Business hacks reap money from e-commerce sites

How e-commerce sites get ripped off for millions of dollars.

Anyone with a sharp eye for flawed business logic and a dim view of business ethics can exploit e-commerce Web sites for millions of dollars, security experts told Black Hat attendees.

For instance, one could infer how well a business is doing on the stock market and make appropriate purchases or sales to reap millions, says Jeremiah Grossman, CTO, and Arian Evans, director of operations, at White Hat Security.

Ordering a company's stock online and receiving an order number, then doing the same thing later and comparing the order numbers, which in many cases are sequential, can indicate how much of a company's stock is being traded over that time interval, says Grossman, who with Evans presented "Get Rich or Die Trying - Making Money on the Web the Black Hat Way." Buying or selling based on that can result in big profit, he says.

In addition, White Hat has come across other exploits in its work penetration testing customers' Web sites, Grossman says.

In one instance, an Estonian financial firm managed to crack the URL format used by Business Wire for embargoed press releases that detailed earnings-related data about corporations. The firm used that data before it was public and profited US$8 million before the Securities and Exchange Commission (SEC) caught the activity and halted it.

In a similar case, a Ukranian hacker broke into Thompson Financial for data on a health firm and reaped US$300,000. The SEC froze those funds, but a judge ordered them released to the hacker because the hacker wasn't an insider and therefore couldn't be charged with insider trading. He might have been charged with hacking, but he was in the Ukraine, where official cooperation with prosecution was unlikely, Grossman says.

During his talk Grossman displayed checks for US$132,994.97 and $901,733.84 from Google to people who used cookie stuffing to reap payments for driving traffic to Web sites.

The way it's supposed to work, someone with a Web site includes a link to an affiliated business' page. If a consumer clicks on it, their computer gets a cookie and if they buy something later, that cookie notes what Web site referred the buyer and that site gets a payment.

Scammers have developed elaborate schemes to exploit the system, Grossman says, starting with sites automatically hitting visitors with the marker cookie as soon as they visit the scammer's pages. All visitors get the cookie, not just those that click on the link. If a visitor later happens to buy something from an affiliated site, the scammer gets money.

E-commerce sites got smart and kicked out affiliate networks that made suspiciously high claims, Grossman says, but scammers responded by stuffing cookies from SSL Web pages because the cookies don't reveal what pages they came from.

Online ordering systems can also be a risk to businesses, Grossman warned. Home shopping network QVC was hit for US$412,000 in merchandise by one scammer because of a lag in its online ordering system, he says. Customers could order items online then immediately cancel the order, but the order would be sent anyway.

A North Carolina woman took advantage of this: She ordered and canceled merchandise, then sold it on e-Bay. She was caught only because her customers thought it odd that she was mailing the items in QVC packaging and reported her.

She wasn't prosecuted for selling the goods because they were legally hers, Grossman says. Rather she pleaded guilty to wire fraud, he says.

Other potentially lucrative hacks include:

Guessing the numbers of online discount coupons and buying merchandise with them. One scammer got US$50,000 worth of merchandise and was caught because he entered his new batches of guessed coupon numbers all at once in the middle of the night, causing a suspicious spike in traffic that the merchant noticed. He was prosecuted for mail fraud because items were sent to a non-existent address and a colluding postal worker intercepted them and turned them over to him.

Setting up multiple bank accounts and arranging for transfers among them. Before banks actually make electronic transfers they make a small transfer - cents or a few dollars - just to make sure the real transfer will work. Scammers arrange for large transfers to a central account, then cancel them after the dry run transfer. Enough of those can add up, Grossman says.

Cracking captchas, the distorted numbers and letters that some sites use to verify that a human being, not a machine, is contacting the site. Some captchas use the same number-letter combinations over and over, so automated guessing can work to crack them, says Evans. Some sophisticated optical scanners can read captchas, and there are even overseas businesses that offer to break them for cash.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Show Comments


James Cook University - Master of Data Science Online Course

Learn more >


Victorinox Werks Professional Executive 17 Laptop Case

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?