Blackshades - National Crime Agency

Blackshades is a nasty form of creepware that can take control of a computer remotely and give hackers a dangerous amount of access to your data. A worldwide law enforcement operation this month caught the creators of the software, and arrested many who were engaged in criminal use. We explore the story, and see what damage Blackshades wreaked.  

The National Crime Agency recently announced the successful execution of an unprecedented, nationwide operation that saw 17 cyber-criminals arrested  across the United Kingdom. In an official statement, the Agency reported that ‘a week of arrests, searches and seizures has involved nearly every UK Regional Organised Crime Unit (ROCU), as well as Police Scotland and the Metropolitan Police.’

The operation was part of a global effort, headed by the FBI, that involved nineteen different countries, and resulted in over ninety arrests, all related to the criminal use of a malicious software called Blackshades. This nasty creation belongs to the malware subset known as creepware, and enables hackers to remotely access a victim’s computer, control its webcam to take pictures without them knowing, access and download files, plus the theft of usernames and passwords. Hackers don’t even have to know that much about coding either as the Blackshades suite is one of the many malware tools that are sold online through forums and secret sites.

Security specialists Symantec reported that ‘Blackshades is a popular and powerful remote access Trojan (RAT) that is used by a wide spectrum of threat actors, from entry level hackers right up to sophisticated cybercriminal groups. Blackshades was sold on a dedicated website,, for US$40-$50. Competitively priced, with a rich feature list, Blackshades provides the attacker with complete control over an infected machine. A simple point and click interface allows them to steal data, browse the file system, take screenshots, record video, and interact with instant messaging applications and social networks.’

This particular creepware first came to public prominence in the United States last year when the then Miss Teen USA, Cassidy Wolf, reported that she had been sent an anonymous email which stated the sender had naked pictures of her, secretly captured by her own computer which had been infected with Blackshades, and that they would be posted on the web unless she sent more illicit images to the attacker. This particular case ended with the hacker, Jared James Abrahams, being imprisoned for 18 months, but highlighted the potential threat that Blackshades posed to unwary users.  

The National Crime Agency revealed that the creepware was disturbingly easy to deliver to a victim’s machine. ‘People are typically infected by clicking on external links on social networking and communication platforms. Instead of viewing a picture or video, the victim unwittingly installs the malware. In many cases, those affected will have no indication they are infected.’

The ease of use and low cost entry point means that Blackshades has achieved widespread use, with the FBi estimating that it ‘was sold and distributed to thousands of people in more than 100 countries and has been used to infect more than half a million computers worldwide.’ The NCA also reported ‘Investigators believe that around 200,000 usernames and passwords of victims across the world may have been extracted by Blackshades users in the UK.’

Symantec reported that Blackshades wasn’t limited to ogling and blackmailing young beauty queens, ‘Organised cybercriminal groups have netted millions of euro in well-organized attacks, transferring large sums of money using Blackshades infected computers’ its blog read. ‘In a recent operation dubbed Francophone, Blackshades was used as part of a sophisticated social engineering scheme to target French companies in financially motivated attacks. Total financial losses involving Blackshades activity would be hard to accurately gauge, however individual cases indicate they are significant. Blackshades was also observed in politically motivated attacks during The Arab Spring. Political activists were targeted in Libya and Syria during the uprisings with one variant...’

Blackshades - National Crime Agency

The originators of the software are thought to be US citizen Michael Hogue and Swedish national Alex Yucal. Hogue had already been arrested and has subsequently admitted his guilt, while Yucal was detained in Moldova and is awaiting extradition to the US where he has been indicted for the cyber-crimes. Yucal drew particular attention from the law enforcement organisations due to his commercialisation of the Blackshades software.

‘Yucel ran his organisation like a business’ the FBI reported, ‘hiring and firing employees, paying salaries, and updating the malicious software in response to customers’ requests. He employed several administrators to facilitate the operation of the organization, including a director of marketing, a website developer, a customer service manager, and a team of customer service representatives.’

Blackshades - National Crime Agency

This is not uncommon in the current trend of security breaches, where enterprising hackers will develop software and then sell it on rather than use the exploits themselves. It’s a viable business as long as they can evade the authorities, something that might be harder to do now that governments are responding to the increasingly dangerous attacks that these suites can enable.

‘This has been a superbly co-ordinated intelligence-led international policing response to a specific emerging cyber crime threat,’ stated National Policing lead on e-crime, Deputy Chief Constable Peter Goodman, ‘It demonstrates the determination of the National Crime Agency, its partners overseas and the UK’s newly-established regional cyber crime units to identify, trace and disrupt those whose potential criminal activity presents a threat to the public’s lawful use of the intranet.?? It also sends out a clear message to cyber criminals that we have the technology, capability and expertise to track them down, and should, I hope, reassure the public that the police can and will respond effectively to the reports we receive about the criminal use of computer networks and malware to by-pass security measures we rely on to keep our personal data safe.’

Although Blackshades is now high profile and the distribution site has been taken down, the initial packages sold are still out in the wild, so the threat remains active. By the time you read this all of the security software suites should have detection enabled for the specific file types and executables that the malware uses, so, as always, ensure that your versions are up to date and that any patches are applied. Blackshades isn’t the only creepware out there, and more will be on the way. The best way to protect yourself is still to think before you click on links, don’t download anything from unfamiliar sites, and maybe consider the fact that when you’re using your computer the camera just might be watching you.