Anatomy of a scam

A new report from Microsoft (didn’t know they did these kinds of interesting reports) and UC Davis outlines the ways in which web spammers are operationally organized (NYT had a review on the report as well). It’s an interesting, albeit somewhat dense, read… I have summarized the main points from the report in the pictures below:

scam.png

This chart talks about the basic structure of the scam… But the chart below (taken from the report) brings out some astonishing things about how well organized it all is. More than 80% of all these click-thrus are funneled through two IP ranges apparently owned by the domain owners. Another surprising thing is the appearance of a number of familiar brands like Shopping.com, Looksmart, Orbitz etc. at different stages of the money chain. The report also points to BlogSpot and a few other web hosts that are very popular with the spammers… Apparently 75% of the BlogSpots that show up in the search results are there because of the spammers. This is a serious issue which Google should do something about (makes you kinda scratch your head as to why Google doesn’t do anything about it, could it be the AdSense money they get???)

structure.png

The fact that the whole thing is so organized means that it should be easy for search companies to go after… Doing this will rid the Internet of a lot of crappy content and thereby improve the browsing experience and CPMs for everybody else.

(Yi-Min Wang of Microsoft – Pic via NYT)

See some of the screenshots related to the analysis in the report here.

eBay ratings booster

I came across this fascinating piece on AuctionBytes about how some users are gaming the eBay rating system.

Many eBay users are familiar with sellers who use a low-price/high-shipping strategy to manipulate eBay search results. But less well known is the technique of listing 1-cent eBooks with zero shipping charges. In fact, it would appear at first glance to be a money-losing strategy, since eBay charges a minimum 5-cent listing fee for Stores (and 20 cents for core listings). But sellers employing the strategy offer multiple quantities of the items in each listing.

While sellers legitimately sell digital content on eBay, many of the 1-cent eBook, no-shipping Store listings AuctionBytes examined looked suspect, including the possibility that sellers are in effect creating “feedback farms” – creating multiple User IDs that bid on these listings to quickly build up positive feedback ratings.

One such listing posted on September 20 netted the seller close to 1,000 feedback points in a 4-day period. The item for sale was a 1-cent/no shipping eBook that promised in the headline to make sellers $100/day by selling on eBay. By the evening of September 24, there were 9012 of these eBooks still available for sale through this one listing. (The listing contained photos of scantily clad women for no obvious reason.)

One UK website owner is apparently well aware of the penny eBook strategy and created a page to help users quickly overcome the restrictions eBay places on new accounts. “I know what it’s like when you have just opened your ebay account and have restrictions in place such as not being able to list “buy it now” auctions. To help with this problem I put together this short helper page which will get you 10 positive feedbacks within 100 seconds” (http://www.tradedemon.net/10EbayFeedbacks.php). The page includes links to active penny listings on eBay with instructions to buy 10 1-penny eBooks and leave positive feedback for the seller. “By the time you finish all 10, your feedback should be on 10.”

The article also talks about the struggle between the eBay policy enforcers and people trying to make a buck. Now, I don’t recommend that you do any of the things mentioned in the article, but check it out… It’s an interesting case study on how hard it really is for a horizontal e-business like eBay to work effectively in the long tail economy.

Attack of the Bots

Check out the great article in Wired magazine regarding the power and menace of the bots and their controllers:

AT FIRST, IT LOOKED LIKE typical network congestion. So the system administrators weren’t too concerned when TypePad blogs and LiveJournal social networks flickered like a light bulb in a faulty socket. But 15 minutes later, at 4 pm on May 2, 2006, the sites went dark, and so did the mood at Six Apart, the company that owns them. In the blink of an eye, 10 million blogs and online communities disappeared. “It looked like the servers had freaked out,” CEO Barak Berkowitz recalls. Flash floods of data thundered into one network port, stopped inexplicably, then reappeared to overwhelm another. The engineers pored over logs, desperately looking for a cause. After an agonizing hunt, they found it: a distributed denial-of-service attack, or DDoS. Six Apart’s servers had been inundated with so many requests that the machines couldn’t possibly process them all. It was the digital equivalent of filling a fish tank with a fire hose.

“After learning about bots, you might think, ‘I feel hopelessly outgunned and outmatched,'” says Peter Tippett, CTO of security consultancy Cybertrust. “You are.”

It’s a fascinating look into how paid, organized attacks are used to extract money or even shut down companies… It is still the wild, wild west in some areas of the Internet, and without the limitations of geography, it’s hard to see how we will be able to get a handle on these issues. This is going to be a big challenge.