Dark Reading -- Risk

7/29/2008, 08:30 AM
Hacking Without Exploits

Black Hat researchers will demonstrate how the bad guys are quietly raking in big bucks without ninja hacking skills, tools, or exploit code

Cybercriminals increasingly are employing no-tech or low-tech techniques for making big money online -- no exploits or sophisticated hacker tools required.

The techniques themselves aren’t new -- some have been around for nearly a decade. But the Web model has made these schemes that capitalize on so-called business logic flaws more lucrative than ever, according to Jeremiah Grossman, one of the researchers who will pull back the covers on these insidious and often transparent methods of attack at Black Hat USA next week in Las Vegas.

Grossman, CTO and founder of WhiteHat Security, says these increasingly popular methods take advantage of weaknesses in online applications or business processes, and could eventually usurp the ubiquitous SQL injection and cross-site scripting (XSS) vulnerabilities as the biggest threats to the Web. “We find these in Websites all the time,” he says. And all it takes to exploit them is a browser, he says.

“In the last five years, cross-site scripting and SQL injection have been the imminent threat,” he says. “But the bad guys are increasingly looking to monetize [the Web], so we’ll see more of these business logic flaws [being exploited] in the next two years. They are way more difficult to detect.”

Intrusion detection systems (IDS) can’t detect them, nor can Web application firewalls block them, he says, so there’s really no way to know for sure just how prevalent these attacks are today. But Grossman and fellow presenter Trey Ford, director of solutions architecture for WhiteHat, will show some real-world attacks, including some data from WhiteHat’s own clients. “What we do know is that large dollar sums are being lost already,” Grossman says. Some bad guys are making up to seven figures a month using these methods of attack, he says.

Among the more popular venues for these attacks are online auctions and affiliate marketing networks, which help sites attract more traffic by sharing a percentage of the sales they drive to one another. These affiliate models can be easily abused to help pad hit numbers as well as to generate commissions, sometimes without even making a sale, according to Grossman.

One hack that Grossman and Ford will show at Black Hat involved a bank customer of WhiteHat’s, which was among 600 small- to medium-sized financial institutions that were vulnerable to a logic flaw in their application-hosting provider’s system. The flaw allowed attackers to steal money from the bank. “The attackers didn’t build [or] host their own Website,” Grossman says. “One particular flaw in the ASP’s [application service provider] system allowed [them] to see and transfer money on any account on the entire system.”

The ASP wasn’t willing to do the complete system redesign it would have taken to shore up the problem once WhiteHat pointed it out. “During one of our tests, we got the [system] to send us a check in the mail for $2, made out to ‘WH Test,’ and we emailed a photo of it to our customer.”

It was discovered that the cybercriminals had stolen money from the bank using the flaw in the ASP’s system and wired over $70,000 to Eastern Europe, Grossman says. He plans to provide details of the ASP’s flaw in his presentation next week.
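The kind of missing authorization check behind the ASP flaw, as an added illustration rather than the provider's actual code (the article gives no details of it): the vulnerable handler trusts the account numbers in the request, while the hardened one resolves the source account only among those the logged-in customer holds at the institution the session was issued for. The ledger layout, session fields and same-institution rule are assumptions.

```python
class Forbidden(Exception):
    """Raised when the caller does not hold the account it is trying to use."""


def fresh_ledger():
    """Constructed sample ledger for a hosting platform serving several banks;
    not the real ASP's data model."""
    return {
        "1001": {"bank": "bank-a", "owner": "alice", "balance": 500.0},
        "1002": {"bank": "bank-a", "owner": "bob", "balance": 300.0},
        "2001": {"bank": "bank-b", "owner": "carol", "balance": 900.0},
    }


def _move(ledger, src, dst, amount):
    """Apply the debit/credit pair once the caller has authorized it."""
    if amount <= 0 or ledger[src]["balance"] < amount:
        raise ValueError("invalid amount")
    ledger[src]["balance"] -= amount
    ledger[dst]["balance"] += amount
    return ledger[src]["balance"]


def transfer_vulnerable(ledger, session, src, dst, amount):
    """Business logic flaw: the account numbers come straight from the request
    and are never tied to the logged-in customer (session is unused), so any
    valid login can move money on any account hosted on the platform."""
    if src not in ledger or dst not in ledger:
        raise KeyError("no such account")
    return _move(ledger, src, dst, amount)


def transfer_hardened(ledger, session, src, dst, amount):
    """Authorization check: the source account must belong to the authenticated
    customer at the institution the session was issued for, and the destination
    must exist at that same institution (same-bank transfers only, an assumption).
    Both failures raise the same error so account numbers cannot be enumerated."""
    account = ledger.get(src)
    if (account is None or account["bank"] != session["bank"]
            or account["owner"] != session["user"]):
        raise Forbidden("source account is not held by this customer")
    target = ledger.get(dst)
    if target is None or target["bank"] != session["bank"]:
        raise Forbidden("destination is outside the customer's institution")
    return _move(ledger, src, dst, amount)
```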

The researchers also will detail a commonly exploited affiliate marketing arrangement wherein the bad guys rack up big commissions and bonuses each time they get a new customer to just sign up for a Website. Each time an affiliate scores a new customer for an online merchant in this arrangement, they get a $10 acquisition fee, for instance, as long as the customer also provides his or her credit card number. “I made $10 even if you didn’t spend a dime,” explains Grossman.

So how do these scams succeed? “The marketing departments running these programs [that get exploited] see tons of new user registrations; all they are going to see is massive success,” he says. In some cases, it doesn’t behoove them to match the registrations with actual sales, he says.

“The marketing teams need to have better fraud-monitoring technology and/or work closely with security to limit security design flaws,” he says. “Money is being siphoned out and the security guys are the last to know.”
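A first cut at the fraud monitoring Grossman describes, as an added example that is not WhiteHat's or the article's own code: it rolls constructed affiliate signup and purchase events up per affiliate, prices each signup at the $10 acquisition fee from the article, and flags affiliates whose registrations almost never turn into sales. The event format, the thresholds and the sample data are assumptions.

```python
from collections import defaultdict

ACQUISITION_FEE = 10.0  # per-signup fee the article describes (assumed flat)

# Constructed sample affiliate events, not data from WhiteHat or the article:
# (affiliate_id, event_type, customer_id, order_amount)
EVENTS = [
    ("aff-1", "signup", "c1", 0.0), ("aff-1", "purchase", "c1", 40.0),
    ("aff-1", "signup", "c2", 0.0), ("aff-1", "purchase", "c2", 25.0),
    ("aff-1", "signup", "c3", 0.0),
]
# aff-7: 25 signups, 8 of whom buy something -- a plausible honest affiliate
EVENTS += [("aff-7", "signup", f"h{i}", 0.0) for i in range(25)]
EVENTS += [("aff-7", "purchase", f"h{i}", 30.0) for i in range(8)]
# aff-9: 30 registrations that earn the fee but never produce a single sale
EVENTS += [("aff-9", "signup", f"f{i}", 0.0) for i in range(30)]


def summarize(events):
    """Roll events up per affiliate: signups, distinct buyers, revenue, fees owed."""
    stats = defaultdict(lambda: {"signups": 0, "buyers": set(), "revenue": 0.0})
    for affiliate, kind, customer, amount in events:
        s = stats[affiliate]
        if kind == "signup":
            s["signups"] += 1
        elif kind == "purchase":
            s["buyers"].add(customer)
            s["revenue"] += amount
    out = {}
    for affiliate, s in stats.items():
        signups, buyers = s["signups"], len(s["buyers"])
        out[affiliate] = {
            "signups": signups,
            "buyers": buyers,
            "revenue": s["revenue"],
            "fees": signups * ACQUISITION_FEE,
            "conversion": buyers / signups if signups else 0.0,
        }
    return out


def flag_affiliates(summary, min_signups=20, max_conversion=0.05):
    """Flag affiliates with enough volume to judge whose signups almost never
    turn into sales and who cost more in fees than the revenue they drive."""
    flagged = []
    for affiliate, s in sorted(summary.items()):
        if s["signups"] < min_signups:
            continue  # too few signups to judge yet
        if s["conversion"] <= max_conversion and s["fees"] > s["revenue"]:
            flagged.append(affiliate)
    return flagged
```

Matching registrations against sales is the check the marketing side was skipping; the thresholds would be tuned to the program's normal conversion rate.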

Grossman and Ford will present their research on the silent rise in logic flaw attacks on August 7 at Black Hat. “I was shocked that some of this stuff was still around,” Grossman says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...