The dirty secrets of webcam-hacking peeping toms and sextortionists

Virtually every computer sold today comes with a dirty little secret.

It can spy on you.

What’s more, if hackers can infect your computer with malware they can hijack your webcam and secretly watch you too – regardless of whether they’re based down the street or on the other side of the world.

In some cases, if they’re really crafty, hackers can even spy on you without the LED on your webcam lighting up.

Notable victims of webcam hacking include Cassidy Wolf, an American model who was crowned Miss Teen USA in 2013. In her case, Wolf was spied upon by one of her former classmates – Jared James Abrahams – who had installed the Blackshades RAT malware on her laptop in order to covertly take naked photographs of the beauty queen.

Abrahams sent Wolf an anonymous email, threatening to post the intimate photographs of her on social media websites, unless she agreed to send additional photos to him or (eww…) strip for him during a Skype video chat.

Here’s a video of Cassidy Wolf being interviewed about the hack on CNN last year:

Wolf did the right thing. She didn’t give in to the extortionist’s demands, she told her parents what was happening, and contacted the police so they could investigate.

Fortunately, Abrahams was caught, and received an 18-month prison sentence for his crimes against Wolf and other victims.

But it’s not an isolated problem. In May last year, the European Union’s Judicial Cooperation Unit announced it had arrested almost 100 people worldwide in an operation targeting the developers and users of Blackshades, a kit of malware tools sold online for just $40.

Amongst those arrested was Swedish hacker Alex Yücel, the co-creator of the Blackshades Remote Access Tool (RAT), which provides an easy way for perverts to remotely commandeer the webcams of unsuspecting parties and snoop upon their activities.

Yücel was clearly doing quite nicely by selling software that helped hack people’s webcams and access their computer files: he was able to hire several paid administrators, including a director of marketing and customer service staff.

Between September 2010 and April 2014, Blackshades had generated sales of more than $350,000.

You can do the maths yourself to determine just how many people must have been buying the malicious software, and had within their power the ability to hack into strangers’ computers and spy upon them.

Yücel pleaded guilty earlier this year to distributing malware,

Although arrests have been made in relation to the Blackshades RAT malware, there are plenty of other tools and trojan horses in existence which can help strangers snoop upon you.

So what can you do to prevent webcam hackers?

Well, you could follow the example of delegates at the recent Infiltrate conference held at a swanky hotel in the city of Miami Beach.

According to press reports, the Fontainebleau hotel offers guests the use of an Apple Mac computer in every room.

So what do Infiltrate’s security-conscious delegates do when they get into their room and see the Mac (including built-in webcam)?

Why, they turn it around, unplug it, and put a towel over the monitor for good luck!

That approach may be a little extreme for some of us on our own computers, but when you use a PC or Mac in an environment where it is likely to have been used by strangers, you cannot be confident that the device has not already been compromised by malware.

When it comes to your personal computer – be it Mac or PC – make sure that you are always running the latest anti-virus and other security software, keep your software patches up to date, and be wary of opening unsolicited email attachments and clicking on potentially dangerous links.

Also, if you have internet-accessible cameras elsewhere in your house – such as baby monitors or CCTV – be aware that many such devices are sold with default or weak passwords that are child’s play for hackers to crack. Make sure to configure them with unique, hard-to-guess passwords just as you would for, say, your bank account.

In addition, it should go without saying that you should also update your webcam’s firmware regularly to protect against newly discovered security holes and vulnerabilities.

Furthermore, although it can be circumvented in some cases, keep a keen eye out for the webcam’s LED lighting up unexpectedly as it may imply unauthorised access by an application – perhaps being controlled remotely by a hacker or peeping tom.

Finally – cover it and unplug it. If you can, disconnect the webcam if you only use it infrequently but at the very least put a Post-It note over the lens so you can choose when you want to be “on camera” and when not.

Author Graham Cluley, We Live Security

  • zlatty

    All a ploy to get Rand Paul’s NSA spy camera blockers:

  • Tom

    Thanks Graham, nothing new to me, but I have been aware of this since my days in South Africa. I was working for a company, and we were installing Carephone911 into homes during the armed robberies and murders that are now out of control as we speak. At that time, from 1986 onwards, I was very much into the world of security equipment, and the installation of this type of system. This product would be connected to your telephone line first, then the telephone would be linked to this unit. It was mainly sold to people such as the old and fragile and those with swimming pools. So instead of installing an alarm system, this would be the cheaper option for protecting your family against armed intruders, even preventing young children drowning in your pool. Well, how did this work? For a start, the company installed a very sensitive microphone and could handle cameras as an option. Once the alarm was activated, the unit would contact our local control monitoring centre where our operators would listen in to the home, and see through cameras that were installed in or outside the home. When demonstrating the effectiveness of this very clever device, we had to demonstrate to the prospect how important it was to have such a unit installed for total safety. We would plug our demo model into the customer’s phone jack, then his phone into our unit, and start our home demonstration. “The Pool Demo”: Should you discover that your child was not to be seen in the home for the last 15/20 minutes, our first reaction would be to go to the pool area, and what is heart-wrenching to all of us is that we see our child floating or at the bottom of the pool. Press your remote button which is hanging around your neck and the call will be made to our monitoring centre within minutes. The operator would not speak first (for other reasons I will not mention here). It would be up to the person who pushed the PANIC BUTTON first to tell the operator what is happening.

    At this point for this demo I would have gone outside to the pool area, closing the sliding door, leaving the prospect inside to tell me if the operator had heard me. I would shout out, “Help me, help me, I need assistance, my child is dead, I need paramedics.” Now the customers inside the house could not really hear my voice too clearly, but this Carephone 911 unit had a very sensitive mic built in, and the operator repeated every single word for word. Well guess what, the customer would not let us disconnect the unit. SOLD and installed the same day. We saved a lot of lives and it proved to be brilliant. But there is one little secret: yes, it can also be used for eavesdropping too.

  • MyDisqussion

    Towels are not a good solution, unless you are absolutely sure that the computer is off. A towel will cause it to overheat. Black electrical tape can cover the camera, but make sure to stick two pieces together where it goes over the lens to avoid leaving residue.

    Also, stickers are available from many places online which don’t leave any residue.

Copyright © 2017 ESET, All Rights Reserved.