The ancient Chinese military strategy guide The Art of War says that if you want to have a chance of prevailing in battle, you need to know your enemy. It's good advice for the battlefield, and it's also good advice if you want to beat hackers in their constant attempts to take over your network.
But in order to know these hackers you need to understand their motivations, and in many cases those motivations may not be what you expect. That's according to Dan Kaminsky, the security expert who discovered a fundamental flaw in the Internet's Domain Name System (DNS) protocol in 2008 and who discovered flaws in the widely used SSL protocol a year later. Kaminsky is a frequent speaker at Black Hat Briefings, and now works as Chief Scientist at White Ops, a security firm specializing in detecting bot and malware fraud.
Cashing out compromised machines
"If you are a CIO you must ask why people are breaking in to your network. The answer is to get your data - eventually. But initially it is to defraud advertisers," Kaminsky says. "The major motivator for hackers is to commit click fraud as it provides a way to cash out a compromised machine. Only once they have done that will they look at what else they can do with the machine."
As companies catch on that a given machine is responsible for click fraud, that machine's ability to generate cash for the fraudsters drops dramatically until it has no further use to them. It's at that point that access to the compromised machine will be sold off to someone else to exploit, with servers in large enterprises commanding far higher prices than compromised run-of-the-mill consumer machines.
"There is a whole ecosystem out there," says Kaminsky. "One guy finds vulnerabilities, one guy deploys them, and then there are the guys who buy (compromised machines) afterwards and do all kinds of things with them." This, Kaminsky says, includes corporate data theft and the full gamut of other crimes.
No obvious victims
That leads to an interesting question about who the victims of click fraud really are, and Kaminsky says that it's not immediately obvious. "When you rob a bank, people are angry. But when you rob an advertiser, their numbers are up, so they are happy," he says. Many direct marketers also take the attitude that a certain amount of click fraud is factored into the price that they pay, so they may not be unduly worried or feel they are victims. In fact, on the advertising side very few people get angry, Kaminsky says.
But aside from the advertisers that have been defrauded, the other victims are the CIOs of large companies, says Kaminsky. "They are the victims as they are the people whose machines are taken over," he says. "If you are a CIO and your job is to protect the network, click fraud is the cause of a major class of threat that you have to deal with."