from www.internetevolution.com – Any discussion of the online adult, or porn, industry provokes polarized views. It is not an easy subject to approach from any angle because of the taboo surrounding these sites, a taboo that has also benefited cybercriminals, who learned very quickly in the early days of the Internet that users of such services were open to all manner of exploitation.
Estimates on the online adult industry are surprisingly sparse. At least one slightly dated overview holds that the market represents over $25 billion in annual revenues; adult sites regularly populate the Top 50 most visited worldwide; and 42 percent of all Internet users access adult material.
At the same time, adult sites pose 5 to 6 times the risk of infection from malware, the study says, and 35 percent of “free” sites with adult content mislead users or try to manipulate them.
Data on security issues related to adult sites is even harder to come by. A rare and recent academic study, “Is the Internet for Porn?”, gives clear evidence of questionable practices and business models unique to the adult industry, ones that leave plenty of scope for cybercrime.
Following my recent posting about DotXXX here on Internet Evolution, I was able to obtain the view of a representative of the adult industry media, Stephen Yagielowicz, senior editor of Xbiz.com. In an email exchange, I got his candid views on a few issues about adult industry insecurity and its associated relationship with cybercriminal activity. I was also interested in whether the mainstream Internet could learn valuable lessons on security from the adult industry.
Stephen was quite open about the “insidious criminal enterprises” that, he insisted, give the adult industry a bad name and are not at all a welcome part of the business. After all, in whose interest would it be to promote these practices?
“Problems such as malware drops, rogue codecs, executable ‘viewer’ software, and social engineering attacks, among other exploits, are a persistent threat to surfers, but they are not limited to sites offering adult content,” Stephen said. The biggest problem, as he sees it, comes from “adult industry hobbyists and underskilled operators” using outdated scripting, leaving open vulnerabilities. “Because they don’t know any better, they unwittingly provide a platform for the spreading of malware by opportunistic hackers.”
As noted in the recent academic study cited above, which is corroborated by analysis from HostExploit.com, an estimated 35 percent of “free” adult sites engage in some form of user manipulation. But only an estimated 10 percent of adult pay sites use these techniques.
Stephen said: “Most free sites ‘skim’ a certain percentage of clicks that are redirected as a traffic exchange/building mechanism, whereas pay sites are trying to keep you and make a sale. Of course, once those sales efforts are exhausted, you may be redirected — but affiliates take a dim view of these traffic leaks, so they may not be as common as one would suspect on pay sites. Traffic trading and the scripts enabling it are common and accepted — think of being traded as the unexpected commercial during the movie you’re watching.”
According to HostExploit’s malware checks, it is very rare to find actual malware distribution on adult sites, which suggests that most Web page infection is due to insecure hosting or Web design rather than to the operators themselves.
“While some criminals may use free porn as the bait for installing malware, this is not the adult industry. Carelessness or criminality, the cause is secondary to the chaos — and both give adult a black eye.”
So what can we learn from the adult industry in terms of security? Stay out of “enemy” territory, for one thing.
“As for keeping out the bad guys, I’m a big believer in limiting the adult site’s audience right from the beginning — as countries that have historically been difficult to bill, or have shown exceptionally poor conversion ratios, also tend to generate the most fraud and exploit attempts,” Stephen asserts. “Below a certain risk/revenue threshold, smart operators will redirect traffic from these countries elsewhere — if you cannot make a sale, then there is no good reason to waste your resources and risk your infrastructure.”
That makes a great deal of sense. While adult-site Webmasters can deploy tools such as Phantom Frog, which uses “geo-IP” tracking to prevent password abuse and brute-force attacks, it is better still to stay away from countries or traffic sources your firm would never sell to or have any interest in anyway.
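The two defensive ideas above, a per-country risk/revenue threshold that decides whether to serve or redirect traffic, and a geo-aware check for password-abuse patterns, as an added Python example that is not from the article, from Xbiz, or from Phantom Frog. The per-country figures, the login records and the threshold value are all constructed for illustration.

```python
from collections import Counter
import math

# Constructed per-country figures for one billing window (hypothetical,
# not from the article): gross sales and fraud/exploit events observed.
COUNTRY_STATS = {
    "AA": {"revenue": 12000.0, "fraud_events": 3},
    "BB": {"revenue": 250.0, "fraud_events": 40},
    "CC": {"revenue": 0.0, "fraud_events": 12},
    "DD": {"revenue": 3000.0, "fraud_events": 0},
}

def risk_ratio(revenue, fraud_events):
    """Fraud events per dollar earned; fraud with no revenue at all is infinite risk."""
    if revenue <= 0:
        return math.inf if fraud_events > 0 else 0.0
    return fraud_events / revenue

def routing_decision(country, threshold=0.01, stats=COUNTRY_STATS):
    """Return 'serve' if the country is worth the exposure, else 'redirect'.
    A country with no sales history is treated as 'redirect', following the
    article's logic that traffic you cannot bill is not worth the risk."""
    entry = stats.get(country)
    if entry is None:
        return "redirect"
    ratio = risk_ratio(entry["revenue"], entry["fraud_events"])
    return "serve" if ratio <= threshold else "redirect"

# Constructed login records: (source IP, geo-IP country, username, succeeded).
LOGIN_ATTEMPTS = [
    ("198.51.100.7", "BB", "alice", False),
    ("198.51.100.7", "BB", "bob", False),
    ("198.51.100.7", "BB", "carol", False),
    ("198.51.100.7", "BB", "dave", False),
    ("198.51.100.7", "BB", "erin", False),
    ("198.51.100.7", "BB", "frank", False),
    ("203.0.113.9", "AA", "alice", False),
    ("203.0.113.9", "AA", "alice", True),
]

def brute_force_sources(attempts, max_failures=5):
    """Map source IP -> (country, failed logins) for IPs that exceed max_failures,
    the password-abuse pattern a geo-aware blocker is meant to catch."""
    failures = Counter()
    origin = {}
    for ip, country, _user, ok in attempts:
        if not ok:
            failures[ip] += 1
            origin[ip] = country
    return {ip: (origin[ip], n) for ip, n in failures.items() if n > max_failures}
```

Feeding a flagged IP's country back into routing_decision is how the two checks combine: a source that both fails the revenue test and shows the failure pattern is redirected before it reaches the login form.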