Lastly, we operated two adult web sites on our own. By becoming adult web site operators ourselves, we gained additional insights on unique security aspects in this domain. This enabled us to obtain a deeper understanding of the related abuse potential. We participated in adult traffic trading, and provide a detailed discussion of this unique aspect of adult web sites, including insights into the economical implications, and possible attack vectors that a malicious site operator could leverage. For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160. Furthermore, we experimentally show that a malicious site operator could benefit from domain-specific business practices that facilitate click-fraud and mass exploitation. We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild.
All details of our study are available in the paper. The paper will be presented at the Ninth Workshop on the Economics of Information Security (WEIS 2010). WEIS will take place on June 7/8 at Harvard University.
The online adult industry is among the most profitable business branches on the Internet, and its web sites attract large amounts of visitors and traffic. Nevertheless, no study has yet characterized the industry’s economical and security-related structure. As cyber-criminals are motivated by financial incentives, a deeper understanding and identification of the economic actors and interdependencies in the online adult business is important for analyzing security-related aspects of this industry.
In this paper, we provide a survey of the different economic roles that adult web sites assume, and highlight their economic and technical features. We provide insights into security flaws and potential points of interest for cyber-criminals. We achieve this by applying a combination of automatic and manual analysis techniques to investigate the economic structure of the online adult industry and its business cases. Furthermore, we also performed several experiments to gain a better understanding of the flow of visitors to these sites and the related cash flow, and report on the lessons learned while operating adult web sites on our own.
This paper was joint work with Gilbert Wondracek, Christian Platzer, Engin Kirda, and Christopher Kruegel, all members of the International Secure Systems Lab. You can get the paper at http://honeyblog.org/junkyard/paper/adultSites-weis2010.pdf.