Hackers have become an inescapable part of the Hollywood narrative, on and off the screen. HBO is reeling from the worst data breach since the North Koreans hacked Sony Pictures, with the culprits demanding heavy ransom payments after putting scripts and executive emails online each day. The plot of the hot movie/TV series property, the Bill Clinton-James Patterson novel The President Is Missing that has several studios vying for movie rights, and networks like CBS looking to make a limited series is about a hacker whose cyber terrorism hobbles America and forces the president into deciding whether to kill someone to end the attack. And tomorrow marks the debut of the Audience Network’s adaptation of Stephen King’s Mr. Mercedes, in which the serial killer is, you guessed it, a creepy nerd hacker.
Here’s a new wrinkle that that sounds like potboiler fiction: what if hackers releasing programming, scripts and emails from the likes of Sony, HBO and Netflix are planting malware in the computers of visitors to host sites for the purpose of starting a new chain of extortion and theft?
That is exactly what is happening with growing regularity to people who access pirate sites which are forging unholy alliances with pirate sites, says Hemanshu Nigam. Nigam is the Los Angeles based former federal prosecutor against Online Crimes and ex-Chief Security Officer for News Corp and Fox Interactive Media, and VP Worldwide Internet Enforcement under Jack Valenti’s MPAA. He has been a go-to guy for Deadline on hacking subjects. He was helpful in schooling Sony employees in how to protect themselves from identity theft when Social Security and other information was leaked online, and when Netflix found shows like Orange Is The New Black were hacked, he identified vendors early on as the likely weak link with insufficient safeguards to protect programming.
Hemanshu has most recently been acting as strategic adviser to Digital Citizens Alliance, which is behind an awareness campaign to educate the public bout the dangers of visiting rogue sites and downloading stolen movies and TV programs. An awareness campaign so far includes 28 state attorney generals who’ve done PSA ads about the dangers of accessing pirate sites. The ads were made by Oscar nominated documentary filmmaker Leelai Demoz. This after a study that demonstrated that if you want to contract a virus, piracy sites are just about as reliable as brothels.
“The industry narrative has changed,” Hemanshu said. “When I was at the MPAA, we would tell people that stealing content is wrong and young people would say, yeah, whatever, you guys make a lot of money, too bad,” Hemanshu said. He said that ethically and legally it is still wrong and always will be, but it has now become dangerous to the consumer. “It has gone from an ethical discussion to a dangerous one. Now, your parents’ bank account can be raided, your teenage daughter can be spied on in her bedroom and extorted with the footage, or your computer can be locked up along with everything in it and held for ransom.”
Now, this does sound a bit like a version of Reefer Madness — the over-the-top to the point of absurdity movie made to show the dangers of pot smoking — transplanted to services that steal and make available copyrighted movies. Only Nigam said that here, the danger is all too real and backed up by research. He acknowledged that computer security systems catch and eliminate some malware. But it is not close to a certainty, especially if computers have inferior safeguards or users don’t keep current on updates. That leaves many susceptible to disturbing scenarios.
“Hackers reached out to pirate websites and said, ‘here is a piece of malware, and I will pay you a fee, anywhere from $200 to $5000 per day, depending on the size of the pirate website, for each time viral infection happens,” he said. “That infection can happen if you download a piece of content from a pirate site, or even by simply visiting the site. They call this ‘drive-by downloads,’ where malware is invisibly downloaded to a user’s computer without requiring them to click on a link. All they had to do was search Google and clicked something like ‘Planet of the Apes Movie Free.’ Once that malware is in the system, hackers can get into your financial data through a keystroke log that keeps a record of everything you do. They can lock your computer and everything in it and demand payment. Or worst of all, they do what is called ‘slaving’ your computer. They turn on your webcam. There are people out there who will pay to watch a teen girl in her room. There are lots of things that can happen, none of them good.”
Nigam said his alarm is based on the research compiled by RiskIQ, which compiled data on pirate, porn and gambling sites to gauge the level of malware infestation, and also infiltrated the dark world of hackers to unearth malware schemes. According to RiskIQ there is a 30%-40% chance that a visitor to a pirate site will come away with a dose of malware. He said hackers and pirate sites track the infection rate, and hackers pay pirate sites for successful transmissions through untraceable bitcoins. The study estimates that 12 million U.S users exposed each month, often just from visiting sites. It is a lucrative sideline for the pirates: they earn 10-20 cents per install, and Nigam said the study showed that $70 million in payouts to pirate sites have been made since 2012, and that 150 million malware installs have been executed since that time.
“We hired a research company, hit all these websites and tracked the results,” he said. “We went into the dark net and spoke to a hacker who laid out exactly how it is done. This has become a $70 million business, with pirate websites creating another line of revenue for themselves.”
The most chilling element is the “slaving” ploy, which is to trigger a computer’s webcam and use the contents against those being spied upon. He said there are examples where young women have been subjected to sex-tortion, with hackers threatening to disseminate footage from a computer webcam that has been recording kids in their bedrooms who were completely unaware their privacy was being violated.
“The hackers send notes through the laptop that say, ‘I have been recording you,’ and if you don’t do whatever they ask, they’ll send the footage to your entire Facebook friend list, which of course they have full access to,” Nigam said. Demands range from extortion payments, to what Nigam termed “digital rape,” with teenage girls being coerced into degrading themselves in private Skype sessions.
He cited the 2014 plea agreement of a 20-year old baby-faced computer wiz who hacked into the webcams of 150 computers. Numerous young women, including a Miss Teen USA winner, were blackmailed, and the man got several teens to capitulate to his creepy extortion scheme by exposing themselves to him. He claimed he would not record those sessions but authorities found he did. The man was sentenced to 18 months in jail. Nigam said that case was exceptional, because most hackers cover their tracks well enough and don’t get caught.
Nigam said the PSAs will broaden from online to run on local TV and radio. “It is much safer right now to go on an adult entertainment porn site or a gaming site than a pirate site, believe it or not,” Nigam said. “This is no longer about, don’t download a movie because it’s wrong. Now, you are putting your family at risk, and kids are being victimized and it is serious enough that these state attorney generals want to reach their constituents and warn them of these dangers.”
As for the HBO case, Nigam isn’t involved in the effort to sleuth how badly the hack of the pay network will get, but he had a theory, based on the variety of breaches that have been dispersed to the web, from programming to scripts and emails.
“It tells me that HBO might have a common problem, which is their security network might be set up in a way that, once you get in the door, you can move around the house in any room you like,” he said. “Often, the effort is to devote security to keep people from getting in, but once you get in, it can be like breaking into your house, and hitting every room. More attention should be paid toward segmenting access, even if someone gets in. Think of it like a hotel. If you get into the lobby, you need a key or you can’t get into specific rooms, or even the gym. Networks should be set up with that in mind, creating security barriers even if you make it into the lobby. This is the direction everyone should be moving in, and I wish they were,” he said.