Wars Within
9/2006
Orlando Padilla
xbud@g0thead.com


1) Foreword

Abstract: In this paper I will uncover the information exchange of what
may be classified as one of the highest money making schemes coordinated
by 'organized crime'. I will elaborate on information gathered from a
third party individual directly involved in all aspects of the scheme at
play. I will provide a detailed explanation of this market's origin,
followed by a brief description of some of the actions strategically
performed by these individuals in order to ensure their success.
Finally, I will elaborate on real world examples of how a single person
can be labeled a spammer, malware author, cracker, and an entrepreneur
gone thief. For the purposes of avoiding any legal matters, and
unwanted media, I will refrain from mentioning the names of any
individuals and corporations who are involved in the schemes described
in this paper.

Disclaimer: This document is written with an educational interest and I
cannot be held liable for any outcome of the information released.

Thanks: vax, Shannon and Katelynn


2) Introduction

It is inherently obvious to anyone who owns a computer that the Internet
has changed the world around us in a significant number of ways. From
an uncountable number of careers to a world-wide open market, it
drastically affected everything around us. Don't worry though, I will
not bore you with another "The future will look like this ..."
article. For that, I will refer you to a great book by Michio Kaku
called Visions that is remarkably accurate considering it was written in
the mid 90's. But anyway, why am I restating the obvious? To allow
myself to focus on one not so obvious division of an existing market
developed by a corporation that had previously filed for bankruptcy. I
will elaborate on how it "innovated" one particular market and how that
change resulted in a ripple of disaster and greed. The market is real
estate and my focus is on mortgage leads.

The idea of finding, selling and stealing leads is anything but new; in
fact Hollywood made a movie based entirely on the importance of sales
leads titled 'Boiler Room' starring Giovanni Ribisi, Ben Affleck and Vin
Diesel. The movie illustrates a perfect example of the significance of
even one major lead.

I will begin by explaining what mortgage leads are, why they are worth
writing a paper about and how certain individuals have made millions off
of them. I will then discuss the roles of the connected individuals and
how they continue to work when trust is the single point of failure. My
decision to write this article is nothing more than informational; I
have no intentions of ruining the lives of the people who make a living
from what I am about to discuss. In fact, it is to my knowledge not
much of a secret at all but I found it fascinating and wish to share my
experiences with anyone willing to listen.


3) Guidance

As I was growing up, my parents discouraged me from working while
attending school. They made a genuine attempt to provide for me the
support that I needed so that I could focus exclusively on my academics.
Their reasoning for this was simple - Once you start making money,
you'll forget what is important in life and will simply want to follow
this path. As you read through this paper, ask yourself how true this
actually is.

Financial gain drives every market around the world, and quite honestly
there are very few things the world as a whole has not yet done for
money. To quantify what my parents believe, I will describe how the
lives of the people involved vary from the lives they once lived, and
from the lives of a person working a nine-to-five job.


4) The Entity

Mortgage leads, referred to as leads from this point on, are nothing
more than a selective set of criteria consisting of the following:

First Name
Last Name
Phone
City
State
Zip
Email
Loan Type
Loan Amount
Affiliate ID
Domain Ref.
Date

Each lead must contain at least the above criteria, with the exception of
perhaps Affiliate ID and Domain Reference, to be worth anything to a
buyer. Furthermore, the more reliable a set of leads is, the more it is
worth to a buyer. A buyer? You ask. Well, financing firms are
indirectly involved in this scheme; finance firms take the information
you sold to them, and follow up with the people allegedly interested in
buying, refinancing or applying for a home loan.


4.1) Background

To fully understand who is selling the collected information and to
elaborate on who is buying the information listed above, I'll introduce
hypothetical Corporation A to play the role of the real company. Corp.
A is a mortgage firm on the fall; not only are they on the verge of
closing shop but they have already filed for Chapter 11 bankruptcy and
are out of viable options for recovery. As a last resort they decide to
offer money in exchange for possible loan application candidate leads.
This quickly gained momentum as the Internet was a prime place for
accumulating such information. The plan eventually imploded, but before
diving into what the outcome was, I'll elaborate on how this truly
became its own market.


4.2) Numbers

Initially each collector averaged about 200 leads per sale, which drove
just enough profits to keep the company afloat. The term collector in
this paper, in its loosest sense, is a name given to an individual who
collects mortgage leads for the purpose of attaining a profit. A lead
was first bought at a flat rate of 10 US dollars, so at an average of
200 per sale the profit for the collector was a comfortable 2,000 US
dollars. On the flip side of things, Corp. A was successfully
conducting business averaging about 10 sales for every 100 leads they
bought. With these numbers consistently coming through, Corp. A made a
profit of about 10,000 US dollars for every successful sale. A little
math illustrates the return on investment ratio for one purchase of 200
leads, which at that rate yields about 20 sales:

    Investment:           200 x 10        = 2,000
    Average Profit:       10,000 x 20     = 200,000
    Return on Investment: 200,000 - 2,000 = 198,000

Based on the collection of an insignificant amount of information,
collectors aggressively innovated their collection methods. I will
elaborate on what I mean shortly. For now, I will focus on what happened
immediately after.

New collection methods drove the lead delivery out of control and soon
Corp. A was inundated with so many leads that they had to start turning
them down until they figured out how to process the volume. In order to
handle the number of leads they were now attaining, they decided to
partner with smaller companies and sell them the overflow. Corp. A was
now growing exponentially fast, and in a period of roughly five to six
years, this simple idea drove Corp. A from bankruptcy to a multi-billion
dollar corporation. It is actually rumored that at one point in time
this company consumed 100 of the mortgage leads ever processed in the
United States.

People and greed do not mix very well, and as I mentioned earlier,
collectors and partners wanted more money, so soon other companies began
buying leads from collectors too. I argue that at the time the mortgage
industry was large enough for everyone to profit nicely from it; however,
greedy collectors began selling bogus or non-exclusive leads. This
forced mortgage firms to develop a loose classification model for
grading the quality of a lead as an addition to the classification of
the leads themselves.

- Exclusive

An exclusive lead is one that is sold only to one mortgage firm and never again
redistributed. The value of these leads was often higher than non-exclusive, or
as they decided to term them, semi-exclusive leads.

- Semi-Exclusive

Yes, semi-exclusive. I honestly cannot define this, as this is an
oxymoron itself, but someone somewhere decided to call non-exclusive
leads semi-exclusive to allow them to be resold. It's a nice euphemism,
though. (An individual who wishes to stay anonymous informed me of terms
commonly used.)

Grade   | Description
--------+-----------------------------------------------------
Green   | Confirmed Valid Lead
Yellow  | Characteristics of a bad lead but enough good to buy
Red     | Confirmed Invalid Lead

The reliability of a bulk set is assessed by the person buying them at
the time of sale. The person interested in buying the leads takes a
random set from the bulk he is receiving and personally verifies their
validity. A rating is then given depending on the number of missed
leads he finds. The grading is different with every person you deal
with, but in short a lead is only Green if validated. A validated lead
is one that is confirmed through the person whose information was sold
to begin with (the loan application candidate). A yellow lead is a lead
with all information accurate but the candidate was either not home or
for some reason was not available. Last, a red lead is a confirmed
invalid or bogus lead. A number of things can give away a bad lead: for
example, a Zip code and State that do not match, or a name given as John
Doe with an address containing Elm Street, are probably indications of a
bad lead.


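The red-flag checks and the buyer's sample grading described above can
be sketched as follows. This is an added example, not code from the
original paper; the field names, the partial ZIP table, the optional
"address" field, the callback outcomes and the sample leads are all
constructed for illustration.

```python
import random
from collections import Counter

# Fields the page lists as mandatory (Affiliate ID and Domain Ref. are optional).
REQUIRED = ("first", "last", "phone", "city", "state", "zip",
            "email", "loan_type", "loan_amount", "date")
# First ZIP digit -> states in that region. Partial table covering the sample
# data only; ZIP codes starting with any other digit are not checked.
ZIP_REGION = {"1": {"DE", "NY", "PA"}, "3": {"AL", "FL", "GA", "MS", "TN"},
              "7": {"AR", "LA", "OK", "TX"}, "9": {"AK", "CA", "HI", "OR", "WA"}}
PLACEHOLDER_NAMES = {("john", "doe"), ("jane", "doe")}

def red_flags(lead):
    """Reasons a lead looks bogus before anyone picks up the phone."""
    flags = [f"missing {f}" for f in REQUIRED if not str(lead.get(f, "")).strip()]
    states = ZIP_REGION.get(str(lead.get("zip", ""))[:1])
    if states is not None and str(lead.get("state", "")).upper() not in states:
        flags.append("zip/state mismatch")
    name = (str(lead.get("first", "")).lower(), str(lead.get("last", "")).lower())
    if name in PLACEHOLDER_NAMES:
        flags.append("placeholder name")
    # "address" is an assumed extra field; the page's field list has no street.
    if "elm street" in str(lead.get("address", "")).lower():
        flags.append("placeholder address")
    return flags

def grade(lead, callback):
    """callback is the outcome of the verification call:
    'confirmed', 'unreachable' or 'denied'."""
    if red_flags(lead) or callback == "denied":
        return "Red"
    return "Green" if callback == "confirmed" else "Yellow"

def rate_bulk(leads, callbacks, sample_size, seed=None):
    """Grade a random sample of a bulk set, as the buyer does at time of sale.
    Returns (grade counts, Red count per affiliate ID) for the sample."""
    rng = random.Random(seed)
    picked = rng.sample(range(len(leads)), min(sample_size, len(leads)))
    grades, red_by_affiliate = Counter(), Counter()
    for i in picked:
        g = grade(leads[i], callbacks[i])
        grades[g] += 1
        if g == "Red":
            red_by_affiliate[leads[i].get("affiliate_id", "unknown")] += 1
    return grades, red_by_affiliate

def _lead(**overrides):
    base = dict(first="Ana", last="Ruiz", phone="555-0100", city="Austin",
                state="TX", zip="78701", email="ana@example.com",
                loan_type="refinance", loan_amount=150000,
                date="2006-09-01", affiliate_id="A17")
    return {**base, **overrides}

# Constructed sample bulk and call outcomes (not real data).
SAMPLE = [
    _lead(),
    _lead(first="John", last="Doe", affiliate_id="B02"),
    _lead(state="NY", affiliate_id="B02"),          # 78701 is a Texas ZIP
    _lead(phone=""),
    _lead(city="Miami", state="FL", zip="33101"),
]
CALLBACKS = ["confirmed", "confirmed", "confirmed", "unreachable", "unreachable"]
```

Counting Red leads per affiliate ID shows which source is feeding bogus
records into a bulk set, which a per-lead grade alone does not reveal.
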
5) The War

Now that I have indulged you with the whereabouts and importance of a
lead, I will discuss how they are obtained. I mentioned above how far an
individual would go as a result of greed. Below I describe their
actions, which outline their (at times) unethical behavior and
persistence to attain more of the goods.


5.1) Self Indulgence

When the collector decides to go a straight route (in terms of their
industry), they can invest some time and money into setting up an
infrastructure to lure potential clients to their web site. They first
need to build a site that resembles a loan agency that allows visitors
to send their applications to them. Once the collector has a website
saving information to a database, he hires mailers or spammers to
advertise his website. The average return on spam has been extremely
dynamic, and with more advanced filtering mechanisms in place, all a
spammer can hope for is more effective evasion methods. The leads
collected through this method are, on average, valued between eight and
twelve US dollars per lead only because they are exclusive opt-ins
(i.e. no one else should have this information as they obtained it
directly from the client). An opt-in is a user who wishes to receive
information regarding the service or product you provide. There have
been instances when leads are scarce, however, and opt-ins sold for over
twenty US dollars a lead. Semi-exclusive (or non-exclusive) leads on
the other hand are usually half or less than the price of an exclusive
lead.

The second method of collection is not as trivial as the first one
sounds, although the first is a bit more involved than I actually
described. I will elaborate further on what it takes to successfully
build the infrastructure described above shortly.


5.2) Thievery

Thievery obviously refers to stealing, and to steal, the collector has
to choose from an abundance of targets. Essentially, anyone
constructing an environment to collect leads themselves is a possible
target. Things fall into place fairly easily for a collector wanting to
find more targets -- recall how collectors use mailers as resources to
advertise their websites? This is a pretty viable method for collection;
however, alternative methods do exist and collectors use any and all
possible enumeration methods they can think of. First, let's dive into
the details of what collectors looking to construct websites need to do
before hiring mailers since this is directly related to the enumeration
of targets.


5.3) Setting up an Infrastructure

So far all this seems pretty straightforward; they set up a webserver to
collect information about the people interested in mortgage loans and
the mailers responsible for advertising get a sales commission for leads
collected by their spam run. (Spam: unsolicited e-mail, often of a
commercial nature, sent indiscriminately to multiple mailing lists,
individuals, or newsgroups; junk e-mail.) To complete the cycle, the
people interested in loans receive an email which sparks their interest
and they navigate to the link found in the email. Collectors are usually
ambitious and make an eager attempt at keeping their domains, websites,
and mailers going round the clock. In the United States it is illegal
to spam a person without their consent, and using spam to advertise a
website (the loan forms) hosted on a webserver in the US is not too
common, though such sites do exist. The easiest thing for a collector to
do is to find a hosting provider in a communist country with no regard
for the content placed on their servers. The technical term for this
type of service is bullet-proof-hosting. (A bullet-proof-host is a node
on a provider's network with extremely loose Terms of Service, often
allowing them to spam or host any content they wish. Usually the
provider resides in a third world or communist country.) The average
price for such a service is about 2,500 US dollars a month. An
alternative to dishing out large amounts of cash for hosting services is
using a bot network (a distributed collection of agents, or bots,
connected and controlled by a central authority). Usually though, bot
networks are pretty dynamic and don't fit the necessary requirements to
host this type of content. If a collector pays a mailer to spam his site
for two or three days and the host goes down the first night (because of
an unreliable bot host) a lot is lost, and so generally experienced
folks tend to pay for reliable hosting.

Often, the businesses providing the bullet-proof-hosting servers are
relatively well known, and if they are known so is their allotted IP
space. This, in turn, makes finding servers hosting mortgage
applications a piece of cake. All one has to do is scan a known IP
segment for specific criteria and keep track of those that fit the
profile. Once a worthy target list has been collected, the attacks
follow. An interesting fact about the individuals' involvement in this
industry is that nothing either one is doing is really all that legal.
This, in fact, allows an attacker to launch whatever type of attack he
wants on the victim machine with little to no worry about legal
repercussions. Often a collection machine will have several required
services open to the Internet, for example: http, ssh, ftp, mysql or
mssql and sometimes an administrative web interface. The scope of an
attack is unlimited and the number of man hours invested directly
reflects on the amount of traffic the victim website attracts. It is
even pretty common for certain prowlers to lease a server from the same
segment the victim machine is on simply to increase their odds of
breaching the host. The following briefly describes common attack
practices launched against victim websites.

- Brute-force Enumeration

An attacker will attempt to guess login and password pairs on any if
not all of these services. Usually this kind of attack is not too
stealthy, but remember there is little worry - I mean the victim
cannot simply pick up the phone and call his lawyer, can he?

- SQL Injection

If any of the web interfaces are accessible through the site, SQL
injection attacks are another vector for entry. Although the success
ratio of SQL injection is now relatively low, there is still some
low hanging fruit to find and be assured someone greedy and
ambitious enough will find it.

- Classic Attacks

With the massively large number of exploits developed and released to
the public daily, searching and launching attacks is a frequent action.
This sometimes opens up a new market for exploit writers looking to
make some quick cash. Collectors can advertise the need for an exploit
and place a price on a particular application. There are even online
auctions that have been built specifically for this purpose.

- Passive / Passive Aggressive

When an attacker decides to lease a machine on the same segment, it
is usually because they failed to remotely compromise the victim's
machine. As a last resort they can do several things to retrieve
the information they are looking for. The attacker can launch an
ARP Poisoning attack and sniff all the incoming traffic to the
victim machines, an attacker can simply redirect all the client
requests to himself and collect the leads himself, or even hope for
the victim himself to log on and perform a man-in-the-middle attack to
passively collect credentials.


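From the side of whoever operates a host on a shared hosting segment,
the ARP poisoning case above shows up as a change in the neighbour
table. The following is an added example, not part of the original
paper: it compares two `arp -an` style snapshots and reports an IP whose
MAC address changed and a MAC that answers for several IPs. The
addresses and snapshots are constructed.

```python
import re

# Matches lines such as: ? (192.0.2.1) at 02:00:00:00:00:01 [ether] on eth0
ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp(text):
    """Map IP -> MAC from `arp -an` style output; incomplete entries are skipped."""
    return {m["ip"]: m["mac"].lower() for m in ARP_LINE.finditer(text)}


def arp_alerts(before, after, gateway):
    """Compare two neighbour-table snapshots taken on the same segment."""
    alerts = []
    # An IP that suddenly resolves to a different MAC is the classic symptom.
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            label = "gateway" if ip == gateway else "host"
            alerts.append(f"{label} {ip} moved {old} -> {mac}")
    # One MAC claiming several IPs often means one machine is impersonating others.
    owners = {}
    for ip, mac in after.items():
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {', '.join(sorted(ips))}")
    return alerts


# Constructed snapshots: in AFTER the gateway's entry now carries the MAC of
# the neighbouring machine 192.0.2.66.
BEFORE = """\
? (192.0.2.1) at 02:00:00:00:00:01 [ether] on eth0
? (192.0.2.20) at 02:00:00:00:00:20 [ether] on eth0
? (192.0.2.66) at 02:00:00:00:00:66 [ether] on eth0
"""
AFTER = """\
? (192.0.2.1) at 02:00:00:00:00:66 [ether] on eth0
? (192.0.2.20) at 02:00:00:00:00:20 [ether] on eth0
? (192.0.2.66) at 02:00:00:00:00:66 [ether] on eth0
? (192.0.2.9) at <incomplete> on eth0
"""
```

A MAC that legitimately holds several addresses (aliases, a router) will
also trigger the second alert, so the gateway change is the stronger
signal of the two.
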
6) More on The Money

In this section, I will associate the roles described above with the
amount of money they can generate. As described earlier, the mailer
serves as the core distributor of an advertising campaign. As a company
would pay a marketing company for it to advertise its products, a
collector pays a mailer to generate leads (e.g. advertise and generate
revenue). He can also simply take matters into his or her own hands and
do the dirty work himself. If a mailer is hired, however, there is a
nifty procedure in place to properly track what a mailer collects. Each
mailer is given a unique ID number and the link spammed in each email
contains the ID number. When a client submits information regarding his
loan inquiry, the mailer's ID number is included and the collector now
has a record of how many leads a mailer is generating. This method of
tracking referrals is well adopted in most spam/advertising related
industries online. The majority of spyware and adware vendors leverage
this method of tracking to pay their affiliates.

A single spam run can be as large as two million emails. The time
needed to complete a run that big depends on a few key factors - the
method used for distribution and the spam software being used. If a
decent sized list of proxies is used you can send an average of about
forty thousand emails per half hour using Dark Mailer. With a little
math we can compute that transmitting two million emails would take
about twenty-five hours. Moreover, if I were to shoot low and say that
.01 percent of two million emails from a single spam run actually
worked, the return for the collector on exclusive leads is about 200
leads per mailer, which at 10 dollars a lead results in about 2,000 USD.
The mailers receive on average about 8 per referral and can usually
track their statistics through a web-based front end tracking their
return on time investment in real-time.


7) The Disaster

So far, I've covered in fairly good detail the structure of what was
once a falling corporation taking a 180 degree turn and rising straight
back up to the top. It is too well known though, that what goes up must
come down and twice as fast as it went up.

The core of the problems started out when mailers began to falsify the
content of the spam for their collectors. Mailers noticed that the
lower the rate they advertised the more traffic they would drive to the
collector's website. More traffic indicated a higher collection of
leads which resulted in more money. Whether the mailers were aware of
the laws before they did what they did is unknown to me but their lies
resulted in lawsuits unfolding from all sides. Unhappy individuals
who had been promised a 1.9 - 2.5 interest rate on a loan began filing
lawsuits against the collectors. This resulted in a fairly large
chain of angry partners. The hierarchy below indicates the ripple of
disaster that came about.


8) Conclusion

It is fair to say that ambition can get the best out of people. Indeed,
I'm sure these individuals are trying their best to make a profit out of
this endeavor. Unfortunately, it is not the most appropriate way to
make a living; it does however show that their perception is a bit
different. Most of them feel that by staying away from selling drugs
and pornography online, they are not hurting anyone and simply taking
advantage of a good way to make some money. In retrospect, I agree, but
I refuse to condone spam for any reason; it consumes countless corporate
man hours and is a general nuisance to anyone who receives email.


A. References

Spammer-X, "Inside the spam cartel." http://www.oreilly.com/catalog/1932266860/.
Boiler Room, http://www.imdb.com/title/tt0181984/.