Hacking Team's Spyware Targeted Porn Sites' Visitors

The company updated its software to target major porn sites in early 2015.

Jul 10 2015, 4:30pm

Sometimes, to get infected with government spyware, all you need to do is to check out your favorite porn videos.

To infect their targets, customers of the controversial surveillance tech company Hacking Team, which recently suffered a major breach that exposed its most closely guarded secrets, had a variety of options available. They could use the old-fashioned phishing email containing a malicious attachment, as Ethiopia allegedly tried to do with a US-based journalist, but that required the target to click and open an attachment from a stranger, something that didn't always work.

Another trick, perhaps easier to pull off, was waiting for the target to browse a certain website and injecting malicious code into it. And what better sites to use for this purpose than popular porn sites?

In January of this year, Hacking Team employee Andrea Di Pasquale announced in an email that he had successfully added support for five new sites that could be used to infect targets, all of them porn sites, including the wildly popular Pornhub and Porn.com.

"I know it's hard for you, but try looking for some non-porn site and add those too :)," his colleague Fabio Busatto replied.

Di Pasquale's changes were part of the new "9.6" version of Hacking Team's premier product, its suite of internet surveillance tools known as Remote Control System (RCS), also known as Galileo.

In an email sent in February, Di Pasquale detailed all the new features he added to RCS' "Network Injector," a surveillance tool that consists of devices installed directly into an internet service provider's data centers. These machines, thanks to Hacking Team's code, allow the company's customers to intercept traffic from a target and replace it with whatever they want, according to Hacking Team's own leaked manuals.

The infection could happen in two ways: either the target sees a fake message asking him to upgrade Flash to see the video and clicks on it, or the customer uses a Flash exploit prepared by Hacking Team, which avoids having to serve a fake update message. The company was reluctant to offer this second option to customers, because it did not want to reveal its exploits and make them unusable, or in other words, "burn" them, according to a source with knowledge of Hacking Team, who spoke on condition of anonymity.

Di Pasquale wrote that with his new "attack," customers could infect porn site visitors who used all major operating systems (Mac OSX, Windows and Linux) and browsers (Internet Explorer, Chrome, Firefox, Safari and Opera).

Before this update, Hacking Team's tools already allowed customers to exploit targets by hijacking their traffic to popular video sites such as YouTube or DailyMotion. YouTube, however, became a harder site to exploit after Morgan Marquis-Boire, a researcher and director of security at First Look Media, revealed last year that Hacking Team was exploiting the site's lack of HTTPS web encryption. His report prompted YouTube to migrate to HTTPS by default.

In fact, after that, a couple of Hacking Team customers complained that they couldn't infect targets visiting YouTube.

"We tested RCS [Network Injector Appliance]," wrote a customer from Uzbekistan in December 2014. "In html-flash in and [YouPorn] did not work, in other sites worked successfully."

Responding to another similar complaint at the end of last year, this one from the Czech police, Hacking Team employee Bruno Muschitiello said that "unfortunately youtube might not work, because they started the migration to HTTPS, for this reason sometimes it works and sometimes it doesn't."

In any case, Di Pasquale's update, including support for porn sites, apparently pleased Hacking Team's CEO David Vincenzetti, who said Di Pasquale was "doing well," and asked the company's CTO Marco Valleri if it was time to "reward" him.