Saturday, August 16, 2008

How to Hack a Million With No Tech Skills

SO EASY : How to Hack a Million With No Tech Skills

Business hacks reap money from e-commerce sites

No '133t' tech skills required in many cases

Tim Greene

Network World

August 8, 2008


Anyone with a sharp eye for flawed business logic and a dim view of business ethics can exploit e-commerce Web sites for millions of dollars, security experts told Black Hat attendees.

For instance, one could infer how well a business is doing on the stock market and make appropriate purchases or sales to reap millions, said Jeremiah Grossman, chief technology officer, and Arian Evans, director of operations at White Hat Data Security.

Ordering a company's stock online and receiving an order number, then doing the same thing later and comparing the order numbers, which in many cases are sequential, can indicate how much of a company's stock is being traded over that time interval, said Grossman, who with Evans presented "Get Rich or Die Trying -- Making Money on the Web the Black Hat Way." Buying or selling based on that can result in big profit, he said.

In addition, White Hat has come across other exploits in its work penetration-testing customers' Web sites, Grossman says.

In one instance, an Estonian financial firm managed to crack the URL format used by Business Wire for embargoed press releases that detailed earnings-related data about corporations. The firm used that data before it was public and profited by $8 million before the Securities and Exchange Commission caught the activity and halted it.

In a similar case, an Ukranian hacker broke into Thompson Financial for data on a health care firm and reaped $300,000. The SEC froze those funds, but a judge ordered them released to the hacker because the hacker wasn't an insider and therefore couldn't be charged with insider trading. He might have been charged with hacking, but he was in the Ukraine, where official cooperation with prosecution was unlikely, Grossman said.

During his talk, Grossman displayed checks for $132,994.97 and $901,733.84 from Google Inc. to people who used "cookie stuffing" to reap payments for driving traffic to Web sites.

The way it's supposed to work, someone with a Web site includes a link to an affiliated business' page. If a consumer clicks on it, his computer gets a cookie, and if he buys something later, that cookie notes what Web site referred the buyer, and that site gets a payment.

Scammers have developed elaborate schemes to exploit the system, Grossman said, starting with sites automatically hitting visitors with the marker cookie as soon as they visit the scammer's pages. All visitors get the cookie, not just those that click on the link. If a visitor later happens to buy something from an affiliated site, the scammer gets money.

E-commerce sites got smart and kicked out affiliate networks that made suspiciously high claims, Grossman said, but scammers responded by stuffing cookies from Secure Sockets Layer Web pages because the cookies don't reveal what pages they came from.

Online ordering systems can also be a risk to businesses, Grossman warned. Home shopping network QVC was hit for $412,000 in merchandise by one scammer because of a lag in its online ordering system, he said. Customers could order items online, then immediately cancel the order, but the order would be sent anyway.

A North Carolina woman took advantage of this: She ordered and canceled merchandise, then sold it on e-Bay. She was caught only because her customers thought it was odd that she was mailing the items in QVC packaging and reported her.

She wasn't prosecuted for selling the goods because they were legally hers, Grossman said. Rather, he says, she pleaded guilty to wire fraud.

Other potentially lucrative hacks include:

v Guessing the numbers of online discount coupons and buying merchandise with them. One scammer got $50,000 worth of merchandise and was caught because he entered his new batches of guessed coupon numbers all at once in the middle of the night, causing a suspicious spike in traffic that the merchant noticed. Items were sent to a nonexistent address, and a colluding postal worker intercepted them and turned them over to him. He was prosecuted for mail fraud.

v Setting up multiple bank accounts and arranging for transfers among them. Before banks actually make electronic transfers, they make a small transfer -- cents or a few dollars -- just to make sure the real transfer will work. Scammers arrange for large transfers to a central account, then cancel them after the dry-run transfer. Enough of those can add up, Grossman said.

v Cracking captchas, the distorted numbers and letters that some sites use to verify that a human being, not a machine, is contacting the site. Some captchas use the same number-letter combinations over and over, so automated guessing can work to crack them, said Evans. Some sophisticated optical scanners can read captchas, and there are even overseas businesses that offer to break them for cash.

No comments:

This Day in History

Thanks for your Visit