
On a scale of 1-13, how illegal is this?

Discussion in 'Making Money' started by Phobos, Jun 28, 2017.

  1. Phobos

    Phobos Registered Member

    Hey BHW. Old old member here. One of my business associates is starting a business and asked for assistance - I know one of you geniuses will have a solid $0.02 to contribute to this.

    He's started a business that specifically helps small businesses with website security (think sites built with Joomla, Drupal etc.). He wants to do lead generation in the following way:

    1. Run penetration / vulnerability checks on a bulk list of websites
    2. If there are serious vulnerabilities found, email the website owners a report and a quotation to fix.

    That's it, really.

    I had serious misgivings though - according to my initial preliminary research, penetration-testing websites you do not own is a crime in several countries, hence I've advised him to HOLD OFF until there is a definitive answer on this.

    So - what's the good word? Immoral? Unethical? Downright illegal?

    Does anyone have experience with this and is willing to contribute?

    *EDIT*: Fixed a typo
     
  2. I know SEO

    I know SEO Marketplace Mod Moderator

    Probably not the best idea...

    You could use this:
    https://builtwith.com/

    Find websites that use plugins/systems/themes with common vulnerabilities and contact them based on that?

    This way you don't actually have to hack anyone or do anything.
     
  3. Phobos

    Phobos Registered Member

    @I know SEO exactly - that's where the list of websites will come from.

    Also an easy way to find websites with probable malware is playing around with site:www.newcompany.com (<insert illegal drug pill name here>)
     
  4. cherub

    cherub Regular Member

    As long as you're offering people help rather than trying to take advantage of vulnerabilities, I see nothing wrong with it - good luck!
     
  5. Phobos

    Phobos Registered Member

    Oh absolutely. This is all from the place of adding massive value to clients by making them aware of potential vulnerabilities - offering them a step-by-step list of actions they can take (or hire a VA for) - and then offering to "Do It For Them" for a sum of money.
     
  6. davids355

    davids355 Jr. VIP Jr. VIP

    Really depends how you do it - if he successfully hacks in / uploads a payload or something, then it's not a good idea, probably legal, and is going to be a bad start to a customer relationship - if someone called me and said "hey, I just hacked into your website", I wouldn't hire them in a million years.

    However, if someone called me and said by the way, I noticed a few issues with your site - it seems like your install is out of date, and you are using a few insecure plugins, did you know that makes you susceptible to XYZ vulnerability?
     
  7. BrPimp

    BrPimp Newbie

    There are many ways of approaching a pentest. I think that if your friend does the reconnaissance of possible targets passively and without actively exploiting flaws, he should be legally safe.
     
  8. Phobos

    Phobos Registered Member

    Great points. It's about sending over the intention really clearly. And coming from a place of concern / offering value.
     
  9. Phobos

    Phobos Registered Member

    Exactly, you nailed it. Small problem - a techy friend of mine said it's virtually impossible to analyze a few specific points of attack (he gave me the example of SQL injection) without actively harming the website - which is definitely illegal, according to everything I've read to date.
     
  10. BrPimp

    BrPimp Newbie

    Your friend sounds right: some flaws can't be found without actively exploiting the web application with active attacks like SQL injection or XSS, and definitely breaking some laws.
     
  11. EagerToEarn

    EagerToEarn Regular Member

    Some d*ckhead owner can take advantage of what your friend is doing, like blaming your friend for damaging the website and stuff. So be careful.
     
  12. davids355

    davids355 Jr. VIP Jr. VIP

    Exactly. And also being open and helpful - it's ok to send some details, enough that the prospect can see that you really know your stuff but hopefully then thinks - this is too complex for me to deal with I'll hire this guy because he seems like an expert.
     
  13. staypositive

    staypositive Jr. VIP Jr. VIP

    Your friend = You? haha

    Don't try anything that is risky, mate; there are many other methods to get $.
     
  14. SensualTyrannosaurus

    SensualTyrannosaurus Jr. VIP Jr. VIP

    When you say "informing," does that mean you're going to put up a sales page on their homepage after you've successfully penetrated? :D
     
  15. pressrelease

    pressrelease Power Member

    Bad business idea: as soon as you inform them, they will contact the agency which is handling their website or their IT team, so basically you will be doing charity. Maybe out of 100 you may find 2 or 3 actual conversions.
     
  16. Phobos

    Phobos Registered Member

    My friend = my business partner haha

    Thank you for your reply - yes, a huge majority of the websites will have their own IT people. Thankfully, that's the easy part - as their business partner I'm going to have my tech guy automate the process of finding vulnerabilities, creating a report, and emailing out to clients - a 2% or 3% conversion rate with close to no human effort involved works great for us. I'm just concerned about the legality of it all, and from my research it's looking okay for now.
     
  17. Themanhere

    Themanhere Junior Member

    Sounds like a solid idea, but if you want to make sure they actually pay instead of getting it fixed themselves, you should hit them with ransomware so only you can fix it. If you fancy trying your hand at real world marketing, go one step further and find out their home address - research is important at this stage, as you'll want to kidnap their favourite loved one. After 24 hours, they'll be begging to buy any service you have to offer, so send the customer to a squeeze page with you holding a gun in one hand and a timer in the other. I've been studying marketing psychology for a while; nothing pushes people to buy quite like the fear of loss coupled with a deadline. Make sure you fill the squeeze page with other customer testimonials so they know you mean business.

    On a serious note, so long as you don't damage anything (accidentally or otherwise), and simply point out vulnerabilities that require some level of expertise to fix (otherwise they'll just fix it themselves), then I can't see an issue. Although if you're contacting webmasters via email, you'll have to experiment with clever subjects / opening lines, as most will just assume they're phishing scams.
     
  18. bossofthebosses

    bossofthebosses Jr. VIP Jr. VIP

    Another idea: contact the webmaster first and offer him a free website check; if he agrees, get him to sign a document where it will be written someplace that you will somehow try to do 'ethical hacking' bla bla and shits. Then do the test with his site, give him the report and offer your service.
     
  19. Phobos

    Phobos Registered Member

    HAHAHAHAHAHA this made me laugh out loud - well played sir.

    >>>you'll have to experiment with clever subjects / opening lines

    Like the name of this thread? ;)

    Exactly, excellent. We were planning that as an upsell - they give us express written consent to do active penetration on their website (XSS, SQLi) and then charge upper 3 figures or 4 figures to fix. Our plan is to prospect ecommerce/email marketing businesses that we establish do enough business to justify these costs. All great points. Thank you for your incredibly useful input.
     
  20. pressrelease

    pressrelease Power Member

    It seems ok, as you are not hacking but informing them. There are a lot of firms doing the same task, namely Norton, Kaspersky, ESET; all are testing vulnerability at one point or other, and even Google tests sites for vulnerability. But don't forget to create a genuine-looking business profile.
     