Cybercriminals reporting competitors to Google to spread their own malware

In a move as sneaky as a criminal calling the cops on rival gangs, malware authors have been impersonating Ubisoft, Steam and other large game companies to serve Google with DMCA 1201 notices that irreversibly take down their competitors.

The cybergangs claim that pirate game sites are using tools that break digital rights management (DRM), which allow them to circumvent technologies designed to restrict the use of proprietary hardware and copyrighted works.

Normally, when Google gets a copyright complaint, it delists the site but still allows the site’s owner to contest the removal through a process defined in Section 512 of the DMCA. When Google receives complaints about DRM-breaking tools, however, it removes the accused site and offers no appeal process.

The malware authors have been impersonating the gaming companies and sending the notices to Google to target pirate sites that distribute cracked versions of games. Once those sites are offline, the malware authors’ own sites rise in Google’s search rankings, advertising the same cracked games, which are instead laced with malware.

“I have been investigating those persons for a long time, and I can tell with proof that they are behind a massive spam attack spreading their miners,” an anonymous source who owned one of the sites that were taken down told TorrentFreak. “They are taking advantage of the lack of games cracks lately, creating websites claiming they provide cracked games, but all the links on these sites lead to cryptocurrencies miners.”

Google has taken notice of the activity and has started actively flagging several of the notices which supposedly came from Steam and Ubisoft.

“We believe that an impostor or someone else abusing the process submitted this request,” a notice in Google’s transparency report said. “We report it here for the sake of completeness and to provide a view into one kind of abuse of the DMCA process.”

Google has reinstated some of the links that were removed by the impostors, and researchers suspect there are more people or groups initiating fraudulent takedowns with varying motives.
