CIO

Hackers use YouTube to sell stolen credit card numbers, group says

An Internet safety group calls on YouTube to more proactively police uploaded videos

YouTube has thousands of videos promoting compromised credit card numbers, with the site sometimes running advertisements for legitimate credit cards or retail outlets alongside the hacker videos, according to a new report from an online safety group.

YouTube advertisements from credit cards and compromised retailers are, in effect, paying for videos advertising compromised credit card numbers, the Digital Citizens Alliance said in a report released Tuesday.

"It's troubling to see criminals infest YouTube in this way," said Tom Galvin, executive director of the Digital Citizens Alliance. "It's equally troubling to see [YouTube parent] Google profit from that via ads, because it speaks to whether or not Google has an incentive to take this stuff down."

When comparing ads for compromised credit card numbers on YouTube and on anonymous marketplace Silk Road, the group found "there isn't that big of a difference," Galvin added. "That's a scary thing. Silk Road is viewed as nefarious and the dark Web, and YouTube is viewed as a kind of a playground for everyone from preteens to adults."

The group ran several credit card-related searches on YouTube this year. The phrase, "how to get credit card numbers that work 2014," yielded 15,900 results. "CC info with CVV" (credit card info with card verification values) produced 8,800 results, and "buy cc numbers" produced more than 4,800 results.

"CC number with CVV" yielded nearly 4,200 results.

In some cases, the videos promoting compromised credit cards ran next to ads for American Express, Discover Card, Amazon.com and Target, which announced a data breach in December, according to the report.

A spokeswoman for Google, YouTube's parent company, said the company works hard to police videos there.

"Our guidelines prohibit any content encouraging illegal activities, including videos promoting the sale of illegal goods," she said by email. "YouTube's review teams respond to videos flagged for our attention around the clock, removing millions of videos each year that violate our policies. We also have stringent advertising guidelines, and work to prevent ads appearing against any video, channel or page once we determine that the content is not appropriate for our advertising partners."

Digital Citizens Alliance, which has targeted YouTube in the past for videos advertising steroids and prescription drugs, acknowledged that YouTube has a difficult job in policing the millions of hours of videos uploaded there each day.

But Galvin called on YouTube to take a more proactive approach to flagging objectionable videos. The company could require a human reviewer to check videos with search terms associated with credit card fraud and other illegal activity, he said.

"If they took a dozen or so search terms and just took the time to create a review process around it, they could do a lot of good work," he said. "We're not suggesting they're going to take on the onerous task of reviewing every video. That would be unrealistic, but they could isolate certain search terms."

YouTube's efforts right now focus on scrubbing videos after they are uploaded, but they keep coming back, Galvin said. The issue "is not being solved from a systemic standpoint," he added. "We've kind of made it a cause to keep pushing on Google to clean that up. I think we've only had moderate success on that front."

Asked why the latest report focuses solely on YouTube, Galvin said its size matters. "We've focused on YouTube because of the fact that ads run next to/during these videos promoting dangerous/illegal activities," he said by email. "We understand that platforms will have questionable things on them, but the fact that Google monetizes these videos on YouTube (the third most visited website) makes it different and we think noteworthy."

The Digital Citizens Alliance has issued about 20 reports since late 2012, including reports on Silk Road, Chinese counterfeits and Bitcoin in recent months, he noted. "Our work has looked at a whole range of topics, most of which have nothing to do with Google," Galvin said.

Galvin didn't disclose specifically where the group's funding comes from, but members include Internet security groups, child safety groups and consumer groups. The group doesn't publish a list of its full membership because of the "sometimes sensitive nature" of its investigations, he said.

Members of the group's advisory board include representatives of the National Consumers League, i-SAFE and the Association for Competitive Technology, a trade group focused on app developers but historically aligned with Google rival Microsoft.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.