Torrent Sites May Expose Millions to Malware

Online-forum users will argue in circles until they're blue in the face about the legality of torrenting copyrighted material, but one thing seems clear: It's not nearly as safe as using legitimate channels. A recent report suggests that one out of every three torrent websites is replete with browser-attacking malware, resulting in approximately 12 million users being exposed to (but not necessarily infected by) harmful software each month.

Credit: Alex Skopje/Shutterstock


The research comes from a paper entitled "Digital Bait," courtesy of the Digital Citizens Alliance (DCA), an advocacy group that tries to protect consumers from illicit downloads, identity theft and intellectual-property infringement. To be clear, the organization is not unbiased: It seems to take particular aim at digital piracy, asserting (potentially correctly) that malware delivered through file sharing can steal a user's private information. The paper makes a few suggestive points in this regard.


(The organization also asserts that piracy is theft and "harmful to both creators and consumers" — a defensible position, albeit one sure to ruffle some online feathers. It deems torrent sites "content theft" sites, despite the fact that much of what is torrented, such as open-source software, is shared entirely legally. In a December 2014 story, The New York Times identified the DCA as a pressure group funded by the motion-picture industry that tried to get state attorneys general to build cases against Google.)

The DCA, working in conjunction with RiskIQ, a San Francisco-based cybersecurity firm, studied 800 popular torrent sites, and found that they're not exactly the safest destinations online. While this won't surprise anyone who has become adept at navigating around the endless stream of shady advertisements and pop-ups inherent in the system, the numbers are still not encouraging.

One-third of the sites contained links to malware, in the form of fake downloads, drive-by downloads (potentially from malvertising), pop-ups or phony download links — and this figure did not take into account malware that resulted from clicking on malicious advertisements, or from actually downloading the shared files listed on the torrent sites. RiskIQ calculated that browsing to a "content theft" website was approximately 28 times riskier than navigating to a legitimate streaming or download site.

Even users who have become adept at ignoring the misleading download links and getting just the content they want are not necessarily free from risk. The study asserts that while the majority (55 percent) of malware comes from user-initiated downloads, such as clicking on a fake antivirus pop-up window, the remaining 45 percent comes from drive-by downloads that begin as soon as the page is loaded, regardless of input.

This does not necessarily mean that the user actually has to download said files, of course; many operating systems block uninitiated downloads by default. Even if, for example, an .EXE file makes its way into the Downloads folder, the user usually does not have to actually install anything.

While RiskIQ's assertion that 12 million users face these ads each month may be accurate, the company did not hazard a guess as to how many users actually contract malware. While the number is almost certainly not zero, it's almost certainly not 12 million, either.

Furthermore, even a malware download is not always a death sentence. Users who are savvy enough to use torrents are likely also savvy enough to run an antivirus sweep to get rid of the run-of-the-mill malware that clogs up many torrent sites. Not every torrenter will successfully avoid malware, and not every malicious program is easy to scrub, but it's not quite as apocalyptic as the DCA suggests, either.

Rightly or wrongly, the DCA has a particular bone to pick with digital piracy. The paper's conclusion, instead of citing the study's numbers to support its findings, simply opines on the immorality of file sharing. Furthermore, the math used is fuzzy, at best: the paper does not describe exactly how it differentiated misleading downloads from ads that link to other sites, which it purposely avoided.

Although it's best to take "Digital Bait" with a grain of salt, its primary assertion — that torrent sites are often filled with malicious ads and other browser-attacking malware — is hardly wrong. Furthermore, its contention that digital piracy equates to content theft, and has harmful economic repercussions, is a justifiable position, albeit one that's often up for vigorous debate.

If you frequent torrent sites, it's best to take some extra precautions, such as installing a good antivirus program and exercising a modicum of reluctance to click on anything that's not very clearly your download link. You might also consider disabling Adobe Flash Player, which many malicious ads exploit, or at least setting it to click-to-run, and doing the same with Java and Microsoft Silverlight plugins. Beyond that, it's between you, your computer, and your conscience.