Tech Lessons From the Bad Guys

Chris Lindquist writes "Organized crime, porn peddlers, gambling sites — they all use technology to make a killing. CIO.com has posted several stories that spell out how the seedy side uses IT for profit. From the online techniques of penny stock scammers to innovation lessons from a pair of 'accidental pornographers,' to what you can do to fend off cybercriminals, find out what they do right when they're doing wrong."

Wanted: Linux systems administrator.

For those of you wondering about the pr0n stuff.

I was looking for a job and had posted my resume on line (monster.com I think) and got a call from a guy looking for an admin with web server skills. The third or fourth question was if I minded the fact that they would be pr0n servers.

I had to turn them down, and no I don't remember the company name.

So, if you have the right skill and are in a big city market, who knows. You might just get a call.

Here's how it's done

[Opportunist]

Do you know that Western Union doesn't require you to legitimate yourself when withdrawing money if it's not more than (IIRC) 6k bucks? So all you gotta do is find some gullible moron, who'll "work" for your "international financing company" by offering you his account for a transfer. You have your target transfer the money to this moron's account and have him transfer the money via WU, and inform you about the transfer code. He can keep, say, 20% of the stolen money, and hey, who'd turn that offer down, about 1k bucks for 2 hours work? Almost too good to be real!

Then you (or if you're a larger organisation, one of your goons) goes to WU, hands in the transfer code and heads out with the money.

Of course the "financial agent" gets caught. But that's no loss, you know, there's an idiot born every minute, you'll find others.

Re:Accidental pornographers?

[twistedsymphony]

It was very interesting, while I knew that the porn industry was fairly in-tune with technology the article left me with the impression that they drive tech advances more then we realize... The one bit on open source software really caught my eye:

Another red light best practice is to look for vendors that use open source. Since sites are open 24/7 (late-night hours are extremely profitable on the red light Web), "if we ever run into critical issues we need them solved now, not two hours from now," says Bodog's Ayre, who has learned that if he wants his people to be able to fix something, they need to have access to the source code. "We absolutely could not get a couple of our vendors to address an issue that was crippling us," says Ayre. "Under peak loads, the entire site became nonresponsive. We had no choice but to decompile the systems in question and fix the problem ourselves. This was probably one of the biggest drivers pushing us to adopt open-source solutions for our most critical systems."

Probably one of the best arguments for a corporate adoption of open source software I've ever heard. I know, at least at my company, we're in constant struggle with our software vendors to fix bugs that are critical to us but maybe not critical to their other clients. This is particularly frustrating when we have the knowledge necessary to fix the problem ourselves... just no access to the source.

An extra thought

[Moraelin]

Exactly. Reading the summary left me scratching my head too. You've nailed the moral judgment excellently already, so I won't repeat that.

But I'll add another thought there: regardless of the moral judgment, exactly what is to learn from porn or gambling sites anyway?

No, seriously. Spammers, scammers, DDOS extortionists, etc, actually face some technical challenges. They need zero day exploits to maintain their army of zombie machines. They need to circumvent or disable protections. (See the many viruses or trojans that disable the major antiviruses and firewalls.) They need to dodge the law, at _least_ in that they need to transfer the ill gotten money abroad without leaving _too_ many obvious traces. Etc.

Those are real technical challenges. Antiviruses for example are getting so defensive against being disabled, that it's sometimes hard to fully uninstall them even as the legit owner of the machine.

You can learn something from that, and (in response to other posts) there _are_ legitimate uses for that knowledge too. E.g., whatever techniques they use to automate looking for buffer overflows, should be mandatory testing techniques for new software.

But porn and gambling sites? Gimme a break. I dare say most of the porn sites are actually just a plain old normal web site. There's nothing particularly high-tech about them, really. Just some thumbnails linking to a video or larger picture. In really "high tech" cases, they might open a popup via javascript for the page with the embedded movie. But that's about it.

Exactly what's to learn there.

Sure, a number of sites use porn as a bait to get one virused. But even then it helps to realize that that's not primarily a porn site, it's primarily a script-kiddie site and the porn is just the bait there. Just because the porn is the bait, doesn't make porn itself some high-tech black-hat thing.

To use a metaphor, there have been cases where people have been lured in a RL (non-internet, back-of-the-van kind) scam with such promises as a cheap second-hand laptop or whatever other cheap no-questions-asked good. Yet that doesn't make laptops themselves some evil bad-guy kind of scam. It's just the bait, the scam is a completely different half of that incident.