Wars Within
9/2006
Orlando Padilla
xbud@g0thead.com
1) Foreword
Abstract: In this paper I will uncover the information exchange of what
may be classified as one of the highest money making schemes coordinated
by 'organized crime'. I will elaborate on information gathered from a
third party individual directly involved in all aspects of the scheme at
play. I will provide a detailed explanation of this market's origin,
followed by a brief description of some of the actions strategically
performed by these individuals in order to ensure their success.
Finally, I will elaborate on real world examples of how a single person
can be labeled a spammer, malware author, cracker, and an entrepreneur
gone thief. For the purposes of avoiding any legal matters, and
unwanted media, I will refrain from mentioning the names of any
individuals and corporations who are involved in the schemes described
in this paper.
Disclaimer: This document is written with an educational interest and I
cannot be held liable for any outcome of the information released.
Thanks: vax, Shannon and Katelynn
2) Introduction
It is inherently obvious to anyone who owns a computer that the Internet
has changed the world around us in a significant number of ways. From
an uncountable number of careers to a world-wide open market, it
drastically affected everything around us. Don't worry though, I will
not bore you with another ``The future will look like this ... ''
article. For that, I will refer you to a great book by Michio Kaku
called Visions that is remarkably accurate considering it was written in
the mid 90's. But anyway, why am I restating the obvious? To allow
myself to focus on one not so obvious division of an existing market
developed by a corporation that had previously filed for bankruptcy. I
will elaborate on how it "innovated" one particular market and how that
change resulted in a ripple of disaster and greed. The market is real
estate and my focus is on mortgage leads.
The idea of finding, selling and stealing leads is anything but new, in
fact Hollywood made a movie based entirely on the importance of sales
leads titled 'Boiler Room' starring Giovanni Ribisi, Ben Affleck and Vin
Diesel. The movie illustrates a perfect example of the significance of
even one major lead.
I will begin by explaining what mortgage leads are, why they are worth
writing a paper about and how certain individuals have made millions off
of them. I will then discuss the roles of the connected individuals and
how they continue to work when trust is the single point of failure. My
decision to write this article is nothing more than informational, I
have no intentions of ruining the lives of the people who make a living
from what I am about to discuss. In fact, it is to my knowledge not
much of a secret at all but I found it fascinating and wish to share my
experiences with anyone willing to listen.
3) Guidance
As I was growing up, my parents discouraged me from working while
attending school. They made a genuine attempt to provide for me the
support that I needed so that I could focus exclusively on my academics.
Their reasoning for this was simple - Once you start making money,
you'll forget what is important in life and will simply want to follow
this path. As you read through this paper, ask yourself how true this
actually is.
Financial gain drives every market around the world, and quite honestly
there are very few things the world as a whole has not yet done for
money. To quantify what my parents believe, I will describe how the
lives of the people involved vary from the lives they once lived, and
from the lives of a person working a nine-to-five job.
4) The Entity
Mortgage leads, referred to as leads from this point on, are nothing
more than a selective set of criteria consisting of the following:
First Name
Last Name
Phone
City
State
Zip
Email
Loan Type
Loan Amount
Affiliate ID
Domain Ref.
Date
Each lead must contain at least the above criteria with the exception of
perhaps Affiliate ID and Domain Reference to be worth anything to a
buyer. Furthermore, the more reliable a set of leads is, the more it is
worth to a buyer. A buyer? You ask. Well, financing firms are
indirectly involved in this scheme; finance firms take the information
you sold to them, and follow up with the people allegedly interested in
buying, refinancing or applying for a home loan.
4.1) Background
To fully understand who is selling the collected information and to
elaborate on who is buying the information listed above, I'll introduce
hypothetical Corporation A to play the role of the real company. Corp.
A is a mortgage firm on the fall; not only are they on the verge of
closing shop but they have already filed for Chapter 11 bankruptcy and
are out of viable options for recovery. As a last resort they decide to
offer money in exchange for possible loan application candidate leads.
This quickly gained momentum as the Internet was a prime place for
accumulating such information. The plan eventually imploded, but before
diving into what the outcome was, I'll elaborate on how this truly
became its own market.
4.2) Numbers
Initially each collector averaged about 200 leads per sale which drove
just enough profits to keep the company afloat. The term collector in
this paper in its loosest sense is a name given to an individual who
collects mortgage leads for the purpose of attaining a profit. A lead
was first bought at a flat rate of 10 US dollars, which, at an average
of 200 per sale, made the profit for the collector a comfortable 2,000
US dollars. On the flip side of things, Corp. A was successfully
conducting business averaging about 10 sales for every 100 leads they
bought. With these numbers consistently coming through Corp. A made a
profit of about 10,000 US dollars for every successful sale. A little
math illustrates the return on investment ratio:
Investment: 200 x 10 = 2000
Average Profit: 10,000 x 20 = 200,000
Return on Investment: 200,000 - 2,000 = 198,000
Based on the collection of an insignificant amount of information,
collectors aggressively innovated their collection methods. I will
elaborate on what I mean shortly. For now, I will focus on what happened
immediately after.
New collection methods drove the lead delivery out of control and soon
Corp. A was inundated with so many leads that they had to start turning
them down until they figured out how to process the volume. In order to
handle the number of leads they were now attaining, they decided to
partner with smaller companies and sell them the overflow. Corp. A was
now growing exponentially fast, and in a period of roughly five to six
years, this simple idea drove Corp. A from bankruptcy to a multi-billion
dollar corporation. It is actually rumored that at one point in time
this company consumed 100% of the mortgage leads ever processed in the
United States.
People and greed do not mix very well, and as I mentioned earlier,
collectors and partners wanted more money, so soon other companies began
buying leads from collectors too. I argue that at the time the mortgage
industry was large enough for everyone to profit nicely from it, however
greedy collectors began selling bogus or non-exclusive leads. This
forced mortgage firms to develop a loose classification model for
grading the quality of a lead as an addition to the classification of
the leads themselves.
- Exclusive
An exclusive lead is one that is sold only to one mortgage firm and never again
redistributed. The value of these leads was often higher than non-exclusive, or
as they decided to term them, semi-exclusive leads.
- Semi-Exclusive
Yes, semi-exclusive. I honestly cannot define this, as this is an
oxymoron itself, but someone somewhere decided to call non-exclusive
leads semi-exclusive to allow them to be resold. It's a nice euphemism,
though. (An individual who wishes to stay anonymous informed me of terms
commonly used.)
Grade | Description
--------+-------------
Green | Confirmed Valid Lead
Yellow | Characteristics of a bad lead but enough good to buy
Red | Confirmed Invalid Lead
The reliability of a bulk set is assessed by the person buying them at
the time of sale. The person interested in buying the leads takes a
random set from the bulk he is receiving and personally verifies their
validity. A rating is then given depending on the number of missed
leads he finds. The grading is different with every person you deal
with, but in short a lead is only Green if validated. A validated lead
is one that is confirmed through the person whose information was sold
to begin with (the loan application candidate). A yellow
lead is a lead with all information accurate but the candidate was
either not home or for some reason was not available. Last, a red lead
is a confirmed invalid or bogus lead. A number of things can give away
a bad lead; for example, a Zip code and State that do not match, or a
given name of John Doe with an address containing Elm Street, are
probably indications of a bad lead.
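The grading described above can be written down as a short check. The following is an added example, not part of the original paper: the field names, the partial table of leading ZIP digits per state, the placeholder-name list and the contact outcomes ('confirmed', 'unreachable', 'denied') are assumptions, and the sample leads are constructed.

```python
import random
import re

# Fields the paper lists as mandatory (Affiliate ID and Domain Ref. are optional).
REQUIRED = ("first_name", "last_name", "phone", "city", "state", "zip",
            "email", "loan_type", "loan_amount", "date")
# Assumption: partial table of the leading ZIP digit(s) in use for a few states.
ZIP_FIRST_DIGIT = {"NY": "01", "TX": "78", "CA": "9", "IL": "6", "FL": "3"}
PLACEHOLDER_NAMES = {("john", "doe"), ("jane", "doe")}

def red_flags(lead):
    """Static giveaways of a bogus lead, checked before any follow-up call."""
    flags = ["missing " + f for f in REQUIRED if not str(lead.get(f, "")).strip()]
    zip5, state = str(lead.get("zip", "")), str(lead.get("state", "")).upper()
    if not re.fullmatch(r"\d{5}", zip5):
        flags.append("malformed zip")
    elif state in ZIP_FIRST_DIGIT and zip5[0] not in ZIP_FIRST_DIGIT[state]:
        flags.append("zip/state mismatch")
    name = (str(lead.get("first_name", "")).lower(),
            str(lead.get("last_name", "")).lower())
    if name in PLACEHOLDER_NAMES:
        flags.append("placeholder name")
    return flags

def grade(lead, contact):
    """contact is the follow-up outcome: 'confirmed', 'unreachable' or 'denied'."""
    if red_flags(lead) or contact == "denied":
        return "Red"
    return "Green" if contact == "confirmed" else "Yellow"

def rate_bulk(leads, contact_outcome, sample_size, seed=None):
    """Grade a random sample of a bulk set, as a buyer does at the time of sale."""
    sample = random.Random(seed).sample(leads, min(sample_size, len(leads)))
    counts = {"Green": 0, "Yellow": 0, "Red": 0}
    for lead in sample:
        counts[grade(lead, contact_outcome(lead))] += 1
    return counts

def make_lead(**overrides):
    """Constructed sample record; every value here is made up."""
    base = dict(first_name="Ana", last_name="Ruiz", phone="555-0100",
                city="Austin", state="TX", zip="78701", email="ana@example.com",
                loan_type="refinance", loan_amount="180000", date="2006-09-01")
    base.update(overrides)
    return base

SAMPLE_BULK = [make_lead(), make_lead(first_name="John", last_name="Doe"),
               make_lead(state="CA"), make_lead(email="")]
```

A state missing from the partial table is treated as not checkable rather than as a mismatch, so the check only ever turns a lead Red on evidence it actually has.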
5) The War
Now that I have indulged you with the whereabouts and importance of a
lead, I will discuss how they are obtained. I mentioned above how far an
individual would go as a result of greed. Below I describe their
actions, which outline their (at times) unethical behavior and
persistence to attain more of the goods.
5.1) Self Indulgence
When the collector decides to go a straight route (in terms of their
industry), they can invest some time and money into setting up an
infrastructure to lure potential clients to their web site. They first
need to build a site that resembles a loan agency that allows visitors
to send their applications to them. Once the collector has a website
saving information to a database, he now hires mailers or spammers to
advertise his website. The average return on spam has been extremely
dynamic, and with more advanced filtering mechanisms in place, all a
spammer can hope for is more effective evasion methods. The leads
collected through this method are, on average, valued between eight and
twelve US dollars per lead only because they are exclusive opt-ins
(i.e. no one else should have this information as they obtained it
directly from the client). An opt-in is a user who wishes to receive
information regarding the service or product you provide. There have
been instances when leads are scarce, however, and opt-ins sold for over
twenty US dollars a lead. Semi-exclusive (or non-exclusive) leads, on
the other hand, are usually half or less than the price of an exclusive
lead.
The second method of collection is not as trivial as the first one
sounds, although the first is a bit more involved than I actually
described. I will elaborate further on what it takes to successfully
build the infrastructure described above shortly.
5.2) Thievery
Thievery obviously refers to stealing, and to steal, the collector has
to choose from an abundance of targets. Essentially, anyone
constructing an environment to collect leads themselves is a possible
target. Things fall into place fairly easily for a collector wanting to
find more targets -- recall how collectors use mailers as resources to
advertise their websites? This is a pretty viable method for collection;
however, alternative methods do exist and collectors use any and all
possible enumeration methods they can think of. First, let's dive into
the details of what collectors looking to construct websites need to do
before hiring mailers since this is directly related to the enumeration
of targets.
5.3) Setting up an Infrastructure
So far all this seems pretty straightforward; they set up a webserver to
collect information about the people interested in mortgage loans and
the mailers responsible for advertising get a sales commission for leads
collected by their spam run. (Spam is unsolicited e-mail, often of a
commercial nature, sent indiscriminately to multiple mailing lists,
individuals, or newsgroups; junk e-mail.) To complete the cycle, the
people interested in loans receive an email which sparks their interest
and they navigate to the link found in the email. Collectors are usually
ambitious and make an eager attempt at keeping their domains, websites,
and mailers going round the clock. In the United States it is illegal
to spam a person without their consent, and to use spam as advertisement
to a website (the loan forms) hosted on a webserver in the US is not too
common but they do exist. The easiest thing for a collector to do is to
find a hosting provider in a communist country with no regard for the
content placed on their servers. The technical term for this type of
service is bullet-proof-hosting. (A bullet-proof-host is a node on a
provider's network with extremely loose Terms of Service, often allowing
them to spam or host any content they wish. Usually the provider resides
in a third world or communist country.) The average price for such a
service is about 2,500 US dollars a month. An alternative to dishing out
large amounts of cash for hosting services is using a bot network (a
distributed collection of agents (bots) connected and controlled by a
central authority). Usually though, bot networks are pretty dynamic and
don't fit the necessary requirements to host this type of content. If a
collector pays a mailer to spam his site for two or three days and the
host goes down the first night (because of an unreliable bot host) a lot
is lost and so generally experienced folks tend to pay for reliable
hosting.
Often, the businesses providing the bullet-proof-hosting servers are
relatively well known, and if they are known so is their allotted IP
space. This, in turn, makes finding servers hosting mortgage
applications a piece of cake. All one has to do is scan a known IP
segment for specific criteria and keep track of those that fit the
profile. Once a worthy target list has been collected, the attacks
follow. An interesting fact about the individuals' involvement in this
industry is that nothing either one is doing is really all that legal.
This, in fact, allows an attacker to launch whatever type of attack he
wants on the victim machine with little to no worry about legal
repercussions. Often a collection machine will have several required
services open to the Internet, for example: http, ssh, ftp, mysql or
mssql and sometimes an administrative web interface. The scope of an
attack is unlimited and the number of man hours invested directly
reflects on the amount of traffic the victim website attracts. It is
even pretty common for certain prowlers to lease a server from the same
segment the victim machine is on simply to increase their odds of
breaching the host. The following shortly describes common attack
practices launched against victim websites.
- Brute-force Enumeration
An attacker will attempt to guess login and password pairs on any if
not all of these services. Usually this kind of attack is not too
stealthy, but remember there is little worry - I mean the victim
cannot simply pick up the phone and call his lawyer can he?
- SQL Injection
If any of the web interfaces are accessible through the site, SQL
injection attacks are another vector for entry. Although the success
ratio of SQL injection is now relatively low, there is still some
low-hanging fruit to find, and be assured someone greedy and
ambitious enough will find it.
- Classic Attacks
With the massively large number of exploits developed and released to
the public daily, searching and launching attacks is a frequent action.
This sometimes opens up a new market for exploit writers looking to
make some quick cash. Collectors can advertise the need for an exploit
and place a price on a particular application. There are even online
auctions that have been built specifically for this purpose.
- Passive / Passive Aggressive
When an attacker decides to lease a machine on the same segment, it
is usually because they failed to remotely compromise the victim's
machine. As a last resort they can do several things to retrieve
the information they are looking for. The attacker can launch an
ARP Poisoning attack and sniff all the incoming traffic to the
victim machines, simply redirect all the client requests to himself
and collect the leads himself, or even hope for the victim himself
to log on and perform a man-in-the-middle attack to passively
collect credentials.
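From the victim's side, the same-segment attack in the last item shows up as ARP replies that move an IP address to a different MAC. The following added example (not from the original paper) parses raw ARP replies and flags such rebinds; the addresses and the capture are constructed, and `pinned` stands in for a statically configured gateway entry.

```python
import socket
import struct

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def sample_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Constructed Ethernet + ARP reply frame, used only as offline sample input."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)  # Ethernet, IPv4, opcode 2 = reply
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None for anything but IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sender_mac = ":".join("%02x" % b for b in frame[22:28])
    return opcode, sender_mac, socket.inet_ntoa(frame[28:32])

def detect_rebinds(frames, pinned=None):
    """Report replies whose sender MAC differs from the first (or pinned) MAC for an IP."""
    bindings = dict(pinned or {})  # ip -> MAC we trust for it
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != 2:  # only ARP replies carry the claim
            continue
        _, mac, ip = parsed
        expected = bindings.setdefault(ip, mac)
        if mac != expected:
            alerts.append({"ip": ip, "expected": expected, "seen": mac})
    return alerts

# Constructed capture: gateway and web host answer, then a neighbour claims both.
GATEWAY, WEB, NEIGHBOUR = "00:00:5e:00:53:01", "00:00:5e:00:53:10", "00:00:5e:00:53:66"
CAPTURE = [
    sample_reply(GATEWAY, "192.0.2.1", WEB, "192.0.2.10"),
    sample_reply(WEB, "192.0.2.10", GATEWAY, "192.0.2.1"),
    sample_reply(NEIGHBOUR, "192.0.2.10", GATEWAY, "192.0.2.1"),
    sample_reply(NEIGHBOUR, "192.0.2.1", WEB, "192.0.2.10"),
    b"\x00" * 60,  # non-ARP frame, ignored by the parser
]
```

Without `pinned`, the first MAC seen for an address is trusted, so a binding learned after the poisoning started would be accepted; pinning the gateway's MAC closes that gap.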
6) More on The Money
In this section, I will associate the roles described above with the
amount of money they can generate. As described earlier, the mailer
serves as the core distributor of an advertising campaign. As a company
would pay a marketing company for it to advertise its products, a
collector pays a mailer to generate leads (e.g. advertise and generate
revenue). He can also simply take matters into his or her own hands and
do the dirty work himself. If a mailer is hired, however, there is a
nifty procedure in place to properly track what a mailer collects. Each
mailer is given a unique ID number and the link spammed in each email
contains the ID number. When a client submits information regarding his
loan inquiry, the mailer's ID number is included and the collector now
has record of how many leads a mailer is generating. This method of
tracking referrals is well adopted in most spam/advertising related
industries online. The majority of spyware and adware vendors leverage
this method of tracking to pay their affiliates.
A single spam run can be as large as two million emails. The time
needed to complete a run that big depends on a few key factors - the
method used for distribution and the spam software being used. If a
decent sized list of proxies is used you can send an average of about
forty thousand emails per half hour using Dark Mailer. With a little
math we can compute that transmitting two million emails would take
about twenty-five hours. Moreover, if I were to shoot low and say that
.01 percent of two million emails from a single spam run actually
worked, the return for the collector on exclusive leads is about 200
leads per mailer, which at 10 dollars a lead comes to about 2,000 USD. The
mailers receive on average about 8 per referral and can usually track
their statistics through a web-based front end tracking their return on
time investment in real-time.
7) The Disaster
So far, I've covered in fairly good detail the structure of what was
once a falling corporation taking a 180 degree turn and rising straight
back up to the top. It is too well known though, that what goes up must
come down and twice as fast as it went up.
The core of the problems started out when mailers began to falsify the
content of the spam for their collectors. Mailers noticed that the
lower the rate they advertised the more traffic they would drive to the
collector's website. More traffic indicated a higher collection of
leads which resulted in more money. Whether the mailers were aware of
the laws before they did what they did is unknown to me but their lies
resulted in lawsuits unfolding from all sides. Unhappy individuals
who had been promised a 1.9 - 2.5% interest rate on a loan began filing
lawsuits against the collectors. This resulted in a fairly large
chain of angry partners. The hierarchy below indicates the ripple of
disaster that came about.
8) Conclusion
It is fair to say that ambition can get the best out of people. Indeed,
I'm sure these individuals are trying their best to make a profit out of
this endeavor. Unfortunately, it is not the most appropriate way to
make a living; it does however show that their perception is a bit
different. Most of them feel that by staying away from selling drugs
and pornography online, they are not hurting anyone and simply taking
advantage of a good way to make some money. In retrospect, I agree, but
I refuse to condone spam for any reason, it consumes countless corporate
man hours and is a general nuisance to anyone who receives email.
A. References
Spammer-X, ``Inside the spam cartel.'' http://www.oreilly.com/catalog/1932266860/.
Boiler Room, http://www.imdb.com/title/tt0181984/.