Exploiting Web business logic: I can’t hack it, but can I steal it? - Security Bytes
Aug 11 2008 9:09AM GMT


Posted by: Neil Roiter
Laws, Investigations and Ethics

At last, I thought, cybercrime for the rest of us. After seven years of infosec journalism I have just enough knowledge to ask reasonably intelligent questions, most of the time. But I’m no closer to having the technical chops for even the most idiot-proof Web attack.

So, I had a more-than-professional interest in sitting in on “Get Rich or Die Trying: Making Money on the Web the Black Hat Way” at Black Hat. With one kid starting college and another trailing an ain’t-that-just-too-perfect four years later, and the epiphany that the $5 blackjack tables were not the answer, here was Web crime even I could grasp, except for some aching ethical considerations.

There’s a lot of business logic out on the Web, said WhiteHat Security Inc.’s Jeremiah Grossman and Trey Ford, that can be exploited for big bucks without a single cross-site scripting attack or SQL injection. All that’s required is the will, maybe some working capital, a grayish ethical worldview, and some good old-fashioned name-your-nationality know-how.

Information leakage, insufficient authentication and authorization, and abuse of the website’s functionality are prime money-makers, along with the technical hacks we all know and love.

The money-making schemes run from low-yield CAPTCHA solving, to trading on information obtained by picking unpublished press releases off business sites, to disturbingly easy harvesting of Web mail passwords off e-commerce sites, to bending the rules by stacking hundreds of e-coupons on a single order and walking away with large purchases for next to nothing.

Or taking advantage of a flaw in functionality to get merchandise for nothing. This one was near and dear to my heart: goods that show up even though, as far as the site is concerned, you never bought them. Say you cancel an order while it’s still processing, get your refund, and UPS shows up with the goods 3-5 business days later nevertheless.
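The coupon-stacking scheme and the cancelled-but-shipped flaw above are both failures of the site’s own business logic rather than of its code, so they are easiest to see in a toy checkout. The block below is an added example written for this page; it is not code from the post, from the WhiteHat talk, or from any real e-tailer, and the coupon codes, discount amounts and order IDs are constructed. Each flaw is shown beside its fix: the coupon logic that honours every code it is sent next to one that enforces single use and stackability, and a fulfilment job that ships from a stale snapshot next to one that claims each order with an atomic compare-and-swap before anything leaves the warehouse.

```python
"""Two of the business-logic flaws from the talk, as toy checkout code.

Added example for illustration only; not from the post, the talk, or any
real e-commerce system. Coupon codes, amounts and order IDs are constructed.
"""
import threading
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Coupon:
    code: str
    amount: Decimal
    stackable: bool = False   # assumption: most coupons may not be combined


# Constructed coupon catalogue for the example.
COUPONS = {
    "SAVE10": Coupon("SAVE10", Decimal("10.00")),
    "SAVE25": Coupon("SAVE25", Decimal("25.00")),
    "FREESHIP": Coupon("FREESHIP", Decimal("5.00"), stackable=True),
}


def vulnerable_total(subtotal, codes):
    """Flaw 1: every submitted code is honoured, duplicates included, and the
    total is never floored, so many copies of one coupon drive it negative."""
    total = Decimal(subtotal)
    for code in codes:
        coupon = COUPONS.get(code)
        if coupon is not None:
            total -= coupon.amount
    return total


def hardened_total(subtotal, codes):
    """Fix: unknown codes are rejected, each code counts once, only one
    non-stackable coupon is allowed, and the total never goes below zero."""
    seen = set()
    discount = Decimal("0")
    used_non_stackable = False
    for code in codes:
        coupon = COUPONS.get(code)
        if coupon is None:
            raise ValueError(f"unknown coupon {code!r}")
        if code in seen:
            raise ValueError(f"coupon {code!r} already applied")
        if not coupon.stackable:
            if used_non_stackable:
                raise ValueError(f"coupon {code!r} cannot be combined")
            used_non_stackable = True
        seen.add(code)
        discount += coupon.amount
    return max(Decimal(subtotal) - discount, Decimal("0"))


class OrderStore:
    """In-memory order table. transition() is a compare-and-swap; in a real
    system it is UPDATE orders SET status=? WHERE id=? AND status=? with the
    affected row count checked."""

    def __init__(self):
        self._lock = threading.Lock()
        self.status = {}
        self.shipped = set()

    def create(self, order_id):
        self.status[order_id] = "pending"

    def transition(self, order_id, expected, new):
        with self._lock:
            if self.status.get(order_id) != expected:
                return False
            self.status[order_id] = new
            return True

    def pending(self):
        return [oid for oid, s in self.status.items() if s == "pending"]


def ship_batch_vulnerable(store, cancel_during_batch):
    """Flaw 2: the fulfilment job snapshots pending orders, the customer cancels
    (and is refunded) while the batch runs, and the job ships from the stale
    snapshot without rechecking: refund issued, goods shipped anyway."""
    batch = store.pending()
    if cancel_during_batch:
        for oid in batch:
            store.transition(oid, "pending", "cancelled")
    for oid in batch:
        store.shipped.add(oid)       # trusts the snapshot it took earlier
    return sorted(store.shipped)


def ship_batch_hardened(store, cancel_during_batch):
    """Fix: claim each order with an atomic pending->shipping transition just
    before shipping. A cancellation that won the race makes the claim fail; a
    cancellation attempted afterwards fails because the order is not pending."""
    batch = store.pending()
    if cancel_during_batch:
        for oid in batch:
            store.transition(oid, "pending", "cancelled")
    for oid in batch:
        if store.transition(oid, "pending", "shipping"):
            store.shipped.add(oid)
            store.transition(oid, "shipping", "shipped")
    return sorted(store.shipped)
```

The point of the second half is that the order status is the only thing that should decide whether goods leave the building, and that the decision must be made atomically at the moment of shipping, not from a list read seconds or minutes earlier. The same compare-and-swap pattern closes the reverse race too: once an order has been claimed for shipping, a late cancellation request finds it no longer pending and is refused, so the refund and the parcel can never both go out.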

When I was a kid, I collected stamps. I ordered five Egyptian mint stamps on approval, which meant I could send them back if I didn’t buy. They sent me more than a hundred assorted stamps on approval, and I kept them all.

The U.S. Federal Trade Commission (FTC) says unsolicited merchandise is yours to keep, but it’s one thing to profit from a one-off mistake and quite another to repeat the process and exploit the glitch for profit on purpose.

That’s the extent of how far I’ll bend my ethics though, so the e-tailer world is safe from me still, and the college bills are still coming.

But the message here is that there are many ways to rip off online businesses, some very technical, some not so much, some clearly illegal, some sort of, maybe. In any case, your company’s money is as good as gone.
