I have noticed a steady increase in the role hackers play in obtaining e-mail lists for spammers. Often paid big money, these hackers focus on stealing e-mail addresses and personal data. Although you may think your credit card has great value, the ironic fact is that your e-mail address and name are worth much more to a spammer.
A new term coined for people who use their hacking skills in the world of spam is spackers. A spacker is a hacker that works for a spammer or a hacker that sends spam (or, I guess, a spammer that can hack). Spackers are a new breed of hackers, focused solely on finding ways to obtain e-mail lists. By either spamming these lists themselves or selling them for direct profit to other spammers, these renegade security “experts” audit scripts and software that Web sites commonly use. Reading the application code line by line, they attempt to find any security flaws or previously undiscovered exploits that could be used to acquire the e-mailing list within. Unlike their white hat counterparts, these black hat wearing hackers do not release their findings publicly; they keep them private, exploiting and profiteering as much as possible.
Not known for being of high moral fiber, black hat hackers are always eager to earn quick money doing what they love. The majority of black hat hackers don’t care about the ethical implications of spam or what effect spam has on the world. Like people in their everyday jobs, they want money for doing something that’s easy, and with spam, money is readily available for those with the skills. Many of them target companies from casinos to drug stores to porn sites, earning anywhere from $500.00 to $5,000.00. The goal is always the same: get the customer database, e-mails, real names, age, addresses, everything possible.
The most common targets for hackers are opt-in lists: e-mailing lists that promise to never sell or give out your e-mail address if you choose to sign up to the offered newsletter. I am sure you have seen Web pages pleading for your e-mail address like the one shown in Figure 4.1.
Figure 4.1: Opt-in list
Opt-in lists come in two flavors: single and double opt-in. A single opt-in list operates very simply; you submit your e-mail address and you are then on the mailing list. You could submit someone else’s e-mail address or even an invalid e-mail address such as firstname.lastname@example.org; the mailing list has no clue and trusts that you hold this e-mail account.
A double opt-in list requires users to acknowledge that they wish to sign up to the mailing list by first clicking on a link inside the initiation e-mail. This ensures that the e-mail account is valid and a willing recipient of the mailing list content. This extra confirmation greatly increases the worth of the mailing list, as a spammer can be sure that the recipient is genuinely interested in the subject and the e-mail account is valid and accepting e-mail.
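The difference between the two flavors is easiest to see in code. The following is an added example, not code from this book or from any real mailing-list product: a minimal in-memory list that offers both flows, where the double opt-in path mints a signed, expiring, one-shot confirmation token that only the mailbox owner would ever receive. The signing key, the 24-hour TTL and the `MailingList` class are assumptions chosen for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed demo values: a real deployment loads the signing key from
# configuration and picks a TTL that matches its confirmation e-mail copy.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_TTL = 24 * 3600  # seconds a confirmation link stays valid


class MailingList:
    """Holds a confirmed subscriber set plus pending double opt-in requests."""

    def __init__(self, key=SIGNING_KEY, ttl=TOKEN_TTL, now=time.time):
        self.key = key
        self.ttl = ttl
        self.now = now            # injectable clock so expiry can be tested
        self.pending = {}         # email -> most recent token issued for it
        self.confirmed = set()

    def single_opt_in(self, email):
        # Single opt-in: whoever submits the form controls the entry. Nothing
        # proves the mailbox exists or that its owner asked to be listed.
        self.confirmed.add(email)

    def request_double_opt_in(self, email):
        # Double opt-in, step 1: record the request and mint a signed,
        # expiring token. Only the owner of the mailbox receives the token.
        expires = int(self.now()) + self.ttl
        payload = f"{email}|{expires}|{secrets.token_hex(8)}".encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        token = base64.urlsafe_b64encode(payload).decode() + "." + sig
        self.pending[email] = token
        return token  # in practice: embedded in a link mailed to `email`

    def confirm(self, token):
        # Double opt-in, step 2: the mailbox owner follows the link. Every
        # failure path returns False; the address only moves to `confirmed`
        # on a fresh, unexpired, correctly signed token we actually issued.
        try:
            encoded, sig = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(encoded.encode())
            email, expires, _nonce = payload.decode().split("|", 2)
        except (ValueError, binascii.Error):
            return False
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False          # forged or altered token
        if int(expires) < self.now():
            return False          # link expired
        if self.pending.get(email) != token:
            return False          # unknown, already used, or superseded
        del self.pending[email]   # one-shot: a replayed link does nothing
        self.confirmed.add(email)
        return True
```

The value a double opt-in list carries, as the text describes, comes entirely from `confirm`: an address reaches `confirmed` only when someone who can read that mailbox acted on the token, so the list is both deliverable and consented to. The single opt-in path has no such gate, which is why it can be padded with other people's or nonexistent addresses.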
Most people see mailing lists as a way to gain new information on a subject they find interesting, such as weekly updates or special offers on products. However, spammers see it differently. A spammer knows that everyone on this list is interested in one common topic, such as weight loss products or pornography, which enables him to put them all in a group and sell them one product. All a spacker has to do is find a flaw in the site, the network, or a script running on the site and use it to obtain that subscriber list. From a large company the spacker can expect anywhere from 50,000 to one million e-mail addresses. In dollar figures, this can range from $100.00 to $10,000.00 worth of revenue after a successful e-mail marketing campaign.
If the spacker is unable to find a product to sell, or if the obscure nature of the product would be too much work for too little pay, he can sell all of the data to another spammer and let them do the work. In fact, there’s a strong likelihood that a hacker has already sold your e-mail address, possibly many times over, without you ever knowing.
Other targets include online stores. You thought your data was safe when that little padlock showed up, right? Guess again. Although your communication to the server may be encrypted, the majority of e-commerce sites simply save your data in plaintext in a large database: easy pickings for a spammer, as the data contains not only your name, e-mail address, and real address, but your credit card information. This adds to the value of the data, since now a spammer can sell the credit card data to another party, perhaps someone interested in credit card fraud.
Advertising and data mining companies are also popular targets because they may have data that contains potential customers and the products they are interested in or their past buying habits; data that can be used to sell a product better.
Notes from the Underground…
A Security Flaw
Approximately five months ago, I became very interested in a newsletter script many large Web sites use. Written in Perl, this script allows interested users to subscribe to a newsletter. The Web site sends an update to all of the parties on the list monthly, telling them of any updates the site might have or any groundbreaking information they should know about. A Google search showed that it exists on over 500 large .coms. This meant big dollar signs if I could find a way to break the script to get to the mailing list beneath.
After two days of poring over the code looking for a possible security flaw, I found something. If I passed the script a certain length password when authenticating to the administration section, it bypassed any password checking usually performed. Due to a flaw in the implemented cryptography routine, the server produced an internal error when comparing passwords. After the error, however, the session was authenticated as administrator, giving full access to all of the subscribed users for each list the server maintains.
I used this exploit to harvest over 20 million e-mail addresses, and, as none of the sites even knew the exploit existed, no one could patch or upgrade the insecure script. I sold some addresses to friends, making a little over $3,000.00. I personally spammed the majority, and managed to raise $7,000.00 from selling targeted products to various lists. To this day the flaw exists, and new Web sites installing even the latest version of the product are vulnerable to my attack. Every month I search the Web looking for new sites and I harvest all available contacts or recently added subscribers.
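What the sidebar describes is an authentication check that fails open: an error inside the password comparison aborts the comparison, and the code that follows treats the absence of an explicit denial as success. The book shows none of the script's code, so the following is an added, constructed model of that failure mode beside its fail-closed counterpart; it is not the newsletter script, and `fragile_hash`, `HashFailure`, the salt, the credential and the `AUDIT` log are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed admin credential: stored as a salted hash, never as plaintext.
_SALT = b"constructed-salt"
ADMIN_HASH = hashlib.sha256(_SALT + b"correct horse battery").hexdigest()

AUDIT = []  # stand-in for the server's error/auth log


class HashFailure(Exception):
    """Raised by the stand-in hash routine on input it cannot handle."""


def fragile_hash(password):
    # Constructed stand-in for a crypto routine that throws on an unusual
    # input length. The real script's defect is not given in the book; this
    # only models "the check raised an error before it finished".
    if len(password) > 64:
        raise HashFailure("internal error in hash routine")
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


def login_fail_open(password):
    # Anti-pattern: `denied` is set only on an explicit mismatch. When the
    # hash routine raises, the mismatch branch never runs, the error is
    # merely logged, and the function falls through to granting the session.
    denied = False
    try:
        if not hmac.compare_digest(fragile_hash(password), ADMIN_HASH):
            denied = True
    except HashFailure as err:
        AUDIT.append(f"error: {err}")  # logged, but the flow continues
    return not denied


def login_fail_closed(password):
    # Hardened form: the default answer is "no". The session is granted only
    # on a positive, exception-free match, and an error in the check is both
    # denied and recorded, so a burst of such errors stands out in the log.
    if len(password) > 64:
        AUDIT.append("auth-reject: over-length password")  # validate first
        return False
    try:
        matched = hmac.compare_digest(fragile_hash(password), ADMIN_HASH)
    except HashFailure as err:
        AUDIT.append(f"auth-error: {err}")
        return False
    if not matched:
        AUDIT.append("auth-reject: bad password")
    return matched
```

The two functions agree on ordinary input and differ only when the check itself breaks, which is exactly the case a reviewer should look for: any authentication routine whose success path is reached by not having been denied, rather than by having been verified, has this shape. The hardened version also writes a distinct log line on rejection and on internal error, so an operator watching the auth log sees an unusual volume of errors around the admin endpoint rather than, as in the story, nothing at all.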
Hacking for e-mail addresses is a common technique used to get new contacts. The majority of Web sites keep their promise and don’t sell contact details; however, hackers take them without permission and for no cost. It’s common for a spammer to resell e-mail addresses to multiple spammers once they are finished with them, and for those spammers to resell the list once again.
Within a week, at least ten new spammers may have your contact details and thousands of dollars may change hands, all for the sake of the equivalent of a digital phone number. So, think carefully before you give anyone your e-mail address, even if they promise to never give out your details.