Meatpuppet farming: the (dark) grey-hat global freelance job market

Paul Raven @ 19-07-2011

Compsec maven Brian Krebs rakes over the findings of University of California, San Diego research report into the online market for what I like to call meatpuppets: cheap human labour-on-the-web that gets leveraged for bypassing the security systems that are supposed to stop automated spammers.

“The availability of this on-demand, for-hire contract market to do just about anything you can think of means it’s very easy for people to innovate around new scams,” said Stefan Savage, a UCSD computer science professor and co-author of the study.

The UCSD team examined almost seven years worth of data from, a popular marketplace for those looking for work. They found that 65-70 percent of the 84,000+ jobs offered for bidding during that time appeared to be for legitimate work such online content creation and Web programming. The remainder centered around four classes of what they termed “dirty” jobs, such as account registration and verification, social network linking (buying friends and followers), search engine optimization, and ad posting and bulk mailing.

“Though not widely appreciated, today there are vibrant markets for such abuse-oriented services,’” the researchers wrote. “In a matter of minutes, one can buy a thousand phone-verified Gmail accounts for $300, or a thousand Facebook ‘friends’ for $26 – all provided using extensive manual labor.”

The evolving marketplace is best illustrated by the market for services that mass-solve CAPTCHAs — those agglomerations of squiggly numbers and letters that webmail providers and forums frequently require users to input before approving new accounts. The researchers found that the market for CAPTCHA-solving was fostered on freelancer, but quickly expanded into custom markets when the model proved profitable on a large scale. Today, there are plenty of commercial services that pay pennies per day to low-wage workers in India and Eastern Europe to solve these puzzles for people wanting to create huge numbers of accounts at one time.

It’s interesting to see massive crowds of human labour getting rolled quite effectively into these vast and largely automated systems: the darkside equivalent of Amazon’s Mechanical Turk, with a smattering of Matrix metaphors on the side. But those digital peons are just trying to make a living, and when you look at the prices being charged for Twitter followers by the thousand and factor in the significant cut being taken by the service aggregators, you realise that they’re probably not making much more than sweatshop wages. Which means that until the massive differential in income between developed and developing nations gets narrower, web security procedures will always be subject to this sort of outsourced brute-forcing. Shorter version: spam ain’t going anywhere anytime soon.

The irony of having blocked five fake Twitter accounts in the time it took me to write this post is palpable. Death, taxes, noise*, spam.

[ * Anyone who’s worked in the recording or music industries will tell you that noise is the third certainty of life. As, I suspect, will anyone who has lived in a block of flats. ]

Re-skinning the city – the dark side of augmented reality

Paul Raven @ 19-01-2010

As augmented reality becomes the latest tech buzz-phrase to excite the more mainstream media outlets, it’s interesting to watch people coming to similar conclusions by very different routes.

For instance, here’s nigh-legendary grumpy Brit television critic Charlie Brooker riffing on the not-so-egalitarian potential of augmented reality technologies:

Years ago, I had an idea for a futuristic pair of goggles that visually transformed homeless people into lovable animated cartoon characters. Instead of being confronted by the conscience-pricking sight of an abandoned heroin addict shivering themselves to sleep in a shop doorway, the rich city-dweller wearing the goggles would see Daffy Duck snoozing dreamily in a hammock. London would be transformed into something out of Who Framed Roger Rabbit.

What’s more, the goggles could be adapted to suit whichever level of poverty you wanted to ignore: by simply twisting a dial, you could replace not just the homeless but anyone who receives benefits, or wears cheap clothes, or has a regional accent, or watches ITV, and so on, right up the scale until it had obliterated all but the most grandiose royals.

At the time this seemed like a sick, far-off fantasy. By 2013, it’ll be just another customisable application you can download to your iBlinkers for 49p, alongside one that turns your friends into supermodels and your enemies into dormice.

Beneath the snark, Brooker is pointing out that we already have a tendency to filter reality so that we only see the bits we want to – confirmation bias at work, in other words. Once the hardware is cheap and powerful enough to achieve iPhone-ish levels of market penetration, software that works in the way he’s describing above is not just possible but plausible. And as nice as it is to think that you’d not be tempted yourself, I suspect we all would be to some degree… try inverting the class dynamic of Brooker’s prediction, for instance. [image by gwdexter]

So, reality filters are inevitable… but experience dictates that where commerce, culture and technology meet up, things rarely remain in stasis. Enter new Futurismic columnist Tim Maly, who opines that the perpetually escalating arms race between spammers and filter-builders may be the one thing that fends off the hyper-Balkanised culture that so terrifies commentators like Brooker:

The trajectory assumed is of increasingly powerful and impregnable filters. If that trajectory holds, then one expects an increasingly balkanized culture, full of isolated groups that think they have nothing in common. But there’s a second set of actors in play, the ones being filtered out.

As the first group works harder to filter out unwanted messages, the second works harder to break through. We see it in the arms race around advertising. We see it in politicians struggling to find new ways of reaching their audience. We see it in Google’s need to constantly change and update their pagerank algorithms as black hat SEOs learn to game the system.

So long as the arms race continues, the filters will get better without becoming perfect. And in those cracks, reality (or at least an alternate viewpoint) can intrude. Insofar as we believe that people can’t know in advance what is best for them or what information they should receive, we should celebrate inefficiencies in filters.

In every successfully delivered spam message, there is a ray of hope.

