Thursday, 6 May 2010

Online porn - economics, security, cybercrime

Researchers ran adult web sites to study security flaws, the economics of the porn industry and "potential points of interest for cybercriminals"; the resulting paper is Is the Internet for Porn? An Insight Into the Online Adult Industry by Gilbert Wondracek, Thorsten Holz, Christian Platzer, Engin Kirda, and Christopher Kruegel.

The paper provides "a detailed overview of the individual actors and roles within the online adult industry. This enables us to better understand the mechanisms with which visitors are redirected between the individual parties and how money flows between them".

It also looks at "security aspects of more than 250,000 adult pages and… the prevalence of drive-by download attacks. In addition, we present domain-specific security threats such as disguised traffic redirection techniques, and survey the hosting infrastructure of adult sites."

The paper said, "By operating two adult web sites, we obtain a deeper understanding of the related abuse potential. We participate in adult traffic trading, and provide a detailed discussion of this unique aspect of adult web sites, including insights into the economical implications, and possible attack vectors that a malicious site operator could leverage. Furthermore, we experimentally show that a malicious site operator could benefit from domain-specific business practices that facilitate clickfraud and mass exploitation."

Their findings (emphasis added):

"We analyzed the economic structure of this industry, and found that apart from the expected “core business” of adult sites, more shady business models exist in parallel. Our evaluation shows that many adult web sites try to mislead and manipulate their visitors, with the intent of generating revenue. To this end, a wide range of questionable techniques are employed, and openly offered as business-to-business services. The tricks that these web sites employ range from simple obfuscation techniques such as relatively harmless blind links, over convenience services for typo-squatters, to sophisticated redirector chains that are used for traffic trading. Additionally, the used techniques have the potential to be exploited in more harmful ways, for example by facilitating CSRF [cross site request forgery] attacks or click-fraud.

By becoming adult web site operators ourselves, we gained additional insights on unique security aspects in this domain. For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160. We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild."

No doubt there will be many more researchers now wanting to conduct similar "realistic experiments" with online pornography sites as "the only way to reliably estimate success rates of attacks in the real-world"!

(Also - file sharing software can be used to trawl for private health and other info.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.