March 4, 2005 - (HOSTSEARCH.COM) - As internet e-commerce and technology evolve, new security and business challenges arise every day. HostSearch examines 3 of the latest challenges for online businesses today; click fraud, “phishing/pharming” and Google hacking.
When I started my first job at an internet company my boss explained to me one way the company made money by advertising. He told me, “Our clients pay to advertise on our site and we receive money when some one visits the site and clicks on an ad.”
I clicked an ad, “You mean like that?” I asked.
“Yes, you just made $3 for the company but don’t do that.”
Click fraud is when the ad clicking is purposeful with the intent to cost business rivals money or knock them out of ad rotation by surpassing the maximum amount of money the business has set for its ad budget on a site.
Click fraud protection services have claimed that up to 50% of ad clicks may be click fraud although in actuality the number may be significantly lower no one knows for sure.
Even if the money is refunded by Google or Yahoo after the data has been analyzed for fraud it still costs the advertiser their ad space for the time they were knocked out of rotation.
It’s even been reported that in countries like India and China that impoverished workers are paid a pittance to spend the day clicking on ads. It may cost $100 a month to employee a ‘clicker’ but it may cost $20 a click to a victim of the attack. There are also scripted click fraud attacks although these are typically easier to detect.
Companies can protect themselves to some extent by looking for suspicious patterns of repetition such as clicks coming from the same IP address, a surge in clicks coming from a small set of search words or an increase in click throughs without any increase in business.
Google and other search engines offer varying policies on reimbursement.
Phishing has been around for quite some time. Criminals attempt to sucker an innocent victim into revealing their personal information by sending a faked email from the bank, the FBI, IRS, requesting information or perhaps even an email telling you you’ve won the lottery and all you’ve got to do is send you bank account number and mother’s maiden name to claim your $100 million dollars.
The most egregious phishing attack to succeed recently was the ChoicePoint data scam. A criminal group posing as an insurance company paid for and received data on over 500,000 individuals and thus far nearly 1,000 have been the victims of identity fraud. ChoicePoint began in 1997 as a company that sold credit data to the insurance industry. But over the next seven years, it became an all-purpose commercial source of personal information about Americans, with billions of details about their homes, cars, relatives, criminal records and other aspects of their lives.
These kinds of attacks have given rise to a new form of scam, pharming. Instead of trying to get people to ‘take the bait’ as in a phishing attack criminals are now using domain spoofing or ‘pharming’ to gain personal information such as credit card numbers or name, address, etc.
Hackers spoof a domain or recreate a website with a fake by a number of means. Criminals can try to change the records of a DNS server which is like a traffic router for the internet and change the address number for PayPal.com say to the criminal’s server with a PayPal look-a-like waiting for unsuspecting users who’ve been redirected.
The FireFox browser was recently exploited when hackers used letters from foreign languages that look like English in combination with English letters to form familiar looking URLs. Secunia was one of the first to report this attack style and posted a test on their website that redirects users who are vulnerable to a webpage on their site with a URL that says PayPal.com.
Another way hackers could accomplish this is through domain hijacking. Panix.com was recently involved in a scam where their domain was transferred to another IP without their knowledge or consent because of a lack of proper authentication on the part of the domain registrar.
The most surprising form of hacking, while it’s not altogether new, is Google hacking. Many hackers begin an attack by searching for information on a target using the highly useful Google.com. Using Google to search for error messages, passwords, and even web cam connections Google hacking can give hackers a foot in the door to an unsecured server. Often times default error messages reveal more information than is appropriate. There are numerous instructional websites for Google hacking. http://johnny.ihackstuff.com/ will let give you Google searches such as: “inurl:password intitle:index-of” or others which allows hackers to connect to live web cams.
In less than 30 minutes I’d logged myself in to a Chinese web site and seen about half a dozen security cameras pointed out at a darkened street from information on this site.
Hackers can even attack web sites that have fixed known errors by using Google’s cached pages.
When hackers establish effective manual means of searching for passwords they can then turn these methods into viruses and worms.
Server admins can work to protect themselves by creating customer error messages, avoiding HTML links in any page on a web server which will attract Google’s web spiders to search the page and to disallow directory listings.
