I received the following AIM message a little while ago:

Curious, I responded back to Qtpiegirl8394. Here’s the transcript:

Qtpiegirl8394: let me know when you have your username

I thought this was pretty well done for several reasons:

• Most of the AIM spam I get is a simple “Hey click here to chat with hot girlz”, which is easy to identify as spam. With this, I got an IM from an official-sounding screenname (TMorganDirector), which asked me to contact another screenname due to technical difficulties.  Had it not been for the disparity in screennames (TMorganDirector vs Qtpiegirl8394), it would have been hard to tell this even was spam.
• The bot, which asks me whether I am a bot, seemed to keep track of where we were in the conversation. It starts out with a hello, who is this, and little by little leads me towards the webcam site. Most of the responses are generic enough that they work regardless of what I am actually saying. For example, it said “who is this again?” I said “you sent me an IM” and it said “oh yeah!”, but it probably would have said “oh yeah!” regardless of what I actually said because it knew it had just asked me that question.
• It also analyzed what I was saying because when I asked “are you real?” it responded “i’m as real as they come 100% live in the flesh”. Pretty good.
• The URL that it gave me contains her screen name (good), but then directs me to a generic looking webcam site (you can replace her name in the URL and it still redirects to the same page). They’d probably do a lot better linking me to something that looks like a profile page that contains a picture of a beautiful woman, her screen name (taken from the URL), and a big green “Chat now!” button at the top of the page. They could even embed a video with a girl saying “Hello? Can you hear me?” which would fool a lot of people.
• Another complaint is that it kept responding back to me even when I wasn’t saying anything (such as the “what? I’m definitely real I hate fakes” at the beginning). The whole “i’m sorry i get forgetful who is this again?” is a big red flag too since she allegedly just IM’d me–I wonder why the programmer included that.

Not bad though.

I bet the conversation rates on this method blow the direct-spam rates out of the water. They could do a lot better still with some calculating A/B tests.

The illusive fluid-fixed layout has the following properties:

• One column that expands to fill the screen
• A second column that has a fixed width to the right of the expanding column

I rarely remember the CSS syntax to do this, so I’m posting it here both as a reference for myself as well as for anyone else looking for a solution.

Screenshot:

Code:

<html>
<head>
	<title>Fixed-Fluid Example</title>
	<style type="text/css">

		body {
			color: white;
		}

		#wrapper {
			float: left;
			width: 100%;
		}

		#fluid {
			background-color: #336699;
			margin-right: 200px;
		}

		#right-col {
			background-color: #bd2115;
			width: 200px;
			float: right;
			margin-left: -100%;
		}

		.padded-content {
			padding: 5px;
		}

	</style>
</head>
<body>
	<div id="wrapper">
		<div id="fluid">
			<div class="padded-content">Fluid</div>
		</div>
	</div>
	<div id="right-col">
		<div class="padded-content">Fixed at 200px</div>
	</div>
</body>

About ten years ago, around 2000, an online gaming company named iWin launched. The premise was simple: when you played their online games you earned iCoins, which you could then exchange for prizes. It was kind of like exchanging tickets at an arcade for prizes, except that you didn’t have to pay iWin to play and their prizes were excellent: MP3 players, VCRs, gift certificates, etc. The only downside was that as you played the games on their website, a large ad banner appeared below the game, which is how they made their money.

At the time I was working on AOL-Files.com, a community of hackers dedicated to finding and exploting holes in the America Online service. A large part of what we did was pick at and probe the AOL software, hoping to find a vulnerability which would enable us to do things we werent supposed to do. When iWin launched, it became a popular target for a lot of the community because of the prizes it offered.

Breaking iWin

The first thing we noticed was that iWin rewarded you for referring other people to their site. Whenever you signed up it asked you for the user name of whoever told you about the site and then that person got something like 25 iCoins automatically. iWin didn’t employ a CAPTCHA, so it was incredibly easy to automate the registration process. We created bots that would sit there for hours and create accounts, all using the same referrer, which was our legitimate account. We quickly earned a massive amount of iCoins this way. (Note that this would have been relatively easy to mitigate by adding a CAPTCHA or not rewarding the referral bonus until the new user had played a certain number of games, which couldn’t be automated).

Eventually someone discovered a far easier way to accumulate iCoins. There was a page on the site that required you to type in how much you spend on an item. So, for example, the page would show a product and it would say that it cost 2,500 iCoins. You’d type in 2,500 into a text box, hit submit, and the 2,500 would be deducted from your account balance. If your original balance was 10,000 iCoins, iWin would recalculate your balance like so:

10,000 - 2,500 = 7,500

Well, someone figured that iWin didn’t check to make sure you were using positive numbers so if you entered a negative number, iWin would still try to subtract it from your balance:

10,000 - -2,500 = 12,500

And just like that, people could add thousands of iCoins by simply entering a negative number into that form.

Later, someone else figured out a URL that you could go to which would let you specify how many iCoins you wanted to add to your account. With one click, you could go from 250 iCoins to 2,500,000,000 iCoins (though that would have been a bit suspicious).

Their security was so poor that you couldn’t help but feel bad for them. They had a winners page which listed all of the recent winners and what they had won. Some spammers figured out that if you signed up with an account name like:

<h1><a href="http://www.spam.com">Click here!</a></h1>

Then the winners page would display the link which implies that 1) the user name was not validated at the registration step and 2) it wasn’t escaped prior to display on the winners page.

As you can imagine, these exploits didn’t last very long. iWin quickly fixed most of the vulnerabilities that we had taken advantage of. They also switch to an auction-only system so that you could not purchase a prize directly with iCoins; instead you could use your iCoins to buy raffle tickets for an item, which made it a lot harder to beat.

At this point you might be wondering how iWin ever expected to make money off of their originally business model. I wondered that for a long time too.

Here’s what I think: iCoins were very hard to accumulate legitimately. The games didn’t reward many iCoins and you’d probably have to play hundreds of hours to earn enough to purchase a decent prize. Most people probably quit long before they ever earned enough to get anything. In the mean time, the users had spent a lot of time playing the games and viewing the ads. Someone probably calculated that something like 95% of the players would never earn enough to win a prize and for those that did, the amount iWin earned in ad revenue would far surpass the amount they had to pay out in prizes.

Final Thoughts

I was 14 at the time. Looking back, I’m proud that we were clever enough to figure out how to break iWin, but I’m not happy that we actually went through with it. What we did was equivalent to stealing from Best Buy because the locks were broken.

It may have seemed victimless at the time, but someone was losing money because of what we were doing. Just because you’re smart enough to do something doesn’t mean you should.

From the archives:

Make sure you read the conversation in the chat box.

(Courtesy of 2+2)