BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 3

BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 1
BLACK HAT USA conference. Get Rich or Die: Making Money Online Using Black Hat Methods. Part 2

They went so far as to discuss the possibility of using UPS drivers to confront the suspect. Let's now check whether what is quoted on this slide is legal.

Here is the FTC's response to the question "Should I return or pay for an item I never ordered?": "No. If you receive an item that you didn't order, you have the legal right to keep it as a free gift." Does this sound ethical? I wash my hands of it, because I'm not smart enough to discuss such matters.

But what is interesting is that we see a trend: the less technology we use, the more money we make.

Affiliate Internet Fraud

Jeremy Grossman: it is really very hard to grasp, but this way you can make a six-figure amount of money. So, all the stories you have heard have real links behind them, and you can read about all of this in detail. One of the most interesting types of internet fraud is affiliate fraud. Online stores and advertisers use affiliate networks to drive traffic and users to their sites in exchange for a share of the profits they make.

I'm going to talk about something that a lot of people have known about for years, but I couldn't find a single public reference that would indicate how much loss this type of fraud has caused. As far as I know, there have been no lawsuits and no criminal investigations. I've talked to merchants, I've talked to the affiliate network guys, I've talked to the black hats, and they all believe that the fraudsters have made a huge amount of money out of affiliate programs.

I ask you to take my word for it and look at the results of the "homework" I did on these specific problems. Fraudsters "cook up" five-, six- and sometimes seven-figure amounts a month on them, using special techniques. There are people in this room who can verify this, as long as they are not bound by a confidentiality agreement. So, I'm going to show you how it works. This scheme involves several players. You will see what the new generation of the affiliate "game" looks like.

The game involves a merchant who has some kind of website or product and pays affiliates commissions for user clicks, created accounts, purchases made, and so on. You pay an affiliate for someone to visit their site, click on a link, go to your merchant site and buy something there.

The next player is the affiliate, who receives money either per click (CPC) or as a commission (CPA) for sending buyers to the merchant's website.

A commission implies that, as a result of the affiliate's activity, the customer made a purchase on the merchant's website.

A buyer is a person who makes purchases or signs up for the merchant's promotions.

Affiliate networks provide the technology that connects the merchant, the affiliate and the buyer and tracks their activity. They "glue" all the players together and make the interaction work.

It may take you a few days or a couple of weeks to understand how it all works, but there is no complex technology here. Affiliate networks and affiliate programs cover all kinds of commerce and all markets. Google, eBay and Amazon have them; their commission interests overlap, they are everywhere, and they are not short of income. I'm sure you know that even traffic from your blog can bring in several hundred dollars of profit a month, so this scheme will be easy for you to understand.

This is how the system works. You have a small site or a message board, it doesn't matter which; you sign up for an affiliate program and get a special link that you place on your web page. It looks like this:

<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

This names the specific affiliate program, your affiliate ID, which in this case is 100, and the product being sold. If someone clicks on this link, the browser takes them to the affiliate network, which sets a special tracking cookie that associates them with affiliate ID 100:

Set-Cookie: AffiliateID=100

and then redirects them to the merchant's page. If the buyer later purchases something within a period of time X, which can be a day, an hour, three weeks, whatever has been agreed, and the cookie still exists during that time, then the affiliate receives his commission.

This is the scheme that lets affiliate companies earn billions of dollars using effective SEO tactics. I'll give you an example. The next slide shows a check; I'll zoom in now to show you the amount. It's a check from Google for $132. The name of this gentleman is Schumann, and he owns a network of advertising websites. This is not all the money: Google pays such sums once a month or once every two months.

Another check from Google; I'll enlarge it, and you'll see that it's made out for $901.

Should I ask someone about the ethics of these ways of making money? Silence in the hall... This check represents two months' payment, because the previous check was rejected by the recipient's bank because the payout was too large.

So we are convinced that such money can be made and that this money is paid out. How can this scheme be gamed? We can use a technique called cookie stuffing. It is a very simple concept that appeared in 2001-2002, and this slide shows what it looked like in 2002. I'll tell you the story of how it came about.

Nothing but the tiresome terms of service of the affiliate networks requires the user to actually click on the link for their browser to pick up the cookie with the affiliate ID. You can automatically load the URL the user would normally click into an image source or into an iframe tag. So instead of a link:

<a href="http://AffiliateNetwork/p?program=50&affiliate_id=100/">really cool product!</a>

you load this:

<img src="http://AffiliateNetwork/p?program=50&affiliate_id=100/">

or this:

<iframe src="http://AffiliateNetwork/p?program=50&affiliate_id=100/"
width="0" height="0"></iframe>

And when the user lands on your page, he automatically picks up the affiliate cookie. Then, whenever he buys something later, you receive your commission, whether you actually sent the traffic or not; it doesn't matter.

Over the past few years this has become a pastime for the SEO guys, who post stuff like this on message boards and come up with all sorts of scenarios for where else to place their links. Aggressive affiliates have realized that they can place their code anywhere on the Internet, not just on their own sites.

On this slide you can see that they have their own cookie-stuffing programs that help them make their own "stuffed cookies". And it's not just one cookie: you can load 20-30 affiliate network IDs at the same time, and as soon as someone buys something, you get paid for it.

Soon these guys realized that they didn't have to place this code on their own pages at all. They dropped cross-site scripting and simply began posting their small HTML snippets on message boards, in guest books and on social networks.

By around 2005, merchants and affiliate networks had figured out what was going on, started tracking referrers and click-through rates, and started kicking out suspicious affiliates. For example, they noticed that a user was supposedly clicking from a MySpace page, but that page belonged to a completely different affiliate than the one legitimately receiving the benefit.

These guys got a little wiser, and in 2007 a new kind of cookie stuffing was born. Affiliates began placing their code on SSL pages. According to the HTTP specification, RFC 2616, clients must not include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol. The reason is that you don't want that information to leak out of your domain.

From this it follows that no Referer is sent at all, so the affiliate network sees an empty referrer and cannot kick you out for it. Now fraudsters have the opportunity to make their "stuffed cookies" with impunity. True, not every browser behaves this way, but there are many other ways to achieve the same thing, using an automatic refresh of the current browser page via meta-refresh tags or JavaScript.
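The following is an editor's example and is not code from the talk. It takes the affiliate network's side of the img/iframe stuffing and the HTTPS-to-HTTP referrer suppression described above and shows how a tracking endpoint can tell a genuine click from a stuffed load before it sets a cookie. It goes beyond what was available in 2008: it relies on the Fetch Metadata request headers (Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-User) that modern browsers attach to every request and that a page cannot forge, falling back to the weak Referer and Accept signals only for browsers without them. The log entries are constructed; the tracking URL follows the form on the slides without the trailing slash; the 20% audit threshold is an arbitrary choice.

```python
"""Telling a real affiliate click from a stuffed cookie, seen from the network side.

Editor's example, not code from the talk. Assumptions: the tracking endpoint is the
/p?program=..&affiliate_id=.. URL from the slides, and each hit is logged with the
request's Referer, Accept and Fetch Metadata (Sec-Fetch-*) headers. A user-initiated
top-level click arrives as dest=document, mode=navigate, user=?1; an <img> or <iframe>
load never does, whatever the Referer says.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed log of hits on the tracking endpoint (not real traffic).
SAMPLE_HITS = [
    # Affiliate 100: a genuine click from a blog post.
    {"url": "http://AffiliateNetwork/p?program=50&affiliate_id=100",
     "referer": "http://blog.example/review", "accept": "text/html,application/xhtml+xml",
     "sec_fetch_dest": "document", "sec_fetch_mode": "navigate", "sec_fetch_user": "?1"},
    # Affiliate 100 from a browser without Fetch Metadata: Referer and Accept still look like a click.
    {"url": "http://AffiliateNetwork/p?program=50&affiliate_id=100",
     "referer": "http://blog.example/review", "accept": "text/html,application/xhtml+xml"},
    # Affiliate 200: <img src=...> stuffing on a forum. The browser asks for an image.
    {"url": "http://AffiliateNetwork/p?program=50&affiliate_id=200",
     "referer": "http://forum.example/thread/42", "accept": "image/avif,image/webp,*/*",
     "sec_fetch_dest": "image", "sec_fetch_mode": "no-cors"},
    # Affiliate 200: 0x0 iframe on an HTTPS page, so (RFC 2616 15.1.3) no Referer is sent at all.
    {"url": "http://AffiliateNetwork/p?program=50&affiliate_id=200",
     "referer": None, "accept": "text/html",
     "sec_fetch_dest": "iframe", "sec_fetch_mode": "navigate"},
    # Affiliate 300: meta-refresh / JavaScript redirect. Top-level navigation, but not user-activated.
    {"url": "http://AffiliateNetwork/p?program=50&affiliate_id=300",
     "referer": "http://landing.example/", "accept": "text/html",
     "sec_fetch_dest": "document", "sec_fetch_mode": "navigate"},
]


def affiliate_id(hit):
    """Pull affiliate_id out of the tracking URL's query string."""
    return parse_qs(urlparse(hit["url"]).query).get("affiliate_id", [None])[0]


def classify_hit(hit):
    """Return 'click' for a user-initiated navigation, otherwise a label for what it was."""
    dest = hit.get("sec_fetch_dest")
    if dest is not None:
        # Fetch Metadata is set by the browser and cannot be forged by page content.
        if dest != "document":
            return "stuffed:" + dest            # image, iframe, script, ...
        if hit.get("sec_fetch_user") != "?1":
            return "suspect:auto-navigation"    # meta refresh or JS-driven redirect
        return "click"
    # Legacy browser: fall back to the weak signals networks had in 2005.
    if (hit.get("accept") or "").startswith("image/"):
        return "stuffed:image"
    if hit.get("referer") is None:
        return "suspect:no-referer"             # e.g. HTTPS->HTTP referrer suppression
    return "click"


def should_set_cookie(hit):
    """Only a genuine click earns the affiliate a tracking cookie."""
    return classify_hit(hit) == "click"


def audit_affiliates(hits, max_non_click_ratio=0.2):
    """Per-affiliate share of hits that were not real clicks; return those over threshold."""
    counts = defaultdict(lambda: {"click": 0, "other": 0})
    for hit in hits:
        kind = "click" if classify_hit(hit) == "click" else "other"
        counts[affiliate_id(hit)][kind] += 1
    flagged = {}
    for aid, c in counts.items():
        ratio = c["other"] / (c["click"] + c["other"])
        if ratio > max_non_click_ratio:
            flagged[aid] = round(ratio, 2)
    return flagged


if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(affiliate_id(hit), classify_hit(hit),
              "cookie" if should_set_cookie(hit) else "no cookie")
    print("flagged:", audit_affiliates(SAMPLE_HITS))
```

The referrer-based check that the networks introduced around 2005 is only the fallback here, because an empty Referer is also what every HTTPS page and every strict referrer policy produces; the Fetch Metadata headers say what the browser was actually asked to load, which is the question the network cares about. The per-affiliate ratio is still worth keeping: an affiliate whose traffic is almost entirely non-clicks is the pattern that got people kicked out, with or without headers.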

In 2008 they began to use more powerful hacking tools such as DNS rebinding attacks, Gifar and malicious Flash content, which can completely break the existing protection models. It takes some time to figure out how to use them, because the cookie-stuffing guys aren't really advanced hackers; they're just aggressive marketers who don't know much about coding.

Selling semi-public information

So, we looked at how to earn six figures, and now let's move on to seven figures. We need big money to get rich or die. We will look at how you can make money by selling semi-public information. Business Wire was very popular a couple of years ago and it is still important; we see it on many sites. For those who don't know, Business Wire provides a service where registered users of the site receive a stream of up-to-date press releases from thousands of companies. The press releases are sent to the company by various organizations, sometimes under a temporary embargo, so the information in these press releases may affect the share price.

Press release files are uploaded to the Business Wire web server but are not linked until the embargo is lifted. Once it is lifted, the press release pages are linked from the main website and users are notified with URLs like this:

http://website/press_release/08/29/2007/00001.html
http://website/press_release/08/29/2007/00002.html
http://website/press_release/08/29/2007/00003.html

So while the embargo is in place you post the interesting data on the site, so that as soon as the embargo is lifted users can read it immediately. These links are dated and sent to users by email. As soon as the embargo expires, the link works and takes the user to the page where the press release is posted. Before granting access to the press release page, the system must make sure that the user is legitimately logged in.

They do not check whether you have the right to see this information before the embargo expires; you only need to be logged in to the system. So far this seems harmless, but just because you can't see something doesn't mean it isn't there.

The Estonian financial company Lohmus Haavel & Viisemann, not hackers at all, discovered that the press release pages were named in a predictable way and started guessing those URLs. Links may not exist yet because an embargo is in effect, but that does not mean an attacker cannot guess the file name and thereby access it prematurely. This method worked because Business Wire's only security check was that the user was legitimately logged in, and nothing else.
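As an editor's example, not Business Wire's code: the guessing described above, reproduced against a tiny in-process model of the site with the login-only check the talk describes, next to the authorization check that was missing. The path layout copies the URLs on the slide; the embargo times, company names and press-release text are constructed. The point to notice is that the fixed version answers an unlifted embargo and a nonexistent file identically, so the counter reveals neither the content nor how many releases are queued.

```python
"""Forced browsing against predictably named, embargoed files, and the missing check.

Editor's example, not Business Wire's code. The store, embargo times and release text
are constructed. serve_vulnerable reproduces the check described in the talk (login
only); serve_fixed adds the authorization the embargo requires.
"""
import secrets
from datetime import date, datetime

# Constructed press-release store: path -> (embargo lifts at, body).
PRESS_RELEASES = {
    "/press_release/08/29/2007/00001.html": (datetime(2007, 8, 29, 6, 0), "Acme Corp names new CFO"),
    "/press_release/08/29/2007/00002.html": (datetime(2007, 8, 29, 16, 30), "Globex Q3 revenue down 18%"),
    "/press_release/08/29/2007/00003.html": (datetime(2007, 8, 29, 16, 30), "Initech to restate FY2006 results"),
}


def serve_vulnerable(path, logged_in, now):
    """The only gate is 'is the user logged in'. The embargo is never consulted."""
    if not logged_in:
        return 401, ""
    if path not in PRESS_RELEASES:
        return 404, ""
    return 200, PRESS_RELEASES[path][1]


def serve_fixed(path, logged_in, now):
    """Authorization: for this user the resource exists only once its embargo has lifted."""
    if not logged_in:
        return 401, ""
    release = PRESS_RELEASES.get(path)
    if release is None or now < release[0]:
        return 404, ""          # identical to 'no such file', so existence does not leak
    return 200, release[1]


def guess_paths(day, start=1, count=20):
    """Candidate paths for one day, built from the counter seen in the mailed links."""
    return [f"/press_release/{day:%m/%d/%Y}/{n:05d}.html" for n in range(start, start + count)]


def harvest(serve, day, now, logged_in=True):
    """What a logged-in user who simply walks the counter gets back."""
    found = {}
    for path in guess_paths(day):
        status, body = serve(path, logged_in, now)
        if status == 200:
            found[path] = body
    return found


def unguessable_path(day):
    """Second layer: a name nobody can enumerate. Not a substitute for serve_fixed's check,
    because a mailed link can still be opened early by anyone who receives it."""
    return f"/press_release/{day:%m/%d/%Y}/{secrets.token_urlsafe(16)}.html"


if __name__ == "__main__":
    pre_market = datetime(2007, 8, 29, 9, 0)
    print("vulnerable:", harvest(serve_vulnerable, date(2007, 8, 29), pre_market))
    print("fixed:", harvest(serve_fixed, date(2007, 8, 29), pre_market))
    print("unguessable name:", unguessable_path(date(2007, 8, 29)))
```

Run at 09:00, before the market-moving releases lift at 16:30, the vulnerable server hands over all three; the fixed one returns only the release whose embargo has already passed, and the other two are indistinguishable from counter values that were never assigned.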

So the Estonians received the information before the market closed and sold this data. Before the SEC tracked them down and froze their accounts, they managed to make $8 million trading semi-public information. Consider that these guys just looked at what the links looked like, tried to guess URLs, and made 8 million from it. Usually at this point I ask the audience whether this counts as legal or illegal, and whether it counts as insider trading. But for now I just want to draw your attention to who did it.

Before you try to answer these questions, I'll show you the next slide. This has nothing to do with internet fraud. A Ukrainian hacker broke into Thomson Financial, a provider of business information, and stole IMS Health's financial results hours before the information was due to reach the market. There is no doubt that he is guilty of breaking in.

The hacker placed sell orders for 42 thousand dollars, betting that the price would fall. For Ukraine this is a huge amount, so the hacker knew well what he was getting into. The sudden drop in the share price brought him about 300 thousand dollars of profit within a few hours. The exchange raised a red flag; the SEC, noticing that something was wrong, froze the funds and launched an investigation. However, Judge Naomi Reis Buchwald ruled that the funds should be unfrozen, because Dorozhko's alleged "stealing and trading" and "hacking and trading" do not violate securities laws. The hacker was not an employee of the company, so he did not violate any laws on the disclosure of confidential financial information.

The Times suggested that the US Department of Justice simply considered the case hopeless because of the difficulty of getting the Ukrainian authorities to cooperate in apprehending the criminal. So this hacker got 300 thousand dollars very easily.

Now compare this with the previous case, where people made money just by changing the URLs of links in their browser and selling commercial information. These are quite interesting, but not the only, ways to make money on the stock exchange.

Consider passive information gathering. Usually, after making an online purchase, the buyer receives an order tracking code, which can be sequential or pseudo-sequential and looks something like this:

3200411
3200412
3200413

With it you can track your order. Pentesters or hackers try to "walk" the URLs in order to access order data, which usually contains personally identifiable information (PII):

http://foo/order_tracking?id=3200415
http://foo/order_tracking?id=3200416
http://foo/order_tracking?id=3200417

By iterating through the numbers they gain access to credit card numbers, addresses, names and other personal information of the buyers. However, we are not interested in the customers' personal data but in the order tracking code itself; we are interested in passive intelligence.

The art of drawing conclusions

Consider the art of drawing inferences. If you can accurately estimate how many "orders" a company is processing by the end of the quarter, then, based on historical data, you can conclude whether its financial situation is good and in which direction its share price will move. For example, you order or buy something at the beginning of the quarter, it doesn't matter what, and then place a new order at the end of the quarter. From the difference between the numbers you can conclude how many orders the company processed during that period. If it is a thousand orders versus a hundred thousand for the same period, you can assume that the company is doing poorly.

Moreover, often these sequence numbers can be obtained without actually completing the order, or with an order that is subsequently cancelled. Those numbers do not show up anywhere anyway, and the sequence simply continues:

3200418
3200419
3200420

This way you know that you have the ability to track orders and can start passively collecting the information that the site gives us. We don't know whether it's legal or not; we only know that it can be done.
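An editor's example covering both the enumeration of /order_tracking?id= above and the inference from sequence numbers just described; it is not code from the talk. The attacker side turns two observed order numbers (obtained by placing an order, or placing and cancelling one, which still consumes a number) into a volume estimate. The merchant side shows the two fixes a practitioner would want: an opaque public tracking code that carries no ordering information, and an ownership check on the tracking endpoint so that a valid code belonging to someone else is answered exactly like an unknown one. The observations, order table and key are constructed.

```python
"""Inferring order volume from sequential tracking numbers, and two server-side fixes.

Editor's example, not from the talk. Observations are constructed (date, order number)
pairs; the order table and HMAC key are constructed too. In production the key is a
per-deployment secret kept out of source.
"""
import base64
import hashlib
import hmac
from datetime import date

# Constructed observations over one quarter.
OBSERVATIONS = [
    (date(2007, 7, 2), 3200411),    # order placed at the start of the quarter
    (date(2007, 9, 28), 3288411),   # order placed (and cancelled) at the end
]


def infer_volume(observations, quarter_days=91):
    """Orders issued between the first and last observation, plus a quarter projection.
    Cancelled and abandoned orders also consume numbers, so this is an upper bound
    on real orders; it is still comparable against the same estimate for past quarters."""
    obs = sorted(observations)
    (d0, n0), (d1, n1) = obs[0], obs[-1]
    days = (d1 - d0).days
    if days <= 0 or n1 < n0:
        raise ValueError("need two observations on different days with increasing numbers")
    per_day = (n1 - n0) / days
    return {"orders_seen": n1 - n0, "days": days, "per_day": per_day,
            "quarter_estimate": round(per_day * quarter_days)}


# --- merchant side -------------------------------------------------------------

ORDERS = {   # internal sequence number -> (owner, status); constructed
    3200411: ("alice@example.com", "shipped"),
    3200412: ("bob@example.com", "processing"),
    3200413: ("carol@example.com", "cancelled"),
}


def opaque_order_id(seq, key):
    """Public tracking code derived by HMAC: stable, fixed length, and adjacent sequence
    numbers give codes with no relationship a customer can extrapolate from."""
    tag = hmac.new(key, str(seq).encode(), hashlib.sha256).digest()[:9]
    return base64.urlsafe_b64encode(tag).decode()


def build_index(key):
    """Lookup table public id -> internal seq. The merchant keeps seq; customers see only the id."""
    return {opaque_order_id(seq, key): seq for seq in ORDERS}


def track_order(public_id, requester, index):
    """Tracking endpoint with the check that the enumerable /order_tracking?id= lacked:
    the requester must own the order. Unknown and foreign ids get the same answer."""
    seq = index.get(public_id)
    if seq is None or ORDERS[seq][0] != requester:
        return None
    return ORDERS[seq][1]


if __name__ == "__main__":
    print(infer_volume(OBSERVATIONS))
    key = b"constructed-demo-key"
    idx = build_index(key)
    alice_id = opaque_order_id(3200411, key)
    print(alice_id, track_order(alice_id, "alice@example.com", idx))
    print(alice_id, track_order(alice_id, "mallory@example.com", idx))
```

A random token stored next to the order works just as well as the HMAC and avoids keeping a key; the HMAC version is shown because it needs no extra column. Either way the internal sequence number stays internal, which removes both the PII enumeration and the volume inference at once; the ownership check is what stops a leaked or guessed code from being useful to anyone but the customer.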

So, we have looked at various business logic flaws.

Trey Ford: attackers are businessmen. They expect a return on their investment. The more technology, the bigger and more complex the code, the more work you have to do and the more likely you are to get caught. But there are many very profitable ways to carry out attacks without any effort. Business logic is a gigantic business, and there is huge motivation for criminals to break it. Business logic flaws are a prime target for criminals and are something that cannot be detected simply by running a scan or performing routine QA testing. There is a psychological problem with quality assurance, called "confirmation bias": like everyone else, we want to know we're right. Therefore testing has to be done under real conditions.

It is necessary to test everything, because not all vulnerabilities can be found at the development stage, by analyzing the code, or even during QA. So you need to walk through the entire business process and work out all the measures to protect it. Much can be learned from history, because some types of attack repeat over time. If you get woken up one night because of peak CPU usage, you can assume that some hacker is trying to brute-force valid discount coupons again. The real way to recognize the type of attack is to observe it while it is active, because recognizing it from the log history is an extremely difficult task.

Jeremy Grossman: So here's what we learned today.

Solving CAPTCHAs can bring you four figures in dollars. Manipulating online payment systems brings the hacker a five-figure profit. Hacking banks can earn you more than five figures, especially if you do it more than once.

E-commerce fraud will give you six figures, and using affiliate networks will give you five or six figures, or even seven. If you are brave enough, you can try to fool the stock market and make more than a seven-figure profit. And using the RSnake method in the best-chihuahua contest is priceless!

The new slides for this presentation were probably not included on the CD, so you can download them later from my blog. There's an OPSEC conference coming up in September that I'm going to attend, and I think we'll be able to do some really cool stuff there. And now, if you have any questions, we are ready to answer them.

Source: habr.com