Cybercriminals increasingly are employing no-tech or low-tech techniques for making big money online -- no exploits or sophisticated hacker tools required.
Grossman, CTO and founder of WhiteHat Security, says these increasingly popular methods take advantage of weaknesses in online applications or business processes, and could eventually usurp the ubiquitous SQL injection and cross-site scripting (XSS) vulnerabilities as the biggest threats to the Web. "We find these in Websites all the time," he says. "And all it takes to exploit them is a browser."
"In the last five years, cross-site scripting and SQL injection have been the imminent threat," he says. "But the bad guys are increasingly looking to monetize [the Web], so we'll see more of these business logic flaws [being exploited] in the next two years. They are way more difficult to detect."
Among the more popular venues for these attacks are online auctions and affiliate marketing networks, which help sites attract more traffic by sharing a percentage of the sales they drive to one another. These affiliate models can be easily abused to help pad hit numbers as well as to generate commissions, sometimes without even making a sale, according to Grossman.
One hack that Grossman and Ford will show at Black Hat involved a bank customer of WhiteHat's, which was among 600 small- to medium-sized financial institutions that were vulnerable to a logic flaw in their application-hosting provider's system. The flaw allowed attackers to steal money from the bank. "The attackers didn't build [or] host their own Website," Grossman says. "One particular flaw in the ASP's [application service provider] system allowed [them] to see and transfer money on any account on the entire system."
The ASP wasn't willing to do the complete system redesign it would have taken to shore up the problem once WhiteHat pointed it out. "During one of our tests, we got the [system] to send us a check in the mail for $2, made out to 'WH Test,' and we emailed a photo of it to our customer."
It was discovered that cybercriminals had used the flaw in the ASP's system to steal money from the bank and wire over $70,000 to Eastern Europe, Grossman says. He plans to provide details of the ASP's flaw in his presentation next week.
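The article does not say how the ASP's flaw worked, only that it let an attacker see and transfer money on any account. The following is an added example, not the ASP's or WhiteHat's code, and it assumes one common shape such a logic flaw takes: a transfer handler that trusts the account number in the request and never checks that the logged-in user owns it. The hardened handler beside it makes the ownership and amount checks explicit. Account numbers, owners and balances are constructed sample data.

```python
"""Ownership check on an account transfer (added example, hypothetical mechanism).

The vulnerable handler assumes, hypothetically, that the account number in the
request is trustworthy. The checked handler authorizes against the
authenticated identity instead. All data below is constructed.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a caller tries to act on an account they do not own."""


class TransferError(Exception):
    """Raised for invalid amounts, unknown destinations or insufficient funds."""


@dataclass
class Account:
    number: str
    owner: str        # user id of the account holder
    balance: float


@dataclass
class Ledger:
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add(self, acct: Account) -> None:
        self.accounts[acct.number] = acct


def transfer_unchecked(ledger: Ledger, session_user: str, src: str, dst: str, amount: float) -> None:
    """VULNERABLE (hypothetical): the request names any source account and the
    handler moves the money without asking whether session_user owns it."""
    source, dest = ledger.accounts[src], ledger.accounts[dst]
    source.balance -= amount
    dest.balance += amount
    ledger.audit.append((session_user, src, dst, amount))


def transfer_checked(ledger: Ledger, session_user: str, src: str, dst: str, amount: float) -> None:
    """Hardened: authorize against the authenticated identity, not the request."""
    source = ledger.accounts.get(src)
    dest = ledger.accounts.get(dst)
    # Same error whether the account is missing or not ours: do not leak existence.
    if source is None or source.owner != session_user:
        raise AuthorizationError("source account not owned by caller")
    if dest is None:
        raise TransferError("unknown destination account")
    if amount <= 0 or amount > source.balance:
        raise TransferError("invalid amount")
    source.balance -= amount
    dest.balance += amount
    ledger.audit.append((session_user, src, dst, amount))


def sample_ledger() -> Ledger:
    """Constructed data: a victim's account and an account the caller does own."""
    ledger = Ledger()
    ledger.add(Account("1001", "victim", 5000.0))
    ledger.add(Account("2002", "mallory", 10.0))
    return ledger


def demo_unchecked() -> float:
    """Caller 'mallory' moves 4000 out of an account she does not own; returns the victim's balance."""
    ledger = sample_ledger()
    transfer_unchecked(ledger, "mallory", "1001", "2002", 4000.0)
    return ledger.accounts["1001"].balance


def demo_checked() -> str:
    """Same request against the hardened handler; returns the outcome."""
    ledger = sample_ledger()
    try:
        transfer_checked(ledger, "mallory", "1001", "2002", 4000.0)
    except AuthorizationError:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    print("unchecked handler leaves the victim with", demo_unchecked())  # 1000.0
    print("checked handler:", demo_checked())                            # denied
```

The point of the hardened version is that the only identity it trusts is the session's, and every other field in the request is treated as attacker-controlled input to be checked against it.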
The researchers also will detail a commonly exploited affiliate marketing arrangement wherein the bad guys rack up big commissions and bonuses each time they get a new customer to just sign up for a Website. Each time an affiliate scores a new customer for an online merchant in this arrangement, they get a $10 acquisition fee, for instance, as long as the customer also provides his or her credit card number. "I made $10 even if you didn't spend a dime," explains Grossman.
So how do these scams succeed? "The marketing departments running these programs [that get exploited] see tons of new user registrations; all they are going to see is massive success," he says. In some cases, it doesn't behoove them to match the registrations with actual sales, he says.
Marketing teams need to have better fraud-monitoring technology and/or work closely with security to limit security design flaws, he says. "Money is being siphoned out and the security guys are the last to know."
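The monitoring gap Grossman describes is that nobody matches registrations against sales. The following is an added example, not WhiteHat's or any merchant's code, of the reconciliation check that closes it: per affiliate, it totals the bounty owed for sign-ups that supplied a card and counts how many of those referred users ever bought anything, then flags affiliates owed a lot of bounty for sign-ups that almost never convert. The $10 fee is from the article; the affiliate ids, user ids, thresholds and sales amounts are constructed for the example.

```python
"""Reconcile affiliate sign-ups against real sales (added example, not a vendor's code).

Joins an affiliate program's registration log to the merchant's sales ledger and
flags affiliates whose referrals earn bounty but never buy. All ids, amounts and
thresholds below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

ACQUISITION_FEE = 10.0   # from the article: $10 per sign-up that provides a card number


@dataclass(frozen=True)
class Registration:
    affiliate_id: str
    user_id: str
    card_on_file: bool


@dataclass(frozen=True)
class Sale:
    user_id: str
    amount: float


@dataclass
class AffiliateReport:
    affiliate_id: str
    signups: int = 0
    paid_signups: int = 0     # sign-ups that earned the bounty
    buyers: int = 0           # referred users with at least one sale
    revenue: float = 0.0
    bounty_owed: float = 0.0

    @property
    def conversion_rate(self) -> float:
        return self.buyers / self.signups if self.signups else 0.0


def reconcile(registrations, sales) -> dict:
    """Join the registration log to the sales ledger, one report per affiliate."""
    spend_by_user = defaultdict(float)
    for sale in sales:
        spend_by_user[sale.user_id] += sale.amount

    reports = {}
    for reg in registrations:
        rep = reports.setdefault(reg.affiliate_id, AffiliateReport(reg.affiliate_id))
        rep.signups += 1
        if reg.card_on_file:
            rep.paid_signups += 1
            rep.bounty_owed += ACQUISITION_FEE
        if reg.user_id in spend_by_user:      # membership test; does not create a key
            rep.buyers += 1
            rep.revenue += spend_by_user[reg.user_id]
    return reports


def flag_suspicious(reports, min_paid_signups=20, max_conversion=0.05) -> list:
    """Affiliates owed substantial bounty whose referrals almost never buy."""
    return sorted(
        aff for aff, rep in reports.items()
        if rep.paid_signups >= min_paid_signups and rep.conversion_rate <= max_conversion
    )


# Constructed sample: one ordinary affiliate and one that farms sign-ups.
SAMPLE_REGISTRATIONS = (
    [Registration("aff-legit", f"u-legit-{i}", card_on_file=(i % 6 != 0)) for i in range(30)]
    + [Registration("aff-farm", f"u-farm-{i}", card_on_file=True) for i in range(200)]
)
SAMPLE_SALES = (
    [Sale(f"u-legit-{i}", 49.99) for i in range(0, 30, 3)]   # 10 referred users bought
    + [Sale("u-farm-7", 5.00)]                                # 1 of 200 bought anything
)


def run_sample() -> dict:
    """Reconcile the constructed data; returns the reports and the flagged affiliates."""
    reports = reconcile(SAMPLE_REGISTRATIONS, SAMPLE_SALES)
    return {"reports": reports, "flagged": flag_suspicious(reports)}


if __name__ == "__main__":
    result = run_sample()
    for rep in result["reports"].values():
        print(f"{rep.affiliate_id}: {rep.paid_signups} paid sign-ups, "
              f"${rep.bounty_owed:.0f} bounty, {rep.buyers} buyers, "
              f"conversion {rep.conversion_rate:.1%}")
    print("flagged:", result["flagged"])   # ['aff-farm']
```

The check is deliberately simple: the signal is bounty owed versus revenue earned per affiliate, which is exactly the comparison a registration-count dashboard never makes. In practice the thresholds would be tuned per program, and the flagged list would feed a payout hold rather than an automatic block.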
Grossman and Ford will present their research on the silent rise in logic flaw attacks on August 7 at Black Hat. "I was shocked that some of this stuff was still around," Grossman says.