Latest Spam uses Yahoo! Profiles and Cheap Software prices to Capture Credit Card Data

For the last month (at least from my inbox perspective) spammers have been using the Yahoo! personal profile interface to send spam with cheap software offers (see image 1).

Image 1: Email with Yahoo profile reference (click to enlarge)

The ploy attempts redirect users to an authentic looking web site offer software at prices too good to be true (image 2). The IP address of the site can tracked to an IP address assigned in China and hosted on a server that includes over 400 other gambling and software commerce sites.

Image 2: Homepage of Web site offering to sell pirated software (click to enlarge)

Further navigation of the site reveals a checkout form with all the right images to lure the unsuspecting user to enter their credit card information and buy low priced software.  However, it should be obvious to most users who purchase anything on the Web that this site is a scheme to grab credit card data.  Although a secure connection symbol is shown, the form itself asks for credit card information over a non-SSL session. Also, the BBBOnline program (which no longer is operational) VISA, and TRUSTe seals do not provide a link for verification (image 3).

Image 3: Checkout form on false commerce site (click to enlarge)

I would hope that it is completely obvious to users with some internet experience that they should not trust this site or the method used to arrive at the site. However, given that it is relatively cheap to host hundreds of these sites using virtual servers and leverage Yahoo! to promote them, it probably only takes one uninformed user to justify this criminal approach.

- Vic

Ubiquitous “Cyberlocker” File Share Service Gets Fined

Rapidshare was fined $34M by a German Court as result of efforts by a music copyright watchdog group.  Although it's a hefty fine, one only wonders what it would have been if it included pirated software files. V.i. Labs piracy assessments reveal that Rapidshare is the file service of choice for distribution of high value and large applications.

If you are not familiar with the Rapidshare service, it is a one click file upload service that allows you to post and store any file to its site via a Web browser, API, or client uploader application. After the file is uploaded it returns a unique URL link. What makes the service attractive for sharing pirated content is that it allows users to upload individual files up to 200MB and provides unrestricted access to users downloading these files as long as they know the link. The way the service makes money is by selling improved download bandwidth.

Although you can download any file for free, the process is slower than if you have a premium link. But for $80 a year you can download 25 GB and share up to 5 GB using a speedier download process (said to 100 MBit/s in certain areas). This easy to access service has seen tremendous growth in usage and in October 2008 it claimed to have hosted 160 million files. In addition, they announced in April 2008 that they had 240 gigabit/s of Internet connectivity and 5.4 petabytes of storage for users. With this level of capacity, Rapidshare is essentially a public Piracy top site (top sites are exclusive file servers used by the piracy scene to distributed pirated content).

From our research and customer piracy assessments Rapidshare appears to be the favored service for large software applications, but it is not the only one and there are over hundred of these file sharing services.

It’s unlikely that with it current service architecture that Rapidshare can be required to filter or constrain what content is on its servers. The files can be obfuscated and protected before upload. Rapidshare does offer a process to remove links via its API if organizations can prove the links point to pirated material, but the sheer number of files/links make this an unrealistic enforcement option. Even if you could control pirated content on Rapidshare, you would still face the same issues and challenges on hundreds of other similar file hosting services.

- Vic

Fighting Piracy on the High Seas: Offense vs. Defense

My colleague, Vic DeMarines, will be speaking on a panel at DAC (Design Automation Conference) on Tuesday, July 28. The panel, Fighting Piracy on the High Seas: Offense vs. Defense, is going to be led by the EDA Consortium's anti-piracy chairman Scott Baeder. EDAC has put together a fun video promoting the panel - check it out!

- Michael

Forbes: The Inevitability Of Internet Pirates

Andy Kessler has an interesting commentary on piracy on Forbes.com titled, "The Inevitability Of Internet Pirates."

While he focuses mostly on "music, TV shows, movies and, as it's known on the Web, pr0n," his comments apply to pirated software as well (emphasis added):

"Like it or not, the Web is and will remain the Wild West....Plus, it is so easy to create a Web service to download copyrighted material that, like that arcade game Whac-A-Mole, if you take one culprit down with your mallet another five pop up in the next few nanoseconds. Sad but true, there is not much anyone can do."

The availability of pointers to pirated materials on Pirate Bay (or even Google) enable piracy - they make it too easy to find and download software and copyrighted content. Kessler offers an alternative approach that we agree with and have been advocating as well: new business models.

"So make all the legal arguments you want. No matter what court decisions are rendered and no matter what laws are passed, copyright infringement is going to happen. So these folks should stop suing their customers and lobbying for more laws and instead come up with new business models that pirates can't follow them into."

While the examples he cites relate more to copyrighted content than software, it is crucial for software vendors to consider new business models for recovering revenue lost to pirated use. In the case of software vendors that can sometimes mean pursuing legal channels to recover revenue from the businesses that are actually using unlicensed applications - but first you have to be able to identify who those businesses are. Regular readers of Code Confidential will recall that we are proponents of piracy business intelligence as a means of identifying these businesses.

Once a vendor has this information, it can decide on the best approach - whether it is direct sales or legal contact with an infringing organization, building partnerships in a given region or industry, or an altogether new business model for addressing the issue.

- Michael

Wall Street Journal: Firm Alleges Code Theft in Web Filter

This article in the Wall Street Journal illustrates the paradox that exists with doing business in China. On the one hand, their weak enforcement of intellectual property (IP) rights has resulted in high piracy rates for years with numerous examples of reverse engineering cases, but on the other hand, China is a tremendous business opportunity for U.S. software vendors that cannot be ignored.

