Author Topic: Istock is hacked? (Read 19475 times)

JPSDK · « **Reply #25 on:** November 29, 2012, 19:28 »

Good and valid perspective, Karen.

gostwyck · « **Reply #26 on:** November 29, 2012, 19:38 »

Quote from: KarenH on November 29, 2012, 18:56

Quote from: ShadySue on November 29, 2012, 18:11
Re that site, from the contributer newsletter:
"Our legal team continues to investigate this matter and we will keep you updated. That being said, please consider this a reminder to guard your iStockphoto credentials carefully. Do not use your iStock log in details at any other sites, and consider changing your passwords from time to time.

And while we’re on the topic of fraud, let’s talk about refunds. There is a lot of discussion in the forums about refunds at iStockphoto being “higher than normal” due to credit card fraud. This is simply not the case. We have a very robust set of fraud detection systems in place, and, in fact, our credit card fraud rates are below the standards set by the credit card companies."
I'm one of them who used their $2 promotion to buy an XS of my own -- a newly uploaded file, in my portfolio for one day, no views. MyUploads, open in another window at the time, immediately showed a download of an XL, the largest size available for me. iStock was notified. I haven't seen a refund yet. This was 11 days ago. My purchase from istockreseller was done in an incognito window, with no cookies or caching or history or IP information going to them, with a throw-away account that has no connection to my real name or email address. They have no paypal info or credit card info from me, and I've received no other emails from them or anyone else (which frankly surprised me, as I expected a boatload of spam). The downloaded file went immediately into the trash without being opened (who knows what they might have embedded in them).

With several people doing this now and providing all the detail to iStock (and one would assume iStock would be doing this to, to track the payer of these), I question the "very robust set of fraud detection systems". Someone is paying for these large size purchases from iStock. I still believe that if this happened to Amazon or BestBuy or your bank, this would not still be going on almost a month after first being reported. Can it be that difficult to track where it's coming from when they get paid for these?

I understand some of the responses and Sean's blog post -- no, the site probably hasn't been "hacked" -- but someone is getting our images. This is taking the fun out of getting downloads, because now I instantly wonder if they are legitimate, and if I will find myself going into the hole after the next payout (I also don't understand the time delay for the refunds).

^^^ Brilliant post Karen, thanks for sharing your experience. I really, really don't understand what is actually going on here.

leaf · « **Reply #27 on:** November 29, 2012, 23:32 »

Perhaps iStock is preparing some legal action and need to lay low while they do so. that would explain the deleted threads.
One can hope.

RacePhoto · « **Reply #28 on:** November 29, 2012, 23:58 »

Quote from: leaf on November 29, 2012, 23:32

Perhaps iStock is preparing some legal action and need to lay low while they do so. that would explain the deleted threads.
One can hope.

Perhaps the scam site is doing the same thing, collecting information until they get shut down and then going to pillage and plunder with all the information they have gathered.

B8 · « **Reply #29 on:** November 30, 2012, 00:36 »

Quote from: jsnover on November 29, 2012, 13:21

Read this blog post from Sean with more on this. As far as I know from the photographers who downloaded their own photos with the $2 credit (and reported those file numbers via Sean to iStock) no refunds yet.

Not sure why it's taking so long for iStock to shut them down.

According to that blog post you linked, it says the site is hosted on Host Gator and that the Domain Name Server is located in Vietnam.

I pinged the site and the IP address I got for the site is 108.162.195.57

I looked up this IP address and this IP resolves to a site owned by a company called CloudFlare Inc. which uses the domain name cloudflare.com

A WhoIs search on the istockreseller.com domain name also points to cloudflare.com being the DNS, as well as being the host server for the istockreseller.com web site. The DNS for istockreseller.com are as follows, which are subdomains on the cloudflare.com domain name:

IGOR.NS.CLOUDFLARE.COM
KAY.NS.CLOUDFLARE.COM

According to a WhoIs search on the cloudflare.com domain, the company name, address, and phone number are as follows:

CloudFlare, Inc.
665 Third Street
Suite 207
San Francisco, CA 94107
US
650.319.8930 fax: 650.230.7173

Under the WhoIs listing for cloudflare.com it shows cloudflare.com domain uses the following Domain servers:

DNS2.CLOUDFLARE.COM 173.245.58.99
DNS3.CLOUDFLARE.COM 173.245.59.99

I further looked up the details on the 173.245.58.99 IP address listed for the above cloudflare.com domain name servers and they list the following contact information for reporting abuse on this IP address:

+1-650-319-8930
abuse @ cloudflare.com

As a result, I don't see anything pointing to Host Gator or Vietnam with regards to the istockreseller.com domain name or hosting of the site and it seems both the domain name and the site are being hosted in the USA.

fotoVoyager · « **Reply #30 on:** November 30, 2012, 05:27 »

Good work! Let's hope it helps.

drd · « **Reply #31 on:** November 30, 2012, 05:39 »

Thanks for looking it up. If they are hosted on cloudfare, it should be easy to shut their website down in one single step with a call from istock.

bokehgal · « **Reply #32 on:** November 30, 2012, 05:43 »

I think all of us should write an email to CloudFlare, which looks like a legitimate company, and tell them they are hosting a fraud site that is selling illegal copyrighted content.