Spam as a ray of hope… who knew? There’ll be more from Tim in his first proper column tomorrow, by the way. 🙂

Gross $4,000 a day with Viagra spam

Paul Raven @ 29-09-2009

Ever wonder why the flood of emails plugging funny-shaped blue pills for gentlemen shows no sign of relenting? The simple answer is that enough people keep clicking on them to make it an extremely lucrative business – according to Ars Technica, a detailed trawl of sales ledgers reveals that pharmaceutical affiliate spam networks can pull in $4,000 a day of orders:

Samosseiko discovered a wide-open PHP backend to GlavMed that contained evidence that the company is indeed set up to benefit largely from spammers. This involves e-commerce software for spammers to launch their own GlavMed copies or to simply set up domains that redirect to GlavMed. Additionally, some of the documents Samosseiko discovered were sales records, giving a glimpse into the purchasing behavior of GlavMed’s targets.

According to the sales records from GlavMed, there were apparently more than 20 purchases per day per spam campaign, with GlavMed claiming a 40 percent commission on each sale. With an average purchase of around $200, that adds up to over $4,000 total per day per campaign (or $1,600 for GlavMed).

Those are the sort of figures that would make even the most moral code-monkey think hard about trading in their sysadmin cubicle for the easy life. It’s abundantly clear that no amount of effort is ever going to stop people clicking on spam emails, and while the market is willing to line people’s pockets to the tune of hundreds of dollars a day they’re not going to stop coming… all the while funding other organisations with more nefarious aims and purposes.

This also highlights the problem with nation-states in a networked world restricting certain products and services to their citizens, as recent adventures in attempting to restrict online gambling sites has demonstrated. As geography continues its slide into irrelevance, attempting to ban something that’s openly available anywhere else in the world becomes an exercise in bombastic futility that does little beyond undermining your credibility and authority.

Perhaps opening up legal avenues for the purchase of the more popular and controversial pharmaceuticals is the answer? After all, serious thought is being given to relaxing prohibition on more dangerous drugs as it becomes clear that their restricted availability plays into the hands of criminals… why not make the drugs safer for consumers by controlling quality and distribution, and hobble an easy income stream for the underworld?

That said, there’ll always be something that people want to buy but can’t; I guess it’d be a case of finding where the tipping point between easy profits and risk of operation is. Then all we’ll be left with are dodgy refinancing offers and invitations to see fallen pop stars in the buff…

So, how long is it going to be before I have to lock the comments on this post to block the flood of pingbacks? Place your bets, ladies and gents, place your bets…

Spam: good food for growing AIs

Paul Raven @ 21-04-2009

wall of SpamIf you’ve been groaning in terror at the seemingly ever-growing contents of your spam folder, here’s a silver lining to the internet’s perennial plague – the ever-increasing ability of spambots to solve CAPTCHA puzzles may end up advancing the cause of artificial intelligence research. You see, it turns out that crime actually does pay:

“[von Ahn, inventer of the reCAPTCHA test] has seen bounties as high as $500,000 offered for software to break it – enough to attract people with the skills to the task and five times more than the Loebner Grand Prize offers to the programmer who designs a computer that can truly pass the Turing test.

The demise of reCAPTCHA could, however, be beneficial.

It has users decode distorted text taken from historic books and newspapers that is beyond the ability of optical character recognition (OCR) software to digitise. Humans who fill in a reCAPTCHA are helping translate those books, and spam software could do the same.

“If [the spammers] are really able to write a programme to read distorted text, great – they have solved an AI problem,” says von Ahn. The criminal underworld has created a kind of X prize for OCR.

That bonus for artificial intelligence will come at no more than a short-term cost for security groups. They can simply switch for an alternative CAPTCHA system – based on images, for example – presenting the eager spamming community with a new AI problem to crack.

Indeed, it appears that the Google gang are doing exactly that:

“… the Google researchers were apparently able to come up with the new technique simply by looking into areas that computer scientists had identified as being problematic for computer-based solutions.

They apparently came up with image orientation. Humans can apparently properly orient a variety of images so that the vertical axis matches the real-world orientation of the photograph’s subject; computers can only handle a subset of these. […]

The basic idea behind their scheme is that any functional system will first have to eliminate any images that an automated system is likely to handle properly, as well as any that are difficult for humans to orient. So, for example, computers are good at recognizing things like faces in group shots, as well as horizons in landscape scenes, both of which provide sufficient information to orient the image. In other cases, the image doesn’t have enough information for either humans or computers to properly sort things out—the paper uses the example of a guitar on a featureless background, which could be oriented horizontally, vertically, or in the angled position from which it’s typically played.”

I wonder if there’ll ever be an end to this particular arms race? And, if there is, will it be heralded by the arrival of the Canned Ham Singularity? [image by freezelight]

Spam ubiquity – even your Lexus is no haven

Paul Raven @ 13-01-2009

Lexus concept carOnce again, the physical space in which you can expect (or even hope) to avoid being relentlessly marketed at contracts in a dying spasm… that’s right, not even your car is a scared space any more, as
Lexus has announced plans to send targeted messages to owners of its cars based on the buyer’s zip code and vehicle type. Knowing how dependent on customer goodwill the luxury car brands are, I’ll be very surprised if this plan actually makes it to market. [via SlashDot]; image by SecondPrint Productions]

Speaking of spam, computer security researchers in Germany reckon they’ve found a serious chink in the Storm botnet’s armour that means it’s nowhere near as impregnable as previously thought. So why haven’t they smashed it up like a box of cheap crockery, then?

The team has not yet taken the final step of putting the whole thing into action with a genuine Storm Worm botnet in the wild. From a legal point of view, that could involve many problems. Any unauthorised access to third-party computers could be regarded as tampering with data, which is punishable under paragraph § 303a of the German Penal Code. That paragraph threatens up to two years’ imprisonment for unlawfully deleting, suppressing, making unusable or changing third-party data.

Oh, the irony. [also via SlashDot]

Next Page »