Hackers plant child sexual abuse images on legitimate websites – could it be ransomware?

Police stop signThere’s a disturbing report from the Internet Watch Foundation (IWF) today, describing how hundreds of legitimate business websites have been hacked in the last few weeks in order to unwittingly host disturbing images of child sexual abuse.

According to the IWF, the files being hosted on the hacked websites include illegal and upsetting images of children under the age of two being raped and sexually tortured.

It’s important to realise that the illegal content is not being directly linked to from the hacked website itself. You’re unlikely to visit a website selling furniture and stumble across a folder containing hundreds of child abuse images.

Instead, the IWF says that links to the offending content have been planted on adult pornographic websites.

It works like this:

  • An internet user would be surfing adult content (website A).
  • Upon clicking an image or video on the adult site they would unknowingly be redirected to a folder containing the child sexual abuse images – which had been placed on the hacked website (website B).
  • The administrators of the adult site and the hacked site would not know this is happening – a third party has set up the ‘diversion’ from one site to another and planted the folder of images.

What’s interesting is that the IWF reports that the way people might encounter this content is by visiting adult porn websites, only to find themselves redirected to the child abuse images.

The intriguing question is what’s the motive for an attack like this?

Could it be that rival adult websites are attempting to damage the reputation of their X-rated competitors? Clearly sites would be in hot water if they were seen to be driving web traffic to illegal content, and could find themselves in the firing line for being perceived to help with the distribution of child sexual abuse material.

Sign up to our free newsletter.
Security news, advice, and tips.

Another possibility is that it could be anonymous hackers, who might have a vendetta against the adult industry or decided to take a stand against those who consume unpleasant online images and movie.

I think it is unlikely that the offending images have been planted on the legitimate websites for the purposes of delivering the illegal content to paedophiles. It just doesn’t seem plausible to me, and the chances for being discovered are too great.

The child sexual abuse images being discussed here are frequently accompanied by a malware attack – more specifically, the type of malware known as ransomware which often poses as an official warning from the authorities that a computer has been determined to be accessing child porn.

Here is an example of the type of message typically seen by a ransomware victim:

Example of ransomware

Ransomware typically locks your PC, and demands that you pay a fine online to regain access, often pretending to be a message from the police. And believe me, such messages can be very convincing. Last month, a man turned himself into the FBI for “child porn” after his laptop displayed a ransomware pop-up warning.

Wouldn’t it be an altogether more convincing and successful scam if the victims *had* been visiting adult websites, and found themselves unexpectedly looking at child abuse images?

What better way to scare someone into paying a ransom than to tell them that they have been spotted accessing child pornography? Many people who receive a message like that would be petrified of contacting the police to check if it’s true, or taking your PC down to the local computer store to be checked over…

… and it’s even more terrifying if your computer *had* unexpectedly accessed child abuse material while you were furtively accessing a (legitimate but seedy) adult porn website.

Remember to keep your computer system up-to-date with the latest security patches and anti-virus software definitions, and to be careful about what links you click on.

And, if you’re a business with a number of orphaned and dormant websites that aren’t being properly maintained to keep the hackers out – here’s another reason why it might be wise to run a tighter ship in future, or potentially risk your company being associated with the dissemination of child sexual abuse images.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Hackers plant child sexual abuse images on legitimate websites – could it be ransomware?”

  1. Jim

    Interesting theory, but my reading of the situtation is that the images are hosted on legitimate websites to shift the onus of blame (and possibly lessen bandwidth). As we've seen with torrent search sites, if you claim to be 'just indexing' then its harder to shut you down. If you're actually hosting the images yourself, then the local authorities will contact the ISP and shut you down in days.
    The ransomware you mention (with the marvelously mis-spelt title and dodgy photohop montage!) typically loads on startup, and won't allow the PC to be used for anything else. I don't believe there is any connection at all with the PC being used to access pornography, its just a full screen app that stops you doing anything else but paying the ransom. But its easy enough to disable if you have access to another computer where you can find the instructions on the Internet.

    1. Graham CluleyGraham Cluley · in reply to Jim

      Thanks for your thoughtful response.

      The IWF confirmed to TechWeekEurope that malware is being distributed alongside the offending images. See http://www.techweekeurope.co.uk/news/websites-hacked-child-abuse-malware-123765

      Yes, a lot of ransomware does contain spelling mistakes and obvious "clues" that might tip off some users that something fishy is afoot. The screenshot I used is just an example to illustrate how ransomware can appear. My point is that if a PC is locked by recently installed malware *after* the user recently (accidentally) visited a website hosting child sexual abuse images, they are even more likely to pay the "fine".

      And although you say ransomware is easy to disable if you have access to another computer, in my experience the typical computer user *would* struggle without a lot of handholding. And, if they have been accused of viewing illegal images of child abuse, they might not be keen to share their problem with others.

      But, yes, there are some unanswered questions here. Maybe in time we'll find out the truth of what was going on.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.