If we all flood CloudFlare's abuse box with threatening emails I can imagine the site with be taken down in less than 24 hours.

We should also send emails to GoDaddy informing them they have registered a domain for someone that is using it to commit fraud.

Hopefully GoDaddy will lock the domain soon as well.

My emails are already sent to both entities already. The more the better though. Please join the effort and send emails as well.

If we can get this domain locked and the site taken down then its game over for these fraudsters.

Obviously whatever efforts iStock has made to take the site down has been unsuccessful so far as the site is still up and running as of now. If you want to protect your work then I think you should all make a joint effort to get the site taken down as soon as possible.

leaf · « **Reply #33 on:** November 30, 2012, 05:51 »

cloudflare is more of a CDN (content delivery network) than a host. Cloudflare resolves the DNS queries but then forwards it onto the 'real' host.

MicrostockGroup is also 'hosted' on cloudflare if you look up the nameservers, but again it is just used as a CDN while the real web host is WireTree

Here's a cloudflare info vid


CloudFlare. Supercharges your Website in Less than Five Minutes.

bokehgal · « **Reply #34 on:** November 30, 2012, 06:06 »

If thats the case I still think they would have an interest in discontinuing service to a site that is using their service for fraud. Godaddy should also be interested in locking the domain for the same reason.

How else can we find out then where the site is actually being hosted?

iStop · « **Reply #35 on:** November 30, 2012, 06:45 »

I've spoken with an internet security expert about how this illegal site is possibly obtaining iStock content.

It seems the most plausible answer is that the people behind this illegal site have obtained an illegitimate API access key somehow which allows them to get access to any contributor content they want on the iStock site for free.

It would seem iStock is aware of this, but hasn't been able to shut down their API access key or it wouldn't continue to go on.

So it seems the security of the iStock site has been broken and that is how this illegal site is able to supply iStock content to whoever tries to buy it from istockreseller.com

In addition, their API key also appears to allow them to add a credit to the contributor's account crediting them for the download/sale without ever making an actual payment to iStock for the content downloaded by the illegal reseller site.

As a result, this site sounds like some sort of group that is trying harm iStock and resell iStock content without harming its contributors.

fotografer · « **Reply #36 on:** November 30, 2012, 06:53 »

Quote from: iStop on November 30, 2012, 06:45

As a result, this site sounds like some sort of group that is trying harm iStock and resell iStock content without harming its contributors.

That makes sense. I just couldn't see why they would bother paying money or even making it look as if they were paying money.

bokehgal · « **Reply #37 on:** November 30, 2012, 07:02 »

That does sound like a very real and possible scenario.

It may also be that when the istockreseller site downloads the content that the iStock site automatically credits the contributor for the download as if it is a legitimate sale.

So the illegal site isn't necessarily trying to directly credit or protect the contributors. It is just what happens automatically on the iStock site when the file is downloaded.

If that's the case then contributors aren't actually losing sales to this site at the moment, but contributor content is being stolen nonetheless and everyone will be in for a big load of chargebacks at some point.

I guess rather than downloading millions of files from iStock all at once, the illegal site just does it one file at a time whenever a purchase is made by a buyer via the illegal reseller site in order to make it more difficult for iStock to track.

Sean Locke Photography · « **Reply #38 on:** November 30, 2012, 07:37 »

Quote from: iStop on November 30, 2012, 06:45

It seems the most plausible answer is that the people behind this illegal site have obtained an illegitimate API access key somehow which allows them to get access to any contributor content they want on the iStock site for free.

That doesn't sound plausible at all. If they wanted content, they could download it all without setting up a site somewhere under your guess.

Now, perhaps they have gained usernames and passwords somewhere, so that every time they download an image, it is on a different account.

ShadySue · « **Reply #39 on:** November 30, 2012, 07:44 »

Quote from: iStop on November 30, 2012, 06:45

It seems the most plausible answer is that the people behind this illegal site have obtained an illegitimate API access key somehow which allows them to get access to any contributor content they want on the iStock site for free.

In addition, their API key also appears to allow them to add a credit to the contributor's account crediting them for the download/sale without ever making an actual payment to iStock for the content downloaded by the illegal reseller site.

As a result, this site sounds like some sort of group that is trying harm iStock and resell iStock content without harming its contributors.

Hey, Robin Hood!
I'm very interested in what will happen to the credits which CR assured mstock was a legitimate sale. They can hardly claw it back after that definite assurance.
Keep us posted, OP!

Sean Locke Photography · « **Reply #40 on:** November 30, 2012, 07:59 »

By the way, the nameservers changed in the last few days. They were located in Vietnam, and also the welcome email was reported to be from there as well.

The HostGator thing was me. I found a link on their site that returned a hostgator error page. Can't find it now.

drd · « **Reply #41 on:** November 30, 2012, 08:26 »

Quote from: iStop on November 30, 2012, 06:45

As a result, this site sounds like some sort of group that is trying harm iStock and resell iStock content without harming its contributors.

