Child sex abuse image peddlers dodge UK smut filters and demand Bitcoin payments
IWF spots worrying trend as digital currency is used for first time
Exclusive The implementation of network-level filters by all of the UK's biggest ISPs has contributed to a worrying side effect: it appears to be forcing peddlers of child sexual abuse images to seek different ways of distributing the illegal material. Apparently these increasingly include hacks into the websites of businesses whose security is lax by these criminals, who are starting to demand payment in Bitcoins.
That's the conclusion of the Internet Watch Foundation, a telco-backed organisation that – among other things – provides ISPs with a blocklist of child sexual abuse URLs of unlawful content that is hosted outside of the UK.
The IWF's technical researcher, Sarah Smith, told The Register that hackers, for the first time, were using Bitcoin as the only method for paedophiles to pay for highly illegal child sex abuse images found on the public web.
"We haven't encountered this previously, this is the first template we've seen using this as a payment mechanism," she said.
Last summer, the IWF said it had spotted an unsettling and growing trend among hackers who try to dodge the system to circulate sick images to paedophiles online by stashing the content on an innocent outfit's servers.
"The websites [being hacked into] largely seem to be small business websites, so we suspect that the security isn't particularly strong on these sites and that's enabling people to get access," Smith said.
She warned that more sites will be hacked in this way in the future and said that small businesses and voluntary organisations in the UK were particularly vulnerable to such attacks.
The IWF, which works closely with the UK's specialist Child Exploitation and Online Protection (CEOP) police unit, has copies of spam emails containing spoofed headers that appeared to have been the primary method used to circulate the URLs.
Smith told us that the use of Bitcoin as a payment mechanism used in exchange for sicko content online was particularly troubling because of jurisdiction issues that are amplified by a lack of financial regulation around the digital currency.
"Investigating the people who are following the money becomes that much more difficult when you're talking about crossing borders," she said. "It's like any payment mechanism; it's going to be abused by a minority of individuals."
The IWF has found 38 different domains that may have multiple redirectors to the newly uncovered child sexual abuse material template that exclusively demands Bitcoin payments. Smith added that, as of 26 February when she spoke with El Reg, there were 11 domains that had been assessed as containing the content itself.
It's understood that the redirector websites were hacked with a single .html webpage with what appeared to be an automatically generated name consisting of seven random characters. Worse still, it's unlikely that operators of the targeted sites are actually aware of what is going on.
Smith said that anything up to 25 per cent of the content the IWF sifts through was considered commercial because a payment mechanism was attached. Most paedophiles apparently use the web simply to trade illegal images with others, so no cash is involved.
In 2013 alone, the organisation - which now has 12 analysts on its books - dealt with more than 2,500 commercial URLs. But the use of Bitcoin by peddlers of child sexual abuse images only came to the IWF's attention in January.
"We group the distributors together by looking at the payment mechanisms that are being used or particular merchant accounts where the payment appears to be being funnelled to so that we can provide that information to law enforcement," said Smith.
Peddlers of such content tend to have a revenue stream linked to malware and other types of online criminality, the foundation's researcher added. But while methods such as PayPal have posed challenges, Smith said it was the case that conventional payment providers at least had safeguards in place to try to halt such transactions.
Not so with Bitcoin, however.
Filtering the filters
Meanwhile, the method of discreetly inserting child sexual abuse material into orphaned folders on hacked sites appears to openly ridicule Prime Minister David Cameron's crusade against the easy availability of perfectly legal adult content online.
Smith was careful to respond to our questioning about the contentious network-level filters that the four largest ISPs in the UK have implemented over the course of the last few years to prevent regulatory meddling. She said the IWF's remit was simply about preventing access to child sexual abuse images and had nothing to do with the debate about censoring content such as pornography.
But she did tell us:
I think that action to prevent access to certain sites will mean that people are going to look at different ways of distributing this content and, potentially, to be abusing the websites of legitimate businesses could be a way of defeating filters specifically in relation to child sexual abuse content.
As recently as last summer, redirectors were found by the IWF to have been inserted in a number of porn websites. But if access to such sites becomes that little bit more difficult because of ISP filters, then it's fair to surmise that evildoers will use other methods to distribute their illegal material.
Smith was keen to stress that it was only a "possible contributory factor", but it does appear to be the case that the filters have brought about a deeply undesirable side-effect that is hitting some small businesses in Blighty, who may have no idea that their websites have been tampered with in this way. ®
Sponsored: Global DDoS threat landscape report