The conventional wisdom about there being no such thing as a free lunch appears to be especially true for those visiting websites offering "free" (read: pirated) movies, TV shows, and other entertainment content.
A joint investigation by the consumer-oriented Digital Citizens Alliance, piracy and brand protection firm White Bullet, and security firm 221B found that most pirate sites generate a substantial portion of their revenues from serving malware-infused ads on the systems of users who visit them.
Many of the advertisers use fear tactics — of a malware infection, for instance — or messages conveying the need for a user to update their antivirus or other software, to try and deceive users into clicking on a malicious ad. The ads are often served as pop-ups or in so-called pop-under fashion behind a browser window. Users who click on the advertisements can often end up downloading ransomware, spyware for tracking their activities, and malware for stealing banking credentials or for bookmarking their compromised system for a future attack.
Not Just a Consumer-Oriented Threat
The threat might appear primarily consumer-oriented on the surface, but in an era in which many employees are working from home — often using unmanaged devices and poorly secured networks — what happens on a consumer device can easily spill over into enterprise environments as well.
"The report's findings show that deceptive ads on piracy sites are driving the spread of malware, including ransomware attacks," says Tom Galvin, executive director of Digital Citizens Alliance. That should be a matter of concern to enterprises that have workers splitting their time between an office and home, he notes.
For such workers, the division between when they are working or playing is increasingly blurred, Galvin says.
"Given that the ads on piracy websites condition visitors to change their device settings to get access to what they want, that poses risks to enterprises," he says. "Workers visiting a piracy website could end up with their device breached, exposing the company to ransomware attacks or risk exposure to confidential information."
The collaborative investigation by Digital Citizens Alliance, White Bullet, and 221B showed that on average, 12% of the ads on websites serving pirated entertainment are malicious ads that generate a minimum of $121 million annually in revenues for the site operator.
More than half of those revenues, or some $68 million, come from malicious advertisements served to US-based visitors to these sites. The research showed that the top websites that offer pirated and stolen content are raking in $1.08 billion in annual ad revenues.
Pirating & Malware: A Willing Alliance
In many instances, the researchers found ad intermediaries actively facilitating ad placement on pirated sites even though they knew the advertisements were weaponized with different kinds of malware.
The new investigation showed that sites offering pirated content can sometimes profit from legitimate ads on their sites, but instances of ads for reputable companies landing on pirate sites are decreasing because of initiatives that the ad industry has launched in recent years.
One of the most significant efforts to reduce revenues from legitimate ads for pirate site owners is being spearheaded by a group called the Trustworthy Accountability Group, according to the joint report: "As those efforts have succeeded in reducing revenue from legitimate advertisers, pirate operators appear to be increasingly turning to malvertising facilitated by the bottom feeders of the advertising ecosystem," the report noted.
Pop-under ads, through which malicious activity is hidden under content that a user might expect to see, are particularly lucrative for piracy site operators. These ads accounted for $88 million of the average $121 million in revenues the site operators generate. Click-to-play ads, where users are tricked into clicking on something to stream content, is another favorite tactic and accounts for $21 millions in revenues.
Cyber-Risks With the New Normal
The new normal of people working from home has created a target-rich environment for criminals seeking to breach computers, Galvin says. "They may be a consumer one minute and working on behalf of their organization the next," he says. Piracy and specifically many of malicious ads that appear on the sites are crafted to trick users to taking steps that lead to their devices being infected.
"Once that happens, it doesn't matter. Whatever information is on that device is the target of these illicit actors," he warns. "This should be a concern for corporations, nonprofit organizations, and governments that face the growing threat of cyberattack."