 The numbers illustrate these issue:

• There are an estimated 15,000 software vendors in China
• China graduates more than 100,000 programmers each year (NPR)
• Packaged software revenues in China are expected to exceed $9B (Gartner)

Software developers and vendors should be worried about their software IP in China. Software protection or tracking usage through piracy business intelligence approaches may give vendors a way to proceed with caution when there is valuable software IP at stake.

- Vic

eWeek - How to Combat Software Piracy: From Reaction to Revenue Recovery

My fellow blogger, Vic, wrote an article for eWeek's Knowledge Center:

"As someone who has spent a lot of time discussing piracy with the ISV community and researching the piracy scene, I believe what a software vendor does to combat piracy is directly proportional to its knowledge of the piracy scene motivations and its own piracy activity trends. In fact, you can group how software vendors respond to piracy into three stages: Denial, Reaction and Realization.

Let's explore each of these stages in some detail..."

Read the whole article here and if you like it, please Digg it!

- Michael

InishTech and Microsoft Software Licensing and Protection Service

Microsoft has finally spun off their Software Licensing and Protection Services (SLPS) technology:

"In a connected world, software developers of all kinds need the ability to protect their code, license their software, and track the performance and profitability of their products. To fill that need, a new Irish company called InishTech is embarking on a worldwide business venture using software protection and licensing technology developed by Microsoft."

This technology was based on an earlier acquisition of Israel based Secure Dimensions SecureLM technology. You can read more about the history of SLPS here. Late last year, Microsoft announced that no new customer orders would be accepted and then we later heard through the grapevine that most of the Microsoft SLPS team would move on. This was part of a larger reduction in force and streamlining effort going at Microsoft. When I spoke with one of the former SLPS product leads in April, he expressed how difficult it was to integrate into the Microsoft ecosystem and in many ways they were like any other independent vendor trying to partner with Microsoft.

From a V.i. Labs perspective, SLPS is a licensing system, and as we do for customers using Acresso, IBM, Nalpeiron, Reprise Software, SafeNet, and Uniloc, we offer value on top of SLPS to protect sensitive IP within .NET applications and provide Piracy Business Intelligence: 

• IP protection - While there is overlap with the SLPS code protection component, CodeArmor Software Protection for .NET offers a more scalable protection for whole assemblies. The SLPS protection technology is best focused on license methods because its virtualization technology is performance intensive.
• Piracy business intelligence – Provides piracy detection and reporting functionality that is embedded within the application operates separately from licensing to help ISV’s recover revenue from unlicensed use.

So I think it's great news that SLPS has a home and can operate independently - software developers/vendors need more options for software licensing for their .NET applications. One thing I hope that improves with the spinoff is the positioning of the solution. Microsoft had marketed this as an anti-piracy solution, a position that I considered not current or accurate. Many of the legacy licensing players have evolved their positioning based on customer reaction and focused their solutions on overuse and compliance.

Essentially, they made sure that their sales people were not positioning licensing as protecting against or combating “overt” piracy – piracy enabled via reverse engineering. SLPS in no different and although their code protection is innovative, it should be positioned as a way to harden the license functions' resistance to tampering and not a solution for stopping piracy.

- Vic

Report from Mass Technology Leadership Council's unConference

A few of us from V.i. Labs attended the Mass Technology Leadership Council's spring unConference this past Friday.

If you're unfamiliar with an "unConference," MassTLC defined it as, "a facilitated, face-to-face, and participant-driven conference centered around a theme or purpose, in this case, the future of software and the Internet." We proposed and facilitated a session on "Brainstorming New Strategies for Growing License Revenue in this Economy."

We had about 15 people in the session with folks from software vendors and (interestingly) law firms. Here are some of the ideas that we discussed (the first two came from us):

• Find ways to identify "customers" you don't know about (businesses that were overtly pirating your software)
• Identify the customers you do know about, but that aren't paying you what they should be (businesses that are exceeding the number of licenses they've paid for)
• Use flexible licensing - make it easy to buy the way customers want to buy (features-based licensing to drive increased use)
• Change your packaging model to let customers adopt features that would otherwise have seemed cost prohibitive - "pick and choose" features
• Adopt "super aggressive" software release cycles - continue to push new features to customers
• Use social networking/social media to enable your user community to vote on new features and announce these new features in a very visible way

As an aside, I was interested to hear one of the attorneys note that "attorneys are among the bluntest and most expensive implements available" when it came to growing license revenue from piracy. The attorney noted that it is "rare that it makes sense to sue people" and that threshold for deciding to pursue a case was around the $2 million mark.

All in all, the whole unConference was a great experience with great people sharing ideas and experiences they are clearly passionate about. We'd love to hear from other attendees in the comments - let us know if you were in our session and what you thought!

- Michael

Live Webinar with former Microsoft Director of Worldwide Anti-piracy Investigations Richard LaMagna

We're excited for our June 18 live webinar with Rich LaMagna, former Microsoft Director of Worldwide Anti-Piracy Investigations. Please join us and learn about the best practices for building an anti-piracy program to identify and recover revenue from businesses using unlicensed software.

In the meantime, be sure to check out Rich's recent article in the May issue of Security Management!

- Michael