Low-tech Internet scams net big money

Domino's Pizza lost about $77,000 in free pizza due to a weak password on an online promotion that wasn't supposed to go live - a type of security problem that is all too common, according to a presentation slated for the Black Hat USA conference this week.

A hacker guessed a promotional coupon code that authorized a free medium one-topping pizza and publicized the code, which got used about 11,000 times in 48 hours, according to Jeremiah Grossman, founder and CTO of White Hat Security, who will deliver the talk.

Black Hat's most notorious incidents: a quiz

Patrons ordering pizza online would put in their order then enter the code, essentially a password, into the "coupon" field on the site, he says.

The Domino's incident is one of about a dozen examples of how people can make money - not necessarily legally - off the Internet that Grossman will discuss in his briefing, called "Mo' Money Mo' Problems: Making A LOT More Money on the Web the Black Hat Way".

The person who guessed the Domono's password - BAILOUT - was never caught, Grossman says, and the promotion had been set up in the chain's system without getting the go-ahead. Many businesses authorize their marketing departments to set up such promotions without advice from their network security teams so they often lack anti-brute-force protections and lockouts, he says.

In another malicious guessing game, a man charged with scamming Apple out of 9,000 iPod Shuffles did so in part by guessing at legitimate Shuffle serial numbers, Grossman says.

He set up a phony Web business called iPod Mechanic that supposedly took in broken iPods and returned them for new ones under Apple's advanced replacement program. Apple required a legitimate iPod serial number and a credit card number to bill if Apple didn't receive the broken device, Grossman says.

The man used credit card numbers from Visa gift cards to satisfy pre-authentication for the replacement service, and using the known serial numbers of actual iPod Shuffle's, he guessed at others. When the new iPods arrived, he sold them on eBay for $49 each, Grossman says.

The scammer was caught because Apple's trademark protection people flagged the unauthorized use of iPod in the business' name, iPod Mechanic. Police found $571,000 in cash at the perpetrator's house, Grossman says.

He will also discuss how a British builder located lead-tile roofs in London via Google Earth, then scaled the buildings - mostly museums and historic buildings - to steal the tiles. Police estimate that he made off with about $1.64 million in lead during his spree.

Grossman says he plans to talk about a scheme that netted perpetrators a nine-figure payday as well as the Gmail attack that compromised Twitter business plans. His talk is a follow-up to last year's talk, "Get rich or die trying, making money on the Web the black hat way."

Third State Department snooper sentenced

A former employee of the U.S. Department of State who pleaded guiltyto improperly accessing electronic passport records belonging to more than 50 high-profile individuals was sentenced today to one year of probation.

Gerald Lueders, 65, of Woodbridge, Va., who worked as a foreign service officer at the State Department and later as a recruitment coordinator for the agency, was also ordered by U.S. Magistrate Judge Alan Kay in Washington D.C. to pay a $5,000 fine.

In January, Lueders admitted that between July 2005 and Feb. 2008 he had logged onto the State Department's Passport Information Electronic Records System (PIERS) database and viewed passport applications of several celebrities, athletes, media personnel, family members and others out of "idle curiosity."

Leuders is the third department employee to be sentenced forsnooping on the passport records of dozens of high-profile individuals including then-Senator Barack Obama and others.

Lawrence Yontz, also a former foreign service officer and intelligence analyst, pleaded guilty to illegally accessing more than 200 passport records last September, and was sentenced in December to one year probation and 50 hours of community service.

In March of this year, Dwayne Cross, a former administrative assistant and contract specialist at the department, was sentenced to 12 months of probation and 100 hours of community service after pleading guilty to improperly accessing about 150 electronic passport records. The snooping case came to light in March 2008, when the State Department disclosed that three contract employees had accessed passport records belonging to certain individuals without any valid reason for doing so.

At that time, the State Department had disclosed that the individuals whose identities had been improperly accessed included Senators Obama, John McCain and Hillary Clinton.

The department had described the individuals who accessed their records as being motivated by "imprudent curiosity." Though their illegal access was repeatedly flagged by an in-house computer system designed to catch such violations, supervisors downplayed the alerts. Two contract workers were later fired, while the third worker was disciplined but allowed to continue to work for the department.

The incident attracted considerable attention, with Obama calling it an "outrageous" privacy violation at the time.

Passport records contain information that is submitted by an individual when filling out an application form and can include details such as date and place of birth, physical attributes, naturalization details, family status and occupation and details from background checks.

The PIERS database in which the data is stored is a classified system with access limited strictly to government duties.

The State Department snooping incident is not the only example of insiders abusing their rights. Earlier this year, a Kaiser Permanente hospital near Los Angeles fired 15 employees and reprimanded eight others for improperly accessing the personal medical records of Nadya Suleman, the California woman who gave birth to octuplets in January.

In April 2008, the medical center at the University of California, Los Angeles, disclosed that as many as 165 doctors and other employees had improperly accessed the medical records of numerous celebrities, including Tom Cruise, Farah Fawcett and Britney Spears, over a period of as many as 13 years.