Education is one of the key battlegrounds in stopping video piracy and showing consumers how great the risks are from malware is a powerful tactic.
One of the most popular blog posts we have ever written is 6 Ways To Stop Digital Piracy. This looks at all the various means available to operators to stop consumers accessing their content illegally, and number two on the list is PR and education.
There are several different strands to this. Netflix, for one, has been making a lot of noise recently about the problem of password sharing; pointing out that it is actually illegal to share your password while trying to nudge people towards maintaining their own accounts rather than piggybacking off other family members et cetera. Meanwhile, efforts have been successfully made in many countries to persuade consumers that rather than being simply ‘something everyone does’, video piracy is not only a crime but something that has a knock-on effect on the entire industry. The argument is that less revenue means less content means less programming available from both legal and illegal providers. If everyone stops paying, then nothing ever gets made.
One of the most effective tools available to operators, however, has been highlighting the threat of malware for consumers of illegal content, and the fact that accessing it also provides a ready-made route into domestic homes for cybercriminals. And while there has often been a temptation to view this as primarily as an APAC problem, a new report from the AAPA (the Audiovisual Anti-Piracy Alliance) has emphasised just how high the cyber risk is to European consumers from malware.
A growing threat
Malware has been an increasing threat for a number of years now. The Covid pandemic resulted in a huge spike in malware activity as an increasing number of workers found themselves working from home using their own equipment, and IT departments found themselves unable to cope with a massively expanded attack surface. The video industry had to cope with its own increases in demand during Covid too, but the rising threat of malware here has been less about the overall numbers and more about the pivot from downloading illegal content to streaming it.
Downloading via bittorrent and other P2P networks had always required a certain amount of technical know-how. Often the people accessing content in this manner were quite well informed of the potential for malware and viruses to attack their computers and took appropriate actions. However, as video piracy has become "easier" via web browsers, so have the attacks made through them.
As the AAPA report puts it: "Every device connected to the internet that is involved in the audiovisual piracy value chain – including mobile phones, tablets, PCs, STBs, Smart TVs, and so on – is a potentially infectable endpoint.”
The UK’s FACT (Federation Against Copyright Theft) analysed 50 streaming sites and all 50 were found to have malicious content. Over 90% of sites were classified ‘risky’ by cybersecurity experts, while more than 40% had no security certificate. Users were “bombarded” with threats, which included banking trojans, crypto scams, and extreme or explicit pop-ups, while they also found that finding the content they wanted to watch was more difficult than ever as they were bounced around the web.
QoE is not one of the pirate’s strong points…
71 seconds to compromise
To measure the extent of the problem the researchers set up several simulated users on several different devices — a PC, a tablet and a STB — and pointed them at sites that were known to host illegal content. These fake users then replicated the behaviour you would expect from normal members of the public, registering, clicking on links, searching etc. The researchers then looked at what happened.
Unsurprisingly, PC users suffered the biggest range of attacks. Attacks ranged from pop-up windows to cost per click fraud malware, browser notification hijacking, browser extension installation, adware, full on malicious application installation, malicious banned ads, and more, as well as a significant amount of other intrusive but more mainstream revenue generation attempts.
That is not to say that mobile users got off lightly. Out of 33 IPTV apps tested on Android devices, 19 contained malware, making the chances of downloading a piracy-oriented IPTV app with a hidden malware cargo 57%. Meanwhile, no malware or even unwanted patterns of advertising (intrusive banners or interstitials) were observed on the Android TV STBs.
And all this happens swiftly, as a PC can be compromised in just over a minute; 71 seconds to be exact.
Here are the details of what happens during one session.
“During that time, [users] were presented with two popups – one, a Russian browser promising cash discounts for internet purchases, the other, selling CPC [cost per click] leads for Game of Thrones traffic – followed by their screen becoming locked, and providing an actual phone number to call Microsoft to unlock the PC due to the presence of cyber threats. The number was verified as not belonging to Microsoft – in fact, it was a scammer phone number, where the scammers tell the consumer that they need “technical support” during which a Remote Access Trojan is planted on the computer.”
The best defense against malware?
It’s a worrying story but an increasingly common one. One important aspect of the whole experiment is to illustrate that malware “is not just an APAC problem.” The compromise experiment above was built on the work of one mounted by AVIA which showed that in the APAC region the time to compromise was as little as 43 seconds. The difference between the two regions is therefore 28 seconds. Arguably consumers protected by an extensive legal and regulatory network in Europe could expect a longer grace period before they are attacked. The fact that they do not have one showcases how widespread and insidious the problem is.
The best defense against malware is, of course, not to visit the sites or download the apps in the first place. This is perhaps the key message to get across to customers and the one that is hardest hitting.
Everyone knows the dangers of cybercriminal activity, from simple fraud through ‘card not present’ transactions to ransomware and on to outright identity theft. Indeed, one in five Europeans experienced identity theft in the two years up to 2020.
And as an industry, helping to educate our customers to the dangers of clicking on the button that will take them to an illegal streaming site is a powerful argument to stop them wanting to do it in the first place.