porn, economics, and security (but mostly porn)

As we all know, the Internet is a series of tubes invented by Al Gore to allow us to exchange cute cat pictures and pornography. This past week, a paper presented at the Ninth Workshop on the Economics of Information Security provided some really interesting insight into both the economics of the Internet pornography industry and, more importantly, how those economics translate into security considerations.

The research in question was conducted by a team of researchers from the Technical University of Vienna, Institute Eurecom, and UC Santa Barbara.  A brief digression here… if I had been informed that conducting studies of Internet porn was an option, I definitely would have finished college and gone into academia.  We should let kids know about this so that they stay in school!

Any-who… Our lucky, lucky research team found that pornography accounts for 12% of web pages on the Internet and that the porn industry was worth over $97 billion in 2006. For some perspective, this is more than the combined revenues of Microsoft, Google, Apple, Amazon, eBay and Yahoo! And this is in spite of the absolute torrent of free porno to be found on the net. (Or so I have been told.)

Much of the paper was devoted to describing just how the porno ecosystem can be so lucrative. My interest, though, was purely from a security perspective…

Researchers found that 3.23 percent of the adult web site pages they examined “were found to trigger malicious behavior such as code execution, registry changes, or executable downloads.” However, many of the evil pages show signs that their malware payloads were the result of hackers compromising the adult sites. In these cases, it would seem that the attackers are taking advantage of the high traffic rates to expose their ‘sploits to the largest possible audience.

The researchers then went a step further, actually setting up two adult web sites and registering with affiliate programs and traffic brokers to lure unwary pornophiles to participate in their research (although no perverts were harmed in the course of the study). These sites were configured to collect information about their visitors’ computers, noting browser and plug-in versions as well as performing specific checks for vulnerable plugins used to handle Word and PDF documents. The researchers then bought 49,000 visitors from the traffic brokers (for about USD 160) and analyzed their visitors. Of the 49,000 visitors, the researchers were able to build complete browser profiles for just under half. After further analysis, just over 20,000 of the visitors were found to have one or more of the vulnerabilities that the researchers were scanning for. Almost 6,000 users had multiple vulnerabilities.

Now in this case, no malware was installed on the unwitting experiment participants, but had the researchers had nefarious intent in mind, they could have put together a 20,000-node botnet for just a couple of hundred dollars. (Actually, they could have offset their costs by installing other ad/spy/scareware on their prey.)

The takeaways? First, this was an excellent, enlightening and engrossing paper which I highly recommend reading – the economics of Internet porn are really interesting. Second, surfing porn does pose a small but non-zero risk – one which was significantly higher than shown in previous research. There is not enough data here to show a trend of increasing risk, but it would make sense, given the cost effectiveness of porn as a malware vector, that cybercriminals would increasingly look to this method of building botnets.

Now if you’ll excuse me, I have some research, yeah, research to attend to…
