Skip to content
Google profits from YouTube RAT infestation, says consumer group
Naked Security Naked Security

Google profits from YouTube RAT infestation, says consumer group

YouTube has thousands of videos on stealing images and spreading malware, along with examples of stolen streams from "slave" devices.

Google profits from YouTube RAT infestation, says consumer groupYouTube has thousands of videos that offer tutorials on how to use remote access Trojans (RATs) and how to spread them to other devices, as well as examples of RATs that have been used to take over “slave” webcams that display victims’ faces and IP addresses, an online consumer protection group says.

It’s well known that there’s a thriving black market for access to computers whose webcams have been compromised: in 2013, access to feeds coming from female victims cost as little as $1, and access to males cost $1 per 100 victims. These hackers are known as ‘ratters’.

But besides selling the stolen content, running next to those RAT-related YouTube videos are ads that line the pockets of the ratter and YouTube owner Google.

The Digital Citizens Alliance (DCA) released a report at the Black Hat conference last week that describes the unsavory business of intruders who not only peek into bedrooms via trojanized devices’ webcams, stealing images, video or personal data and using them to sextort victims, but who also profit-share with Google through advertising.

What is a RAT?

The tools in question, RATs, are a type of malware that gives an intruder administrative control over a targeted computer.

They install invisibly, spread via email attachment or by tricking victims into visiting a booby-trapped site.

Once successfully installed, RATs can:

  • Download, upload, and delete your files (potentially even clearing a hard drive completely);
  • Steal passwords, credit card numbers, emails, and files;
  • Watch you type and log your keystrokes;
  • Watch your webcam and save videos;
  • Listen in on your microphone and save audio files; and
  • Use your computer for a distributed denial of service (DDoS) attack.

An infamous RAT attack

The attention paid to the crimes of sextortion, webcam hijacking and RAT attacks has spiked in the wake of one particularly infamous case: that of Miss Teen USA Cassidy Wolf, who was sextorted in 2013, her webcam having been commandeered and images stolen by a guy who turned out to be one of her high-school classmates.

When the FBI searched Jared James Abrahams’ computers, agents found evidence of keylogging and messages relating to the use of two remote-access tools (RATs) or Trojans – Blackshades and Darkcomet.

Analysis also turned up forum messages from Abrahams asking about using a fully undetectable (FUD) keylogger.

As well, Abrahams had asked for advice on getting victims to download the malware, given that he “[sucked] at social engineering.”

After taking over his victims’ email accounts, their social media accounts, and their webcams, he was able to steal nude photos.

Abrahams used those photos to extort his victims, threatening to publicly post still images or videos to the victims’ social media accounts unless they either sent more nude photos or videos or engaged in a Skype session with him and did what he said for five minutes.

Abrahams was sentenced to 18 months in jail.

“Victims should not be clickbait”

The DCA has called on YouTube to stop monetizing videos that promote the use and dissemination of RATs, saying in a release that there’s “no reason” why major brands should be running adverts alongside these videos:

No company - especially one as big as Google - should make even a penny from videos that show the faces of victims and IP addresses.

The BBC reports that Adam Benson, deputy director of the DCA, said that the trade in stolen webcam footage was “troubling” and called on Google to stop relying on computer-based methods to find and remove the videos.

After all, Benson pointed out, Google has deployed teams of real, live humans to hunt down offending clips and handle complaints about other videos that show shocking or illegal images, so why not bring the same level of attention and resources to ratters?

From the group’s statement:

When Google is serious about solving a problem, it assigns a human team to do what an algorithm clearly can’t. Bringing in human teams helped block tens of thousands of search queries for child pornography and to ensure the quality of apps on Google Play. Hacking victims deserve the same concern and protection. Google should assign a human team to reviewing these videos and immediately cease advertising on such video platforms. These victims should not be clickbait and ad revenues from slaving tutorial videos can’t be worth the pain and suffering they cause.

The BBC quoted from a response sent by Google in which it pointed to its policy on YouTube content:

YouTube has clear policies that outline what content is acceptable to post and we remove videos violating these policies when flagged by our users.

Fine, Benson said. Now do the same with the hundreds of clips that often frighten, humiliate and terrorize victims.

If a ratter’s videos are approved by the YouTube Partner Program – as were those the DCA found in its investigation – then that content starts to be monetized.

In a survey of 200 RAT videos, the DCA found that about 38% of the tutorials had advertisements running alongside the videos, and hence were pulling in profits for the crooks who posted them.

I agree with the DCA: none of this activity should be tolerated in any way anywhere online, not least incentivized through advertising programs.

The company has the resources to go after child abuse traffickers, just as it goes after child abuse image traffickers. As Benson said, it can surely spare a dedicated team of humans to track down those who use YouTube as a market to peddle their so-called “slaves”.

While we wait for Google to respond to this issue, here are some tips to fend off a RAT attack:

How to protect yourself from RATs

  1. Keep your antivirus and firewall protection up to date.
  2. Patch applications in a timely fashion.
  3. Be wary of email and social networking messages from strangers, and refrain from clicking on attachments or links in any such messages.
  4. Use a strong, unique password for every online service you use. Here’s a 2-minute tutorial on how to do it.
  5. Don’t take your webcam into intimate places, even if an error message tells you your computer needs hot steam to clean its sensor (true story!).
  6. When not in use, cover your webcam lens (a piece of tape, or bandages work well) or point it at the wall.
  7. Think twice before stripping for a conversation – remember, whomever you’re talking to can record and share the video.
  8. If you ever get contacted by somebody who threatens to publish your images and shame you, report it immediately to a parent, a trusted adult, or to law enforcement.
  9. Don’t give in to the ratters. Giving them what they want, be it more images or an online performance, will only make things worse. Abrahams is a case in point: he told victims he’d delete nude photos if his victims gave him what he wanted, but it was a lie. He admitted to doing nothing of the kind even when his victims did what he demanded.
  10. Here are 10 tips from Safer Internet Day to that can help us all – kids, teens and adults – to think before we do something risky online.

Image of YouTube courtesy of Gil C / .


They have videos of people demonstrating usage of guns, too. Seems like a specious argument here by the DCA. As a security guy, I actually like those tutorials, without any of the effort to install and play with the tools myself.

Also, seems like a slippery slope for deciding what videos people can have on YouTube or not. What if I have a tutorial for using VNC in my company? What if Sophos shows a video demonstrating the usage of a RAT for example purposes? Does intention mean anything?

And always, when in doubt, bring in child abuse, the age-old fallacy of an emotional plea in an argument.



Very important to understand the non profit group behind this story. Not a clean source for this story. Is YouTube really the only place the information is available? “The group behind a study blaming Google’s YouTube for helping Peeping Tom hackers failed to mention its connections to the film industry lobby, one of Google’s biggest antagonists.”


Google & You tube use phishing and profiling attacks, when user search or click a link data sent to big guns and shot down small bullets in name of advertisement to users. Doubleclick has been linked to countless pieces of spyware and as of yet takes no responsibility (either socially or ethically) against it.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!