Security Watch

Keeping Track of patches and hacks in the IT security world.

Some Net Crimes Still Easy Money

Time machine alert: I'm still working to unload my Black Hat bloggers' notebook, as I was caught up doing work for my day job most of the time I was in Las Vegas. And, you know, hitting all the parties. One of the cooler demonstrations that I had the chance to attend

Time machine alert: I'm still working to unload my Black Hat bloggers' notebook, as I was caught up doing work for my day job most of the time I was in Las Vegas.

And, you know, hitting all the parties.

One of the cooler demonstrations that I had the chance to attend was the aptly named "Get Rich or Die Trying -- Making Money on the Web, the Black Hat Way," hosted by WhiteHat Security's Jeremiah Grossman and Trey Ford.

The underlying theme of the presentation truly jibed with the mojo conjured by rapper 50 Cent in his music and film of the same name, being basically that people can put one over on the system as long as they're willing to look hard enough for the only available ways they can still do so, and be willing to accept the related risks.

In the electronic world it's clearly still a lot easier to make it happen than on the streets, where 50 Cent in the movie had to deal drugs and dodge bullets to subsequently make his rapping dreams come true. The list of scams demonstrated by the WhiteHat dudes -- which placed emphasis on finding grey areas through which to commit shady online operations not specifically addressed by law -- seem woefully less dangerous by comparison ... and in most cases far more profitable.

Grossman characterized the techniques outlined, which included everything from gaming e-coupons to manipulating the stock market, as being achieved through mere bending of the "parameters of legality to make cash." And the examples he used clearly illustrated that the larger world is still having a hard time aligning its rules with the electronic universe.

For instance, for relatively short change, scammers are selling services that offer to help aspiring hackers or spies beat CAPTCHAs, the ubiquitous automated tests used to distinguish between machines and humans online.

As with the other techniques outlined by the experts, whether doing so is actually illegal remains pretty unclear. However, the practice has grown so robust that it has already spawned a price war among involved providers, and one that spans almost the entire globe.

At the high end, Grossman and Ford highlighted the case of some savvy Estonian stock traders who figured out a way to guess the URLs of corporate financial reports awaiting release on Business Wire, allowing them to trade stocks on the data before it was released publicly.

When the traders eventually got their day in court, a judge decided that they hadn't actually engaged in insider manipulation as described by the applicable laws.

That's the big point that the researchers were trying to make, that we need new laws and policies to help prevent some of these gray area attacks from getting over -- because in some cases, while clearly unfair or illegitimate, these attacks are not officially illegal, at least not in the manner that they should be.

Other similarly illicit yet unaccounted-for scams the experts exposed included:

-Scamming e-coupon systems by guessing the numbers of unused offers and adding them together to buy thousands of dollars of online goods.

-Signing up for thousands of online bank accounts, and using money transfer verification services to get a few pennies deposited in each, then aggregating those funds and closing the accounts. Free money! (It's worth noting that the guy doing this made over $50,000 before getting nailed on a technicality of the Patriot Act, since the banks hadn't established a policy for this type of abuse).

-Hacking the systems of ASPs (application service providers) that serve online banking applications to brick and mortar banks. This one has allowed hackers to go after large groups of customers at once rather than one at a time, to the tune of over $70,000 in one case that involved reverse money transfers.

-Gaming QVC returns. Someone figured out how to place orders on the QVC site and then cancel them, but still receive the ordered goods, which he or she was not required by law to return. The involved party only got busted when the people he or she was reselling the goods to on eBay noticed that their stuff was arriving in unmolested QVC packaging. This one eventually led to wire fraud charges.

-Affiliate networks. We've all known about these for ages, and the systems by which cyber-scammers are making money for Web referrals they don't deserve, and doing so using cookies and other technological treats. Just release a small cookie that gets tacked onto people's browsers and then sit back and let them make money for you!

So, if you feel so obliged, start trying to find a new way to slither between existing online laws and you too might get rich ... you may end up getting busted, but it doesn't seem like you're going to die trying.

G Unit!!!

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to