SAN FRANCISCO — Hackers are uploading videos to YouTube showing people how to break into computers remotely — making money not only from selling hacking tools but also from Google Ads that run alongside the videos, according to a report published Wednesday by Digital Citizens Alliance, a Washington, DC-based NGO.
"Everything we found in the report we found in the clear, open web," Adam Benson, Deputy Executive Director of Digital Citizens Alliance, told BuzzFeed News. "These aren't some dark, hard to find forums teaching people how to invade your privacy. These are things that are now out in the open with Youtube. They are mainstream."
YouTube, which is owned by Google, also makes a profit from these tutorials — despite their illegal content. The report found that "roughly 38 percent of the video tutorials for the best-known RATs had advertisements running alongside the videos." Google gets most of the revenue from the ads, with a portion going to whoever posts the videos, based on views. As the process of remotely hijacking a computer becomes easier (and cheaper) to carry out, it has risen in popularity, according to the report.
YouTube accounts with names like Sausarge and TheBroBro have uploaded dozens of videos, contributing to the thousands of tutorials the report says are uploaded annually to guide anyone willing to listen on how to hijack a computer. While some feature just a run-through of the methods, most include a few seconds sample of footage they have recorded off a webcam — often a shot of young girl in her pajamas, or a teen playing with her hair while staring into her webcam. The hackers who do this use a remote administration tool (RAT) and are called "ratters." The method is so simple that a 7-minute YouTube video can teach anyone with the most basic computer skills how to purchase and use the software, the Digital Citizens Alliance said. It's also getting cheaper for would-be attackers, as the hackers make money on selling the tools and by running Google Ads on the YouTube videos, the report found, citing dozens of videos that it examined.
Just one video published six weeks ago has nearly 13,000 views already. It shows real footage from an unsuspecting family watching TV in their living room when a shrill version of the song "Tip Toe Through the Tulips" begins to play. The teenage daughter walks around the living room trying to find the source of the music, testing computers and phones. She grows increasingly panicked and begins yelling, "Mom, I think that camera is picking up creepy stuff. I think somebody hacked that camera!" From the computer, where a webcam has been turned on to watch and record the entire scene, a voice cackles.
The user who uploaded the video has dozens with similar titles, all including the phrase "cam trolling" and showing variations of people filmed without their consent. In the comments section, YouTube users complement the videos on their ability to scare or confuse people, and share tips and advice on how to hack into webcams.
While some sites like PirateBay or HackerForum offer free downloads of the RATs, updated or advanced versions can be found online for a mere $10-$50. According to the report, in 2013 similar RATs could cost as much as $250.
The ads running alongside the posts ranged from Acura and American Express to the Wall Street Journal and ESPN. Those companies pay YouTube's parent company Google for the adspace, when a video poster signs up for the YouTube Partner Program, they get a cut of whatever ad revenue is generated by video views in exchange for allowing the ads.
The YouTube Partner Program's guidelines state that each video must be "approved for monetization" and so, the report concludes, "someone, or something, 'approved' the videos running with Partner Program advertising. Who, or what, would approve advertising next to videos that humiliate children? YouTube hasn't answered questions about how ads could run next to videos sympathetic to ISIS, even with many advertisers wondering how that could happen."
Matt McLernon, a YouTube spokesman, told BuzzFeed News in an email: "YouTube has clear policies that outline what content is acceptable to post, and we remove videos violating these policies when flagged by our users."
Hemanshu Nigam, a former federal prosecutor against online crimes, and current CEO of SSP Blue, an internet security consultancy group, likened the practice to what police used to call "peeping Toms." Would-be attackers, he said, begin by going to YouTube to watch the films uploaded through compromised webcams. Then they find out how easy it is to hack into computers and take over webcams, mess with URLs, and play psychological games with the victims they have compromised.
"There is access to the child's home without ever going to the child's home," Nigam told BuzzFeed News. "There is a merging of a person who may be wanting to do something illegal in the physical world. but now they say ok, maybe i can do it in the online world. And the hacking community is making it really easy to do that."
Nigam, who still consults law enforcement officials on online crimes, said women were being increasingly targeted. "The number of women and teenage girls who are targets is going up," he said Nigam. "These guys go after women. They film them and then present them with the option of doing what the hacker says or being exposed to the world in a way which might be embarrassing. It is hard to come forward and report these crimes."
The Digital Citizens Alliance report found that a woman's compromised computer is, on average, worth more than a man's, with hackers selling access to the devices of women for $5, while access to a man's computer sold for $1.
Cassidy Wolf was Miss Teen California 2013 when she received an email containing two photographs of her naked in her own bedroom. The email threatened to make the photos public if she didn't send higher-quality photos.
"Your dream of being a model will be transformed into a porn star," the email said.
The photos were taken by her laptop's web camera, which had been hijacked by Jared James Abrahams, a former high school classmate of Wolf's.
Wolf went to police in April 2013, and six months later they arrested Abrahams. He was tried and sentenced in November 2014 to 18 months in prison for hacking into the webcams of dozens of young women, including Wolf.
Today, Wolf speaks out about how difficult it was to come forward, and regularly replies to emails and Facebook messages from teens facing similar extortion attempts after their computers and webcams were compromised.
"I've heard similar stories ever since my story became public," Wolf told BuzzFeed News by phone. "I think that crimes, physical or digital should be treated the same. Technology is constantly evolving and now it is allowing these peeping Tom's into your homes without them ever actually stepping foot there."
Wolf said she was disappointed that Google was not doing more to monitor for the type of content that would allows others to carry out the same sort of crimes she faced.
"Google should be trying to get ahead of the game, this is only going to get worse" said Wolf. "I've thought about starting a YouTube channel… but I didn't know these types of videos were part of their community. I just hope that one day if I start a YouTube channel I won't have to worry about people selling this stuff on my page."
Sheera Frenkel is a cybersecurity correspondent for BuzzFeed News based in San Francisco. She has reported from Israel, Egypt, Jordan and across the Middle East. Her secure PGP fingerprint is 4A53 A35C 06BE 5339 E9B6 D54E 73A6 0F6A E252 A50F
Got a confidential tip? Submit it here.