Anyone with a sharp eye for flawed business logic and a dim view of business ethics can exploit e-commerce Web sites for millions of dollars, security experts told Black Hat attendees.
For instance, one could infer how well a business is doing on the stock market and make appropriate purchases or sales to reap millions, says Jeremiah Grossman, CTO, and Arian Evans, director of operations, at White Hat Security.
Ordering a company's stock online and receiving an order number, then doing the same thing later and comparing the order numbers, which in many cases are sequential, can indicate how much of a company's stock is being traded over that time interval, says Grossman, who with Evans presented "Get Rich or Die Trying - Making Money on the Web the Black Hat Way." Buying or selling based on that can result in big profit, he says.
In addition, White Hat has come across other exploits in its work penetration testing customers' Web sites, Grossman says.
In one instance, an Estonian financial firm managed to crack the URL format used by Business Wire for embargoed press releases that detailed earnings-related data about corporations. The firm used that data before it was public and profited US$8 million before the Securities and Exchange Commission (SEC) caught the activity and halted it.
In a similar case, a Ukranian hacker broke into Thompson Financial for data on a health firm and reaped US$300,000. The SEC froze those funds, but a judge ordered them released to the hacker because the hacker wasn't an insider and therefore couldn't be charged with insider trading. He might have been charged with hacking, but he was in the Ukraine, where official cooperation with prosecution was unlikely, Grossman says.
During his talk Grossman displayed checks for US$132,994.97 and $901,733.84 from Google to people who used cookie stuffing to reap payments for driving traffic to Web sites.
The way it's supposed to work, someone with a Web site includes a link to an affiliated business' page. If a consumer clicks on it, their computer gets a cookie and if they buy something later, that cookie notes what Web site referred the buyer and that site gets a payment.
Scammers have developed elaborate schemes to exploit the system, Grossman says, starting with sites automatically hitting visitors with the marker cookie as soon as they visit the scammer's pages. All visitors get the cookie, not just those that click on the link. If a visitor later happens to buy something from an affiliated site, the scammer gets money.
E-commerce sites got smart and kicked out affiliate networks that made suspiciously high claims, Grossman says, but scammers responded by stuffing cookies from SSL Web pages because the cookies don't reveal what pages they came from.
Online ordering systems can also be a risk to businesses, Grossman warned. Home shopping network QVC was hit for US$412,000 in merchandise by one scammer because of a lag in its online ordering system, he says. Customers could order items online then immediately cancel the order, but the order would be sent anyway.
A North Carolina woman took advantage of this: She ordered and canceled merchandise, then sold it on e-Bay. She was caught only because her customers thought it odd that she was mailing the items in QVC packaging and reported her.
She wasn't prosecuted for selling the goods because they were legally hers, Grossman says. Rather she pleaded guilty to wire fraud, he says.
Other potentially lucrative hacks include:
Guessing the numbers of online discount coupons and buying merchandise with them. One scammer got US$50,000 worth of merchandise and was caught because he entered his new batches of guessed coupon numbers all at once in the middle of the night, causing a suspicious spike in traffic that the merchant noticed. He was prosecuted for mail fraud because items were sent to a non-existent address and a colluding postal worker intercepted them and turned them over to him.
Setting up multiple bank accounts and arranging for transfers among them. Before banks actually make electronic transfers they make a small transfer - cents or a few dollars - just to make sure the real transfer will work. Scammers arrange for large transfers to a central account, then cancel them after the dry run transfer. Enough of those can add up, Grossman says.
Cracking captchas, the distorted numbers and letters that some sites use to verify that a human being, not a machine, is contacting the site. Some captchas use the same number-letter combinations over and over, so automated guessing can work to crack them, says Evans. Some sophisticated optical scanners can read captchas, and there are even overseas businesses that offer to break them for cash.