By Evan Perez, Shimon Prokupecz and Tom Cohen
It is nicknamed “creepware,” and more than half a million people around the world have been prey to its silent computer snooping.
Miss Teen USA Cassidy Wolf was one of them in a well-publicized case of hacking associated with the malware called Blackshades.
Now, an international crackdown by the FBI and police in 19 countries has brought more than 90 arrests in what authorities say is a serious strike against a widespread and growing problem.
U.S. Attorney Preet Bharara in New York told reporters the global investigation “exposed and crippled a frightening form of cybercrime that has affected hundreds of thousands of users around the world.”
The sweep, capping a two-year operation, was coordinated so suspects didn’t have time to destroy evidence. It included the arrest of a Swedish hacker who was a co-creator of Blackshades, Alex Yucel, who was apprehended in Moldova.
In total, one of the largest global cybercrime crackdowns has yielded the arrests of more than 90 people linked to the Blackshades malware, with more than 300 searches conducted, Bharara said.
Others arrested included Michael Hogue, who was nabbed in Arizona in 2012, pleaded guilty last year and now was cooperating with federal authorities, according to Bharara.
Two arrests in New York picked up Kyle Fedorek and Marlen Rappa, who both were charged with conspiracy to commit computer hacking and computer hacking, said documents posted on the website of Bharara’s office. Fedorek also faces a charge of access device fraud, his charging document said.
The malware, which sells for as little as $40, can be used to hijack computers remotely and turn on computer webcams, access hard drives and capture keystrokes to steal passwords — without the victim ever knowing it.
According to Bharara and the FBI, criminals have used Blackshades for everything from extortion to bank fraud, and it has become one of the world’s most popular remote administration tools, or RATs, used for cybercrime in just a few years.
“The RAT is inexpensive and simple to use, but its capabilities are sophisticated and its invasiveness breathtaking,” Bharara said. “For just $40, the BlackShades RAT enabled anyone anywhere in the world to instantly become a dangerous cybercriminal, able to steal your property and invade your privacy.”
To prove his point, the FBI released screen grabs showing how the malware works, including an ungrammatical message that would pop up on the computer screens of victims that said: “Your computer has basically been hijacked, and your private files stored on your computer has now been encrypted, which means they are impossible to access, and can only be decryped/restored by us.”
Leo Taddeo, chief of the FBI’s cybercrime investigations in New York, said the unprecedented coordination with so many police agencies came about because of concern about the fast growth of cybercrime businesses.
“These cybercriminals have paid employees, they have feedback from customers — other cybercriminals — to continually update and improve their product,” Taddeo said recently. While he spoke, agents took calls from counterparts working the case in more than 40 U.S. cities.
Blackshades had grown rapidly because it was marketed as off-the-shelf, easy-to-use software, much like legitimate consumer tax preparation software.
“It’s very sophisticated software in that it is not very easy to detect,” Taddeo said. “It can be installed by somebody with very little skills.”
Miss Teen USA spied on at home
For victims whose personal computers were turned into weapons against them, the arrests bring reassurance.
Wolf, the reigning Miss Teen USA, received an ominous e-mail message in March 2013.
The e-mail, from an unidentified sender, included nude photos of her, obviously taken in her bedroom from her laptop. “Either you do one of the things listed below or I upload these pics and a lot more … on all your accounts for everybody to see and your dream of being a model will be transformed into a porn star,” the e-mail said.
And so began what Wolf describes as three months of torture.
The e-mail sender demanded better-quality photos and video, and a five-minute sex show via Skype, according to FBI documents filed in court. He told her she must respond to his e-mails immediately — software he had installed told him when she opened his messages.
“It was traumatizing,” Wolf told CNN’s “Anderson Cooper 360.” “It’s your bedroom. That’s your most private, intimate space and that’s where you should feel the most safe.”
She now has a new laptop and covers the webcam with a sticker.
A former classmate she knew, Jared Abrahams, had installed Blackshades malware on Wolf’s laptop. In March, the 20-year-old computer science student was sentenced to 18 months in prison after pleading guilty to extortion and unauthorized access of a computer.
Abrahams had been watching her from her laptop camera for a year, Wolf later learned. The laptop always sat open in her bedroom, as she played music or communicated with her friends.
According to FBI documents, Abrahams had used Blackshades to target victims from California to Maryland, and from Russia to Ireland. He used the handle “cutefuzzypuppy” to get tips on how to use malware and told the FBI he had controlled as many as 150 computers.
Hackers issued warnings
Computer hacker forums lit up last week as law enforcement officials around the world began knocking on doors, seizing computers and making arrests around the world.
On the popular websites where cybercriminals buy and sell software kits and help each other solve problems, hackers issued warnings about police visits to their homes.
The hackers quickly guessed that a major crackdown was under way on users of Blackshades.
In New York City, about two dozen FBI cybercrime investigators holed up in the bureau’s special operations center tracked the investigation.
Rows of computer screens flickered with updates from police in Germany, Denmark, Canada, the Netherlands and elsewhere. Investigators followed along in real time as hundreds of search warrants were executed and suspects were interviewed.
Six large computer monitors displayed key parts of the investigation. Agents kept an eye on one screen showing a popular website where Blackshades was sold. The FBI has taken down the site.
Another monitor showed a map of the world displaying the locations of the 700,000 estimated victims whose computers have been hijacked by criminals using the Blackshades software. Splotches of green on the map indicated concentrations of infected computers in highly populated parts of the United States, Europe, Asia and Australia.
Weak security, victims’ mistakes
Cybercriminals often rely on weak links in computer security and mistakes by victims to infect computers.
Many computer users don’t update anti-virus software. Many click on links sent in messages on social media sites such as Facebook or in e-mail without knowing what they’re clicking on. In seconds, malware is downloaded. Often, computer users have no idea infection has taken place.
Taddeo, the FBI cybercrime chief, said the most common way criminals have used Blackshades to target victims is by sending e-mails that seem legitimate, perhaps with a marketing offer, and with a link to click. “Anyone who signs on to the Internet is potentially a victim of this tool,” he said.
In Wolf’s case, she received a Facebook message related to teen pageants. When her computer was infected, it sent messages to other friends, whose computers also became infected.
The episode has made Wolf a campaigner to urge young people to be better educated about online safety. She said her passwords are now more complicated and unique for each account, and she changes them often. She uses updated security software.
“I really didn’t think that everything I worked for could be lost because of this,” she said. “This can happen to anybody.”