The Mr. Robot Hack Report: Skimming Links for Fun and Profit
Mr. Robot is a show built on hacks. The mother of all hacks serves as the big cliffhanger at the end of the show's first season, and nearly every plot development leading up to it was nudged along by some kind of exploit. It’s rare to get through an episode without at least one digital intrusion, often drawn from real life. Each week, we'll be running through Mr. Robot's C Y B E R activities — who got hacked, why, and how much magic would be required to make them actually work.
* * * S P O I L E R S F O L L O W * * *
This was another intense episode, and we left off with Elliot getting ready to simultaneously migrate Ray’s sketchy Bitcoin site and hack into America’s preeminent federal law enforcement agency. But despite all the buildup, we were once again pretty light on actual hacking, so I’m going to focus most of this week’s report on a single trick we get in the cold-open flashback, when Darlene explains why she gets free delivery food. In the episode, it was a quick flash of technical jargon, but true to form, there’s a lot to work through. The hack plays off two of my favorite systems — affiliate links and mobile proxies — so it’s worth digging into exactly what’s going on here.
Darlene eats free
First off, what exactly did she say? Let’s see it again:
I hacked the Postmates proxy that supports the APN for my boyfriend’s cell carrier. Now it does a URL rewrite and sends every postmates.com request to my affiliate link—meaning, I get $10 coupons each time a sucker orders anything.
That’s a lot! I’m going to pick up the APN and proxy stuff later, and focus for now on exactly how she’s getting these coupons. It’s a very common scheme and a very plausible one for someone like Darlene to pull off.
Affiliate links are basically the online version of kickbacks, a small bonus for anyone who sends a paying customer to a major store. If a blog tells you about a certain washing machine for sale and you click through and buy it, Amazon will pay the site around five percent of the price of the purchase. I’m using Amazon as an example since they pioneered the system, but by now there are thousands of similar programs covering basically every major store on the internet.
A network of invisible signals undergirding the internet
To keep track of who sent the customer, the stores ask participating sites to include a little code at the end of each product link. Most users never see it — and even if they did, all they’d see is an extra string of digits. But for the stores, that string of digits is a clear sign to send money to a specific user ID after the purchase goes through.
Adding those tags is an easy way for sites to make money without advertising, and there are a lot of plugins that will drop them in automatically. As a result, you find them all over the place, even on The Verge. (When I asked Nilay why we do this, he said it was because we need money to live.) And because the whole system works as a coded message between websites and retailers, most users don’t even know they’re there. It’s a network of invisible signals undergirding most of the internet, each one corresponding to a small but tangible sum of money.
If you can replace those signals in transit, that money becomes yours. It’s an extremely common way for hackers to cash out. It could be a simple hack, like a scammy Chrome extension that modifies links for a quick buck, or it could be much more complex. Earlier today, I reported on a scheme that tried to modify affiliate links for visitors at 2,500 gaming sites at once, basically a super-charged version of Darlene’s scam.
Hacking affiliate links is also one of the safer online crimes you can commit. The users don’t complain — they never knew the affiliate tags were there in the first place — and sites rarely know what’s happening. Aside from a slight drag on Amazon’s bottom line, it’s very nearly a victimless crime. You can still get kicked out of the affiliate program or specific app stores, but the odds of a SWAT team kicking down your door are pretty low.
The only quibble is that I can’t find any record of a Postmates affiliate program that gave you coupons in exchange for orders, rather than driver referrals and app installations. But let’s not get caught up in the minor details.
She’s doing all that to a specific phone?!?
This is where it gets implausibly complex! Darlene is able to insert those affiliate tags because she has direct access to all of the requests coming out of her boyfriend’s phone. By altering his Access Point Name settings (also known as APN), he’s arranged to forward his mobile data through a proxy, which is a totally plausible thing you can do if you don’t want websites to know who you are. But Darlene hacked into that proxy, so now it intercepts each Postmates link and adds her own affiliate link.
That’s really hardcore! So hardcore, in fact, that if you could pull it off consistently, you could probably make a good living on just that. It sounds like Darlene’s hack is confined to her boyfriend’s phone (which is very Darlene) and only modifies Postmates links (she loves delivery), but there’s no reason to stop there. There are at least a dozen major affiliate programs that could make you more money than Postmates. At a certain point, you get big enough to raise eyebrows from either the proxy or the affiliate programs, but only after you've made rent for the rest of the year.
Of course, that really only gets us through the first five minutes of the show — and there’s a lot more non-hacking developments to cover. White Rose said a lot of extremely cryptic stuff that sort of sounded like E-Corp is working on a bitcoin clone, and Eliot is once again tapping away at a computer while a scary man holds a gun on him. Apparently he’s about to hack the FBI? We’ll see. As always, let me know if you’ve got loose questions, even if they weren’t about this episode. Otherwise, see you next week. Talk hard!
Disclosure: NBC Universal, owner of USA Network, is an investor in Vox Media, The Verge’s parent company. Additionally, we are an independent editorial partner in the Mr. Robot Digital After Show hosted by The Verge.