Anyone with a sharp eye for flawed business logic and a dim view of business ethics can exploit e-commerce websites for millions of dollars, security experts told Black Hat attendees.
It is relatively easy to ascertain how well a business is doing on the stock market and make appropriate purchases or sales to reap millions, according to Jeremiah Grossman, chief technology officer at White Hat Security, and Arian Evans, director of operations.
Ordering a company's stock online and receiving an order number, then doing the same thing later and comparing the order numbers, which in many cases are sequential, can indicate how much of a company's stock is being traded over that time interval, said Grossman, who with Evans presented "Get Rich or Die Trying - Making Money on the web the Black Hat Way." Buying or selling based on that can result in big profit, he said.
In addition, White Hat has come across other exploits in its work penetration testing customers' websites, Grossman said.
In one instance, an Estonian financial firm managed to crack the URL format used by Business Wire for embargoed press releases that detailed earnings-related data about corporations. The firm used that data before it was public and profited $8 million (£4.2 million) before the Securities and Exchange Commission (SEC) caught the activity and halted it.
In a similar case, a Ukranian hacker broke into Thompson Financial for data on a health firm and reaped $300,000 (£156,000). The SEC froze those funds, but a judge ordered them released to the hacker because the hacker was not an insider and therefore couldn't be charged with insider trading. He might have been charged with hacking, but he was in the Ukraine, where official cooperation with prosecution was unlikely, Grossman said.
During his talk Grossman displayed checks for $132,994.97 (£69,148) and $901,733.84 (£468,842) from Google to people who used cookie stuffing to reap payments for driving traffic to websites.
The way it's supposed to work, someone with a website includes a link to an affiliated business' page. If a consumer clicks on it, their computer gets a cookie and if they buy something later, that cookie notes what website referred the buyer and that site gets a payment.
Scammers have developed elaborate schemes to exploit the system, Grossman said, starting with sites automatically hitting visitors with the marker cookie as soon as they visit the scammer's pages. All visitors get the cookie, not just those that click on the link. If a visitor later happens to buy something from an affiliated site, the scammer gets money.
E-commerce sites got smart and kicked out affiliate networks that made suspiciously high claims, Grossman said, but scammers responded by stuffing cookies from SSL web pages because the cookies don't reveal what pages they came from.
Online ordering systems can also be a risk to businesses, Grossman warned. Home shopping network QVC was hit for $412,000 (£214,000) in merchandise by one scammer because of a lag in its online ordering system, he said. Customers could order items online then immediately cancel the order, but the order would be sent anyway.
A North Carolina woman took advantage of this: She ordered and cancelled merchandise, then sold it on eBay. She was caught only because her customers thought it odd that she was mailing the items in QVC packaging and reported her.
She wasn't prosecuted for selling the goods because they were legally hers, Grossman said. Rather she pleaded guilty to wire fraud, he said.
Other potentially lucrative hacks include:
* Guessing the numbers of online discount coupons and buying merchandise with them. One scammer got $50,000 (£26,000) worth of merchandise and was caught because he entered his new batches of guessed coupon numbers all at once in the middle of the night, causing a suspicious spike in traffic that the merchant noticed. He was prosecuted for mail fraud because items were sent to a non-existent address and a colluding postal worker intercepted them and turned them over to him.
* Setting up multiple bank accounts and arranging for transfers among them. Before banks actually make electronic transfers they make a small transfer - cents or a few dollars - just to make sure the real transfer will work. Scammers arrange for large transfers to a central account, then cancel them after the dry run transfer. Enough of those can add up, Grossman said.
* Cracking captchas, the distorted numbers and letters that some sites use to verify that a human being, not a machine, is contacting the site. Some captchas use the same number-letter combinations over and over, so automated guessing can work to crack them, said Evans. Some sophisticated optical scanners can read captchas, and there are even overseas businesses that offer to break them for cash.