BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 2

There is a site called Hire2Hack that also accepts requests to "recover" passwords. Here the cost of the service starts at $150. I don't know about the rest, but you have to give them information about yourself because you are going to pay them. To register, you need to provide a username, email, password, and so on. The funny thing is that they even accept Western Union transfers for payment.

It's worth noting that usernames are very valuable information, especially when tied to an email address. Tell me, which of you gives your real name when registering a mailbox? Nobody, this is fun!

So, email addresses are valuable information, especially if you're shopping online or want to track down a spouse's fling on a dating site. If you are a seller, you can use your email addresses to check which of your customers or your subscribers are currently using the services of any of your competitors.

Therefore, phishing scammers pay a lot of money for real user addresses. In addition, they use password and login recovery windows to mine valid email addresses using timing attacks. Numerous major e-commerce and social media portals have come to consider the theft of valid email addresses a problem that can cause great damage, since interesting studies in this area have been published. So we have to fight on two fronts - against timing attacks and against information leaks of this kind.

Turning e-coupons into money

Jeremy Grossman: So we've looked at three types of online scams and now we're upping the ante. The next way is to monetize eCoupons. These coupons are used for online purchases. The customer enters their unique ID and a discount is applied to their purchase. Major online merchants offer customers a discount program that has been supported by AmEx.

Many of you know that coupons offer a discount from a few to a couple of hundred dollars and come with a 16-digit ID. These numbers are very static and usually come in order. At first, only one coupon was allowed per order, but then, as the popularity of the program grew, these restrictions were removed, and now more than 3 coupons can be used with one order.

Someone has developed a script that tries to identify thousands of possible valid discount coupons. Sellers know of orders worth more than $50,000 that were paid for with 200 or more coupons instead of money. Agreed, that is a good Christmas present!

The problem went unnoticed for a long time because the program worked great, everyone used the coupons and everyone was happy. This continued until the program's workload planning system detected a 90% increase in CPU usage while people scrolled through the ID numbers, choosing the ones that offered a discount.

The merchants asked the FBI to investigate this case, as they suspected something was wrong. But the problem was that the goods were sent to a non-existent address, and this confused them. It turned out that the attacker colluded with the delivery service, which "intercepted" the goods in advance.

What is interesting in this case is that coupons are not a currency, they are only marketing tools. However, business logic errors led to the need to involve the Secret Service, which also uncovered fraud by the delivery service, which used the system to its advantage.

Making money on fake accounts

Trey Ford: this is one of my favorite stories. "Real Life: Hacking 'Office Space'." I think you've seen the hacker movie Office Space. Let's take a look at this process. How many of you have used online banking?

Great, everyone admitted that they used it. There is one interesting thing - the ability to pay bills online using the ACH system. ACH, the Automated Clearing House, works like this. Let's say I want to buy a car from Jeremy and I'm going to transfer money directly from my account to his account. Before I make the principal payment, my financial institution needs to make sure we're all set. Therefore, at first the system transfers some meager amount, from a few cents to 2 dollars, to check that the financial accounts and routing addresses of the parties are in order and the client has received this money. Once they are satisfied that this transfer went through properly, they are ready to send the full payment. You can speculate about whether this is legal, whether it complies with the terms of the user agreement, but tell me, how many of you have a PayPal account? How many people have multiple PayPal IDs? This is probably quite legal and in accordance with the Terms & Conditions.

Now imagine that this mechanism can be used to earn a lot of money. We are talking about using the effect of creating, say, 80 thousand such accounts by setting up a simple script. The only thing to note is that we started our story with a local proxy, an RSnake script and other hacking tools that should help us make money, but now we are going to come back and show how to make hacking much easier, so that only a browser is needed to earn money.

This particular attack is individual. 22-year-old Michael Largent from California used a simple script to create 58 fake brokerage accounts. He opened them in Schwab, eTrade and some other systems, assigning the names of cartoon characters to the fake users of these accounts.

For each of these accounts, he used only a test transfer through the ACH system, without making a full transfer of funds. But he owned a common account, to which all these verification funds flowed, and then transferred them to himself. It sounds good - each of these is not much money, but in total they brought him a very solid income. That's how he made money, following the idea of the film "Office Space". The most interesting thing is that there is nothing illegal here - he just collected all these tiny amounts, but he did it very quickly.

On the Google Checkout system, he earned $8,225, on the eTrade and Schwab systems - another $50,225. Then he withdrew this money to a credit card and appropriated it. When the bank discovered that all these thousands of accounts belonged to one person, the bank employees called him and asked why he had done this, and whether he understood that he was stealing money. To which Michael replied that he did not understand and did not know that he was doing something illegal.

This is a very good way to build new relationships with the Secret Service people who follow you around and want to know as much as they can about you. Once again, the funniest thing about this scheme is that there was nothing illegal here. He was detained on the basis of the Patriot Act. Who knows what the Patriot Act is?

That's right, this is a law that expands the powers of special services in the field of countering terrorism. This guy used names from cartoons and comics, so they were able to arrest him for using fake usernames. So those of you here who are using fictitious names for their mailboxes should be careful - this may be considered illegal!

The Secret Service indictment was based on four counts: computer fraud, internet fraud, and email fraud, but the act of receiving the money was found to be perfectly legal because he was using a real account. I can't tell if it was done correctly or not, ethically or not, but in principle everything Michael did was in accordance with the Terms & Conditions given on the websites, so perhaps it was just such an additional feature.

Hacking banks through ASP

Jeremy Grossman: you know, I travel a lot, and I meet people who are technically savvy or, on the contrary, do not understand technology at all. And when we talk about life, they ask where I work. When I answer that I work in information security, they ask what it is. I explain and then they say, "oh, so you can break the bank!"

So, when you start explaining how you can actually hack a bank, you mean hacking through financial Application Service Providers (ASPs). Application Service Providers are companies that rent their own software and hardware to their customers - banks, credit unions, and other financial companies.

Their services are used by small banks and similar companies for which it is not financially viable to have their own software and hardware. So they rent ASP capacity, paying them monthly or yearly.

ASPs are getting a lot of attention from hackers because instead of breaking one bank, they can break 600 or a thousand banks at once. So ASPs are a very interesting target for the bad guys.

So, ASPs serve a whole bunch of banks based on the three most important URL parameters: client_ID, bank_ID, and acct_ID. Each ASP client has its own unique identifier, which can potentially be used on multiple banking sites. Each bank can have any number of user accounts for each financial application - savings system, checking account system, payment system, and so on, and each financial application has its own ID. Moreover, each client account in this application system also has its own ID. Thus, we have three systems of accounts.

So, how do we hack 600 banks at the same time? First of all, we look at the end of a URL string like this: website/app.cgi?client_id=10&bank_id=100&acct_id=1000 and we try to replace acct_id with an arbitrary value #X, after which we get a large error message, highlighted in red, with the following content: "Account #X belongs to Bank #Y". Next, we take the bank_id, change it in the browser to #Y and get the message: "Bank #Y belongs to Client #Z".

Finally, we take the client_id, assign #Z to it - and that's it, we get into the account we originally wanted to get into. After we have successfully hacked the system, we can get into any other bank account, or bank, or client account in the same way. We can get to every account in the system. There is no hint of authorization here at all. The only thing they check is that you are logged in with your ID, and now you are free to withdraw money, make a transfer, and so on.

One day, one of our non-ASP clients forwarded our information about this vulnerability to another client who was using ASP and informed them that there was a problem that needed to be fixed. We told them that we would probably have to rewrite the whole application to introduce authorization and the system would check if the client had the right to make financial transactions, and that this would take some time.

Two days later they sent us a reply telling us that they had already fixed it themselves - they fixed the URL so that the error message no longer appears. Of course it was cool and we decided to look at the source code to see what they did with their "great" hacking technique. So, all they did was stop displaying an error message in HTML format. In general, we had a very interesting conversation with this client. They said that since they were not able to fix this problem quickly, they decided to do so for the time being, hoping to completely fix the vulnerability in the long term.

Reverse money transfer

Another method of fraud, which I will talk about very briefly, is a reverse money transfer. This operation is performed in many banking applications. When transferring $10,000 from account A to account B, the operation formula should logically work like this:

A = A - ($10,000)
B = B + ($10,000)

That is, $10,000 is withdrawn from account A and added to account B.

Interestingly, the bank does not check whether you enter the correct transfer amount. For example, you can replace a positive number with a negative one, that is, transfer -$10,000 from account A to account B. In this case, the transaction formula will look like this:

A = A - (-$10,000)
B = B + (-$10,000)

That is, instead of debiting funds from account A, they will be debited from account B and credited to account A. This happens from time to time and brings interesting results. At the bottom of this slide you see a link to a research article, "Breaking the Bank (Vulnerabilities in Numeric Processing within Financial Applications)".

It describes similar things that happen with rounding errors. This article by Corsaire has a lot of interesting stuff that has served as material for some of our own solutions.

But back to the previous problem. We contacted the ASP security team and received the following response: "Internal business controls will prevent such problems." We said, "OK, let's take a look at their website." A few weeks later, when we continued to work with our client, we received this check from them in the mail:

It says here that this is a payment for testing conducted by our company WH in the amount of $2. This is how we make money!

This check is still on my desk. For two such tests, we can get as much as 4 bucks!

But a few months later we heard from a specific customer that $70,000 had been illegally transferred to one of the Eastern European countries. The money could not be returned because it was already too late, and the ASP had lost their client. These things happen, but what we never found out, because we are not forensic scientists, is how many other clients were affected by this vulnerability. Because everything in this scheme again looks quite legal - you just change the appearance of the URL.
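The two business-logic defects Jeremy Grossman describes in this section, the missing authorization on acct_id/bank_id/client_id and the unchecked negative transfer amount, can be closed in one server-side transfer handler. This is an added illustration, not code from the talk or from the ASP in question; the ownership tables, balances and id values are constructed sample data.

```python
import logging
from decimal import Decimal, InvalidOperation

log = logging.getLogger(__name__)

# Constructed sample ownership chain modelled on the talk's URL parameters:
# acct_id -> bank_id -> client_id. A real system loads this from its database.
ACCOUNT_BANK = {1000: 100, 1001: 100, 2000: 200}
BANK_CLIENT = {100: 10, 200: 20}


def fresh_ledger():
    """Constructed sample balances, returned fresh so each call is independent."""
    return {1000: Decimal("25000.00"), 1001: Decimal("500.00"), 2000: Decimal("100.00")}


class TransferError(Exception):
    pass


def owner_client(acct_id):
    """Resolve acct -> bank -> client on the server; an unknown id fails generically."""
    try:
        return BANK_CLIENT[ACCOUNT_BANK[acct_id]]
    except KeyError:
        raise TransferError("unknown account")


def parse_amount(raw):
    """Accept only a finite, strictly positive amount with at most two decimals."""
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        raise TransferError("malformed amount")
    if not amount.is_finite() or amount <= 0:
        raise TransferError("amount must be a positive number")
    if amount != amount.quantize(Decimal("0.01")):
        raise TransferError("sub-cent amounts not allowed")
    return amount


def transfer(session_client_id, src_acct, dst_acct, raw_amount, ledger):
    """Return (True, 'ok') or (False, 'transfer rejected').

    Authorization is derived from the authenticated session's client_id, never
    from client_id/bank_id values carried in the request. The caller sees one
    generic message, so ids cannot be walked through error text; the detail
    goes to the server log only."""
    try:
        if owner_client(src_acct) != session_client_id:
            raise TransferError("session does not own source account")
        owner_client(dst_acct)  # destination must exist but need not be owned
        if src_acct == dst_acct:
            raise TransferError("source and destination are the same")
        amount = parse_amount(raw_amount)
        if ledger[src_acct] < amount:
            raise TransferError("insufficient funds")
    except TransferError as exc:
        log.info("transfer rejected: %s", exc)
        return False, "transfer rejected"
    ledger[src_acct] -= amount
    ledger[dst_acct] += amount
    return True, "ok"
```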

Shopping from TV stores

Trey Ford: Now I'm going to tell you about a really technical hack, so listen carefully. We all know a little TV station called QVC, I'm sure you sometimes buy something from this TV shop.

Know that when you buy something online, regardless of the website, don't click anywhere, because your order will be processed right after that! You may immediately change your mind and stop the transaction. But in a few days you will receive a bunch of junk in the mail, for which you must immediately pay.

Here is Quantina Moore-Perry, a 33-year-old certified hacker from Greensboro, North Carolina. I don't know what she did for a living before, but I can tell you how she started making money after a random transaction that she allegedly made, although she canceled the transaction on the site almost immediately.

All these “ordered” things began to come to her postal address from QVC - women's handbags, household appliances, jewelry, electronics. What would you do if someone sent you something in the mail that you didn't order? That's right, nothing! Clearly, our people...

However, you get free shipping, and free shipping is a benefit! After all, the parcels are already in the mail, you do not need to send them anywhere. If this is a standard business process, how can it be used? What to do with the 1800 parcels that came to her postal address from May to November? So, this woman put all these things on eBay, and as a result of selling all this junk, she made a profit of $412,000! How she did it - very simple! She said at the post office that someone had ordered all these packages from QVC to her address, but it was very difficult for her to repack them and send them to the recipients, so they should be sent in the original QVC packaging!

As you can see, this is a very technical solution! However, QVC became concerned about this issue after two people who bought items on eBay received them in QVC packaging. A federal court found the woman guilty of mail fraud.

Thus, a simple technical hitch with the cancellation of orders made allowed this woman to earn a huge amount of money.

37:40 min

BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 3

Source: habr.com