SAN DIEGO -- So much for trade secrets. Not long ago, a company unwittingly tipped its hand when planning to buy another business.
How? Lawyers, investment bankers, consultants, executives and directors suddenly hammered the investor relations section of the targeted firm's Web site. Their IP addresses gave them away.
Realizing it was going to be bought, the targeted firm called another company and shared its rival's still-secret plans, thus launching a bidding war. In the end, the first company won the battle, but it paid $15 million more than it should have. A more covert search for information might have prevented that.
"This seems to be a very common scenario," explained Lance Cottrell, founder, president and chief scientist for San Diego-based Anonymizer Inc., at Thursday's Usenix Large Installation System Administration conference. Though his 11-year-old company is best known for consumer privacy, enterprise interest has surged in cloaking the online activity companies use to gather intelligence, and in preventing information leakage.
Such behavior is nothing new. For years companies have tracked nosey competitors through reverse IP address lookup sites like whois.com, which provide an IP address's domain, physical location and sometimes even contact information and clipboard contents of site traffic. That data can then be analyzed for patterns. "You're really advertising to people what you're doing and what your interests are," Cottrell said during a presentation on Internet counter-intelligence.
But masking such activity is gaining in popularity, particularly through tools and services that run traffic through a different network. By creating a new IP address, such services prevent a competitor from counterstriking.
Another basic countermeasure is IP-based blocking, where certain addresses are barred from accessing a site. One retail tire store found itself in a frustrating situation due to this technique, Cottrell recalled. The company advertised that it would match any competitor's price, but when a customer would come in and cite someone else's online deal, the tire shop couldn't look it up on the Web because its IP address had been blocked. When they tried to call for the information, it also was blocked by Caller-ID. "It was a big problem for them," Cottrell said.
IP-based spoofing, on the other hand, directs certain IP addresses to fake Web sites containing false or misleading information. The tactic can be used to throw off rivals. During the IT boom of the late 1990s, a Fortune 500 company set up its site so that anyone coming from a competitor's IP address was sent to a different home page -- one opening with a job offer. Another, similar technique is IP-based cloaking, which configures a legitimate Web site to display inaccurate or incomplete information only when it is accessed from certain IP addresses.
Spoofing, though, is more common and comes in different flavors. Multi-server spoofing sets up several servers -- usually DNS- or router-based -- to create duplicate Web sites. Redirect spoofing sends specific traffic to an alternate page within the site. One such method, called pagejacking, redirects traffic to another site to improve search engine rankings.
Among the more interesting tricks is dynamic spoofing, which culls select criteria from known IP addresses to alter or hide pages, individual links, ads or banners and even price and availability information. For instance, if one airline knows a competitor checks its site for fares daily, it can jack up the price only when a rival's IP address tries to access the site. This can cause the other airline to advertise higher, unattractive tickets.
Major retailers sometimes employ this technique by displaying only expensive merchandise based on customers' past buying habits. If you've paid full price for an item in the past, you're less apt to find sales when you access the site later. "Each time you show a willingness to pay X, you are only shown that going forward," Cottrell explained. "Unfortunately, it's a system that's explicitly designed to screw loyal customers."
Less aggressive counter-intel involves tracking users via log analysis and Web bugs. The companies most at risk of information leakage through online use are those involved in mergers and acquisitions, research and development teams, attorneys and their clients and anyone handling intellectual property.
In each of these situations, their online activity -- what sites they visit and when and how often -- could clue in others on their intentions. As Cottrell described, "You're playing poker with your hand face-up."
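The log analysis behind the opening acquisition story can be sketched in a few lines: map each visitor address to its owner, then flag days on which several identified organizations all hit the investor relations pages. This is an added example, not code from the article or from Anonymizer; the network ranges, organization names, URL prefix, thresholds and log lines are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed owner table (RFC 5737 documentation ranges); in practice this
# comes from reverse IP / WHOIS lookups on each visiting address.
NETS = [(ipaddress.ip_network(cidr), owner) for cidr, owner in {
    "192.0.2.0/24": "Example Law LLP",
    "198.51.100.0/24": "Example Investment Bank",
    "203.0.113.0/24": "Example Acquirer Corp",
}.items()]
# Common Log Format: ip - - [dd/Mon/yyyy:time zone] "METHOD path proto" ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "\S+ (\S+)')

def owner_of(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # not a parseable address
    return next((owner for net, owner in NETS if ip in net), None)

def flag_interest(lines, prefix="/investor-relations", min_hits=3, min_orgs=2):
    """Return {day: {owner: hits}} for days when at least min_orgs identified
    organizations each made min_hits or more requests under prefix."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed entries
        ip, day, path = m.groups()
        owner = owner_of(ip)
        if owner and path.startswith(prefix):
            hits[day][owner] += 1
    flagged = {}
    for day, per_org in hits.items():
        busy = {o: n for o, n in per_org.items() if n >= min_hits}
        if len(busy) >= min_orgs:
            flagged[day] = busy
    return flagged

def _line(ip, day, path):  # builds one constructed log entry
    return f'{ip} - - [{day}:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512'

SAMPLE_LOG = (  # constructed traffic, not real data
    [_line("192.0.2.10", "02/Jan/2024", "/investor-relations/filings")] * 4
    + [_line("198.51.100.7", "02/Jan/2024", "/investor-relations/board")] * 3
    + [_line("203.0.113.5", "02/Jan/2024", "/products")] * 5
    + [_line("192.0.2.10", "01/Jan/2024", "/investor-relations/filings")]
    + [_line("10.1.2.3", "02/Jan/2024", "/investor-relations/filings")] * 9 + ["malformed line"]
)
```

Calling `flag_interest(SAMPLE_LOG)` flags only 02/Jan/2024, when the law firm and the bank both cross the threshold; traffic from an address with no known owner is ignored, which is the effect of routing requests through a different network.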