Researchers set up adult Web sites to study how the industry makes its money and spreads malware.
A first-of-its-kind analysis of the online porn industry reveals the economics, and the vulnerabilities, of the shady world of online adult media.
If you want to know how the online adult industry works, you must become a part of that industry. That's what five security researchers from The Technical University of Vienna, Eurecom and UC Santa Barbara did in an attempt to get a handle on how the adult industry makes money online. And they found that it's exposing everyone who consumes its wares to previously unsuspected levels of malware.
Peddling Porn in the Name of Science
By setting up their own adult websites, the researchers, who will present their paper at The Ninth Workshop on the Economics of Information Security at Harvard University, discovered that 43% of the clicks that arrived at their own adult website belonged to users whose browsers were vulnerable to a known exploit in either Adobe Flash or the handling of the Microsoft Office or Adobe PDF document types.
Lead researcher Gilbert Wondracek and his colleagues spent a total of $160 to acquire 47,000 clicks from sellers of adult traffic, known in the industry as traffic brokers, of which 20,000 could have been exploited to build a botnet, according to the researchers. The researchers discovered that they easily could have leveraged their investment for a hefty profit by serving as the vector for a Pay-Per-Install affiliate program, which in one instance offered $130 per 1,000 installs to drop malicious code (malware, adware, etc.) onto exploited machines.
To assess how much malicious code is being injected into users' browsers by adult websites, Wondracek et al. custom-built an automated web crawler to download the content of almost a half million URLs spread across thousands of adult websites. Incredibly, 3.23% of those pages "were found to trigger malicious behavior such as code execution, registry changes, or executable downloads," five times the prevalence of malware discovered by previous research on the subject.
In a back-of-the-envelope calculation, multiplying 3.23% by the percentage of internet users who view porn (42.7%), or even just the percentage of men who view porn while at work (20%), and by the frequency with which porn is accessed, suggests that internet porn is a major vector for infection of vulnerable machines.
The Peculiar Economics of Online Porn
A likely explanation for the high rates of malware on adult websites is the almost total lack of policing or enforcement by the brokers who move traffic between adult websites. According to Wondracek et al.'s analysis of the economy of online porn sites, 9 out of 10 are "free" sites that host image or video galleries and make money by directing traffic to pay sites or even to one another. This traffic is monetized through traffic brokers - the majority of which do not even visit the sites in their affiliate networks, according to experiments conducted by the researchers.
Unlike online ad placements by Google and affiliate marketing schemes by Amazon, adult sites do not rely on code that resides on the sites sending them traffic that could help verify that traffic is generated by humans and not click bots. As a result, the researchers found that it would potentially be quite easy to defraud not only users, but the traffic brokers and for-pay porn sites that enable the vast ecosystem of free adult media sites. (No users or brokers were actually harmed in the course of this research, which was vetted by the legal department of the Technical University of Vienna.)
The intricacies of the elaborate system of traffic arbitrage that has grown up around the world of porn traffic direction on the web are way beyond the scope of this blog post, but it's possible that the rest of the media world could learn a thing or two from the way that for-pay adult sites have created a seething ecosystem of traffic affiliates constantly skimming clicks and pennies off of one another.
On the other hand, it's just as likely that these techniques wouldn't work for traditional media, because users don't appear to be as motivated to read news as to find porn. How else can we explain the fact that in the course of the experiment, users clicked many times on single links that were randomly directing them to anything but the media they were apparently after - a practice widespread among free porn sites?
Fake ID cards
A pack of photo paper, laminating sheets, spray glue: it sounds like a list of things you need for the school art class. In fact they are ingredients for a fake identity card. Add a dash of Photoshop expertise, and you can earn yourself £1,000 (about $1,500) a week, according to a former vendor, a privately educated British schoolboy, who used to sell fake cards at £25 a time to his classmates.
The trade is even more profitable in America. Because the legal drinking age is 21, demand is higher and buyers are richer. An ex-student says he was able to sell bogus IDs for $120 each. Whereas he found holograms and bar codes on American driving licences easy to forge, he failed to copy the magnetic strips. Unwisely, perhaps, some American states are now phasing out licences with magnetic strips in favour of cheaper ones with bar codes.
The business of forged identity cards is booming, particularly in the Anglosphere. A study in 2009 of American university students found that 17% of freshmen and 32% of seniors owned a false ID. Today the numbers are even higher, experts reckon. Bars near American campuses have started to ask for two kinds of identification.
The use of fake IDs is spreading around the world. China has no great taboo against under-age drinking, so bar owners seldom check. But getting into an internet cafe is more difficult. One well-known place to get a card is the east gate of Renmin University in Beijing. Merchants there report that they can make 100,000 yuan ($16,000) a year.
Fake IDs used to be easy to detect, at least by experts, says Geoff Slagle of the American Association of Motor Vehicle Administrators. The main problem, he says, was 'flashpassers': youths who flash their cards at uninterested barmaids, who do nothing but check the photo on the card.
Yet technology has given the fake ID business a boost. With today's software and printers, good fakes are easier to make. Counterfeiters no longer need to produce one document at a time; the latest gear allows for mass-production. And since orders can be taken over the internet, the producers no longer need to be close to their customers.
At the same time, IDs themselves have become more sophisticated. This has driven counterfeiters to invest more and raise prices. A decade ago, a good fake card could be bought for between $35 and $50, according to David Myers, an identity-card expert in Florida. Now people have to be prepared to pay ten times more.
As a result, many ID mills have gone online and are now based in China and other Asian countries, where costs are low and forgers hard to prosecute. A popular site is ID Chief. "We are at it again. Here is the Mississippi license," it touts in its latest offer, which charges $200 for two cards. On August 6th four American senators sent a letter to the Chinese ambassador, asking the country to close down such firms. (Editor's update: ID Chief has since announced that it would close.)
Western countries could do something about the problem themselves. One improvement would be to introduce a standard national ID card, particularly in America. Not only does each state issue its own driving licence, but there are also numerous other official identity cards. Five years ago Mr Myers counted 542. The figure has since grown, he says.
Fighting technology with technology seems most promising - by replacing ID cards with phones. In Britain a new scheme called Touch2id encodes fingerprints and proof of age on a smart sticker that is to be attached to a mobile. To get served, youths need to swipe their phone over a chip-reader and have their fingerprints scanned.
An overseas counterfeiter would have a hard time tricking such a system, says Edgar Whitley of the London School of Economics. Yet it is also pricey: the Touch2id scanners cost £200 each. Without government mandates or cash to pay for installing such devices, fake IDs are here to stay.