
"Blackhat" Methods and Consequences

Discussion in 'BlackHat Lounge' started by Elliot305, Dec 22, 2016.

  1. Elliot305

    Elliot305 Jr. VIP

    Joined:
    Jul 21, 2010
    Messages:
    547
    Likes Received:
    1,514
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    So there's a nice debate going on here about BHW not being blackhat anymore. I've seen a theme not only in that thread, but throughout many threads on people being confused with criminal blackhat versus civil blackhat and the consequences/risks of each. In this thread I hope to give people an inside perspective on what I've encountered over the years and perhaps they can make a more informed decision. I'm not a lawyer so just gonna talk about a few of my experiences rather than the law itself.

    Alright so first we need to form some basic assumptions to get our baseline:

    Standard Blackhat Criminal Activity: Carding, hacking, theft of property, theft of info, etc. This kind of discussion isn't tolerated here and rightfully so. I don't involve myself with it or with people doing it.

    Standard Blackhat Civil Activity: Anything that violates a website's ToS (100s of examples could be named so I'll skip doing that). This is what I focus on.

    Moral Compass: What you're morally willing to do without taking any legal consequences into consideration.

    Risk Tolerance: Taking into consideration and accepting the consequences of your actions if caught (civil or otherwise).

    End Game/Exit Strategy: What your final objective is.

    I know the above sounds all serious but it's something that every marketer should face/consider before doing ANY kind of marketing tactic that violates a rule/policy. It's something that I've considered time and time again since I needed to evaluate if something was worth pursuing. Since I don't partake in criminal activity we're just gonna throw that option out and focus on the civil liability aspects of doing blackhat methods since 99% of the blackhat discussions here are civil based.

    I'll provide a few examples of situations I've been in and how I avoided any consequences (since that should supersede any monetary gain).

    Situation 1:

    Back in 2003 I learned about a hustle that lawyers used in order to extract settlements out of companies that violated debt collection laws. Fast forward to 2005ish and I find out several prosecutors from various states were investigating me for doing the same practice. I knew the law was on my side, and just because I didn't have a degree on my wall but knew my rights didn't mean I was no longer entitled to them. I stood my ground and continued on, knowing that I had case law/precedent on my side. Not once were any charges brought cause they had no case to make. I was simply playing the system just like every lawyer was doing.

    Lesson:

    You need to think practically about a situation before getting involved in it. Ask yourself about morality, your risk tolerance, potential of crossing over into criminal territory and finally your end game. For instance, there's a difference between buying coupons to get 400k in free facebook/bing/google advertising and what Mr. Grunin did (albeit his case was still civil). I'm not sure if he had an end game as he could have gotten out clean with FB once they told him to stop, but he kept at it. Once a company finds you and puts you on official notice to stop, you stop! If it gets to the courts and they tell you to stop and you don't, you're in contempt and go to jail.

    In my situation if I sent random lawsuits with fake claims to businesses demanding money to make the case go away, well, I would have served time. But since I knew the game these lawyers were playing against debt collectors I followed their script and turned what I did away from a criminal action on its face into a sustainable biz model backed-up by law.

    Situation 2:

    In '07 I found an opportunity to spam Adwords with ringtone listings. This continued for 6 months or so and I noticed Shoemoney wrote a couple blog posts about it. That had me a little concerned cause whenever a large company gets publicly exposed for weaknesses they tend to hit back hard at the people doing it. After having an anonymous conversation with him I learned the FBI got involved since some people were copying the method but using stolen credit cards instead. I figured it was the right time to exit the method as things were getting too hot.

    Lesson:

    If you're abusing a platform it's always a good practice to try and get an insider perspective on what they're thinking or planning on doing in reaction to your actions. Look at the company's blog posts, call them, check their Twitter account or check for any communications they've sent to you. In one instance a company knew I was using throwaway email accounts so they would communicate by changing my campaign names and leaving me messages such as, "we're onto you" or "we're gonna find out who you are" etc. In Google's case they contacted my affiliate network but thankfully they had my back (screenshot not preserved here).

    To follow that up you should always check with the affiliate network to make sure they're cool with what you're doing. Be transparent but don't tell them everything. If the exploited company can't find you then they'll check your aff links to see what network and advertiser is working with you. Google had leverage against Azoogle in which the network forced me to change my method up some but I was able to continue on till the FBI talk came about.

