy sites. More than half of the $121 million generated ($68.3 million) came from US visits to these sites – suggesting that US Internet users are especially at risk.
- Malvertising is widespread on piracy sites. Nearly 80 per cent of pirate sites served up malware-ridden ads to their users. And the volume of malvertising targeting pirate-site users is significant. Visitors to piracy sites faced an estimated 321 million ads designed to harm them.
- Instead of prohibiting harmful content, some ad intermediaries are willing to facilitate campaigns involving blatantly misleading ads, such as a false claim that the user has a computer virus, or coach illicit actors on effective tactics to frighten or otherwise entice users to click on ads.
  In one example, investigators approached ad intermediary RichAds to see if it would approve a proposed ad clearly designed to deceive users. RichAds approved it even though the ad falsely warned users that their device had a virus to trick them into downloading ‘a security tool’ that is malware.
- While not every visit to a piracy site results in malware, the investigation found that, on average, one in six visits to a piracy site leads to an attempt to serve malware.
- As a follow-up to the report, a Digital Citizens survey found that Americans who visit piracy sites are two to three times more likely to report an issue with malware than those who say they haven’t visited these sites.
“This report confirms what content owners have suspected for years – that using piracy services is likely to harm consumers through malware infection,” notes Peter Szyszko, CEO and founder of White Bullet. “We collect vast amounts of advertising data on piracy services and track its value. Clearly it is not just brands who are to blame for funding piracy through ad placement; ad tech companies need to be vigilant about where they place ads and the type of ads they accept. Piracy services seek to make as much money as possible – whether from legitimate but misplaced ads or from malicious actors. The ad industry needs to stop funding piracy, or, as we can now see, content owners and consumers all suffer.”
“The level of deception on pirate movie sites is alarming,” declares Shaun Gallagher, Chief Technology Officer at Unit 221B. “Threat actors with ties to Russia are using these sites to prey on American consumers. These malware pushers grab every ounce of profit they can with no regard for the damage they cause. A couple innocent clicks could lead to a severe violation of privacy and cost hundreds of dollars, as consumers are bombarded with malicious ads containing ransomware and adware.”