If this true, probably they don't realize they hurt contributors indirectly.
Istock's global rank dropped 36 places this month on Alexa ranking. In october the site was ranked 395 now it is on 431 and every day is lower. I follow the rankings daily.
Therefore I suppose less buyers are coming to the istock site and could explain why my downloads dropped 50% compared to last month and no E+ downloads anymore. I've heard similar complaints from other contributors.

These guys did something very clever or istock's web security is just rubbish. I wonder if maybe these guys can have a go to fix the broken zoom feature on istock? Which anyway is not more than 10 lines of code in javascript.

bokehgal · « **Reply #42 on:** November 30, 2012, 10:06 »

Reply from abuse @ cloudflare.com. Although they can't take the site down they can stop providing service to the site:

"Please complete the abuse/phishing reporting form located here to
submit your report --> https://www.cloudflare.com/abuse/

Future abuse/phishing reports will only be accepted via that form.

Please provide specific and direct URLs to the content you claim to be
infringing. Lack of specific details may result in the report being
denied.

Note -- CloudFlare is NOT a web host for this or any other website. We
don't provide web hosting services for any site except for
cloudflare.com. We have no way to remove content from a website."

bokehgal · « **Reply #43 on:** November 30, 2012, 10:17 »

@mstock - I agree the site could be hurting iStock traffic. It could also be hurting E+ files if the illegal site is downloading the files from iStock and then reselling the same files cheaper.

But if you are still credited by iStock for the sale each time the illegal site downloads and resells a file, then you shouldn't have any net drop in sales on iStock as a result, either on regular files or E+ files. So I think the theory that iStock contributors are earning less because of this site is a flawed theory and most likely isn't the real cause of many people's 50% drop in sales.

Nonetheless, this site must be stopped. It is illegal and they are stealing contributor content. And who knows what they will do eventually with all the stolen files that they have downloaded to resell.

iStop · « **Reply #44 on:** November 30, 2012, 10:30 »

Quote from: sjlocke on November 30, 2012, 07:37

That doesn't sound plausible at all. If they wanted content, they could download it all without setting up a site somewhere under your guess.

Now, perhaps they have gained usernames and passwords somewhere, so that every time they download an image, it is on a different account.

It seems they setup the site not to download, but to resell content they steal from iStock. Yes, downloading could be done without a site of course. But it seems they want to make money reselling the stolen content, thus the site.

They could also be using stolen usernames and passwords of buyer accounts that have credits in order to download files illegally as you suggested, but that would likely mean that every time a buyer tries to buy a stolen file through istockreseller that it would have to first be manually downloaded by the thieves and then sent to the buyer later.

I haven't surfed the illegal site myself to see how it works, but the download process is more likely immediate and not delayed, which would suggest it is an automated process using a script and a hacked API key of some sort to obtain the file in real time and then provide it to the buyer when a file is chosen and downloaded from the illegal site.

ffNixx · « **Reply #45 on:** November 30, 2012, 11:20 »

Is it possible that it isn't iStock that was hacked but one of those partner deals they have, such as with Microsoft. As far as I understand those deals, the partner company has access to iStock files and their own customers can download, but don't pay iStock directly. This would explain some of the things people have discovered about the reseller site, such as immediate crediting of sales and lack of refunds (to date).

Poncke · « **Reply #46 on:** November 30, 2012, 11:23 »

It doesnt explain how you can get an XS image for 2$ and see a XL DL for 11$.

iStop · « **Reply #47 on:** November 30, 2012, 11:41 »

A partner site download wouldn't result in the contributor being credited for a full XL download each time. So a partner site probably isn't the leak. Plus it seems search results on the illegal site mirror iStock's search results.

It's also possible the illegal site downloads an XL regardless of the file size purchased by the buyer on the illegal site. Thus the contributor always gets credited for an XL download.

Jo Ann Snover · « **Reply #48 on:** November 30, 2012, 11:42 »

Quote from: Poncke on November 30, 2012, 11:23

It doesnt explain how you can get an XS image for 2$ and see a XL DL for 11$.

My assumption is that the scammer is buying the largest size (that happened with all the test sales that I'm aware of; XS purchased from scammer, XL downloaded from IS) to resell in the future. I'm also assuming that there will be a refund for the XL once IS sorts out the paperwork. I haven't heard of anyone getting the refund yet

ppdd · « **Reply #49 on:** November 30, 2012, 12:02 »

If this was happening through an API key, it would be shut down instantly - that's the point of a key, it's a one-off code allowing access for one user. If something goes haywire, the key is shut off and the user is locked out.

There could be some huge security hole in the API system at istock, but it should be easy to plug. But then, I can't see how this whole thing is still working, regardless of how it's done.

MicrostockGroup Sponsors

Author Topic: Istock is hacked? (Read 19475 times)

JPSDK

gostwyck

leaf

RacePhoto

B8

fotoVoyager

drd

bokehgal

leaf

bokehgal

iStop

fotografer

bokehgal

Sean Locke Photography

ShadySue

Sean Locke Photography

drd

bokehgal

bokehgal

iStop

ffNixx

Poncke

iStop

Jo Ann Snover

ppdd

Related Topics

Sponsors

Microstock Poll Results

Sponsors