    Situation 3:

    A couple years ago I got into exploiting online casinos. I'm not smart enough to know how to hack into a server (nor would I) so needed to find out a different approach. I quickly realized that a lot of casinos coded the games themselves and failed to secure the structures of the game client-side, allowing me to break them with simple free software and manipulate certain aspects of the game. The casinos were running illegally in the US anyway, so I knew they didn't have many options for recourse. Problem was one in particular had another option (screenshot not preserved here).

    Lesson:

    Be careful using blackhat methods against smaller companies cause they're more likely to respond on a personal level. Annoying executives or security teams at Fortune 50 companies is one thing, but when you're affecting a small business, things can go sideways pretty quick. Luckily for me I was offering consulting at the time and they took me up on the offer rather than, who knows.

    Closing

    There are many degrees/interpretations of what blackhat methods are. Sure, going strictly by the book you're "breaking the law" if you have a fake FB or IG account or whatever, just like you're breaking the law if jaywalking. Before you dive into violating a company's ToS you need to first understand what you're trying to extract out of the company, when to exit, what your risk tolerance is and the possible consequences of pulling it all off. Don't let me or anyone here impose upon you how far you should take it, only you can answer that.

    Thanks for your time reading this.
     
    Last edited: Dec 22, 2016
  2. elavmunretea

    elavmunretea BANNED

    Joined:
    May 14, 2016
    Messages:
    1,579
    Likes Received:
    2,091
    Ok
     
  3. Sherbert Hoover

    Sherbert Hoover Executive VIP

    Joined:
    Dec 26, 2010
    Messages:
    999
    Likes Received:
    8,064
    Occupation:
    ORM - Branding - Content
    Location:
    United States
    Home Page:
    Ok
     
  4. Sherbert Hoover

    Sherbert Hoover Executive VIP

    Joined:
    Dec 26, 2010
    Messages:
    999
    Likes Received:
    8,064
    Occupation:
    ORM - Branding - Content
    Location:
    United States
    Home Page:
    I work mid-level for a billion-dollar financial corporation who is looking for someone to do pen testing on our reporting servers, Elliot. Shoot me a PM if this is something up your alley. Your posts make me want to punch you in the face repeatedly, but you seem to know your niche and are well-worded enough to know how to communicate.
     
  5. Asif WILSON Khan

    Asif WILSON Khan Executive VIP

    Joined:
    Nov 10, 2012
    Messages:
    11,478
    Likes Received:
    32,421
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    Bottom line, if you can't do the time, don't do the crime.
    Always look at the worst case scenario and if you won't be able to deal with it then don't do it.
    Carry out due diligence with everything you do and protect yourself to the max.
    I have pushed things in the past and have been in trouble with the law previously, on more than one occasion but as I grow older I am becoming risk averse and it would take serious serious moolah for me to risk jeopardizing my family life.
     
  6. Skyebug77

    Skyebug77 Jr. VIP

    Joined:
    Mar 22, 2012
    Messages:
    1,940
    Likes Received:
    1,360
    Occupation:
    Marketing
    Location:
    Portland, OR
    Thanks for posting this. A lot of people think BHW isn't BH anymore. I would say the opposite. You can still find plenty of Black hat methods being used. For example, ad cloaking, likejacking, spamming, content locking, bots of all sorts.

    For some reason, people have it in their mind that if something is illegal, then it is BH. But I see BH as doing things outside the norms or standards of normal marketing. A lot of members have migrated to more white hat methods as they grow and get older, but this forum is no doubt very Black Hat in terms of how we learn, share, discuss things and most importantly in our own natures. There is something inside of us that identifies us as this BHW community, at least that's what I like to think.
     
  7. SnoopyDrew

    SnoopyDrew Senior Member

    Joined:
    Jun 25, 2014
    Messages:
    1,146
    Likes Received:
    623
    Gender:
    Male
    Occupation:
    Affiliate Marketing And SEO
    Location:
    Oregon
    i once ate a bandaid
     
  8. MLworkonline

    MLworkonline Registered Member

    Joined:
    Feb 4, 2015
    Messages:
    66
    Likes Received:
    16
    waiiiit....

    .....so my secondary facebook account for tinder use is "against the law"?

    against TOS sure, but....

    whaaaaat?
     
  9. MikeyMikey13

    MikeyMikey13 Senior Member

    Joined:
    May 25, 2014
    Messages:
    1,053
    Likes Received:
    266
    If it has a name on it which isn't yours, yes (whether the person is real or not).

    Maybe I should make a facebook with all your information, contact your employer with derogatory remarks and see how you would feel about no legal action being available to you lol
     
  10. Motherdex

    Motherdex Regular Member

    Joined:
    Dec 31, 2015
    Messages:
    333
    Likes Received:
    87
    Gender:
    Female
    What law is being violated just by having two FB accounts (assuming one of which is a fictitious name)?

    Your example above - the violation of the law is not having a second FB.. it would be impersonation, harassment, etc..

    I figured it is what you do with the account that may be a law violation while just having them is a TOS violation.
     
  11. davids355

    davids355 Jr. VIP

    Joined:
    Apr 25, 2011
    Messages:
    9,844
    Likes Received:
    7,462
    Home Page:
    I just like the distinction between black hat crime and black hat seo. A lot of people seem to be confused about that when they arrive here so nice one for clearing that up.
     
  12. NobelNerd

    NobelNerd Power Member

    Joined:
    Feb 21, 2013
    Messages:
    703
    Likes Received:
    265
    Occupation:
    Digital Marketing
    Location:
    India
    My two cents

    1. There is no moral compass, no one has it
    2. Ahem, you don't know how bad carding is ..
     
  13. Elliot305

    Elliot305 Jr. VIP

    Joined:
    Jul 21, 2010
    Messages:
    547
    Likes Received:
    1,514
    Occupation:
    Loophole/Exploit Specialist
    Location:
    In The Sun
    My reference to fake or multiple accounts was in regards to civil liability, not criminal. Although if you commit crimes using the accounts it becomes a criminal issue. Violating ToS of a site could expose someone to civil penalties based on breach of contract (or countless variations of it). FB can even allege "unauthorized use/access of its computers" if you have multiple accounts (just like they did with Grunin). Before you get all worried, there needs to be common sense applied of course. ToS are usually broad in scope so practically everyone has violated them at one point or another.
     
  14. MikeyMikey13

    MikeyMikey13 Senior Member

    Joined:
    May 25, 2014
    Messages:
    1,053
    Likes Received:
    266
    Identity theft, plain and simple.

    Not to mention libel depending on what you do with the fictitious identity. In the UK you do not even need to intend to impersonate the person (the person suing you) in a libel claim.

    It'll be slightly different everywhere, but generally harmonization of law keeps it in line. But this applies in Texas:

    Sec. 33.07. ONLINE IMPERSONATION. (a) A person commits an offense if the person, without obtaining the other person's consent and with the intent to harm, defraud, intimidate, or threaten any person, uses the name or persona of another person to:

    (1) create a web page on a commercial social networking site or other Internet website; or

    (2) post or send one or more messages on or through a commercial social networking site or other Internet website, other than on or through an electronic mail program or message board program.

    (b) A person commits an offense if the person sends an electronic mail, instant message, text message, or similar communication that references a name, domain address, phone number, or other item of identifying information belonging to any person:

    (1) without obtaining the other person's consent;

    (2) with the intent to cause a recipient of the communication to reasonably believe that the other person authorized or transmitted the communication; and

    (3) with the intent to harm or defraud any person.

    (c) An offense under Subsection (a) is a felony of the third degree. An offense under Subsection (b) is a Class A misdemeanor, except that the offense is a felony of the third degree if the actor commits the offense with the intent to solicit a response by emergency personnel.

    (d) If conduct that constitutes an offense under this section also constitutes an offense under any other law, the actor may be prosecuted under this section, the other law, or both.

    (e) It is a defense to prosecution under this section that the actor is any of the following entities or that the actor's conduct consisted solely of action taken as an employee of any of the following entities:

    (1) a commercial social networking site;

    (2) an Internet service provider;

    (3) an interactive computer service, as defined by 47 U.S.C. Section 230;

    (4) a telecommunications provider, as defined by Section 51.002, Utilities Code; or

    (5) a video service provider or cable service provider, as defined by Section 66.002, Utilities Code.

    (f) In this section:

    (1) "Commercial social networking site" means any business, organization, or other similar entity operating a website that permits persons to become registered users for the purpose of establishing personal relationships with other users through direct or real-time communication with other users or the creation of web pages or profiles available to the public or to other users. The term does not include an electronic mail program or a message board program.

    (2) "Identifying information" has the meaning assigned by Section 32.51.