Piracy, Fraud Prevention Guide for Adult Paysites

Editor’s note: Following was provided by a client of Walters Law Group. The author, an online adult industry veteran, has chosen to remain anonymous.

After carefully monitoring the usage patterns of thousands of subscribers to our adult paysite network, I have come to the conclusion that 99 percent sign up solely for selfish means and this is a good thing.

[I]t only takes one bad apple to take a good chunk of your paysite and put it online for free.

“Selfish” here means they are only accessing your site solely for their own pleasure and nothing more. You can rest easy when they come for a visit. However, there does exist a small minority — that last 1 percent — that may in fact wish to gain access for nefarious reasons. “Nefarious” in this sense is meaning to download as much as possible and/or upload it across the internet without your permission.

This is a guide that should help minimize the chances of that 1 percent ever becoming a subscriber to your site. Piracy will always exist and what’s written below should only help with reducing said risk down to an acceptable level. Please note that this guide should only serve as an outline. Other matters such as overall customer dissatisfaction potentially coming from poor customer service and a broken site may also lead to spiteful ex-subscribers — those formerly of the selfish 99 percent — putting your content on websites best avoided.

Using the below information along with sound fraud prevention screening techniques already implemented by various IPSPs and merchant processing gateways has reduced nefarious usage to a point where as of writing this, our main site has only seen one very small instance of illegal uploads on a major piracy distribution channel in the last two years in spite of having thousands of subscribers during the same period.

Lastly, remember that it only takes one bad apple to take a good chunk of your paysite and put it online for free. It’s imperative to try your hardest to ensure that person can never become a subscriber of your paysite.

Part I: Post-Screening New Subscribers

Always look over new subscriber billing and login details and their first login attempts as soon as possible to ensure they do not appear suspicious! Here are characteristics of the selfish 99 percent. Your average new subscriber will most likely:

• Be male (unless you operate a female-oriented paysite).
• Use a free non-disposable email address most likely consisting of their name (example: firstname.lastname@gmail.com).
• Log in using a residential ISP and IP address.
• Log in once every few days and nibble at his desired content.
• Login within minutes after subscribing. 

Here are characteristics of nefarious 1 percent. The following serves as risk signals for subscribers who may be nefarious:

Minor fraud rank signals (if a subscriber has only one of these associated with their logins, it’s probably safe to group them with the 99 percent):

• Logging in through a VPN. VPNs by themselves are fine to use, but most 99 percent subscribers still use unencrypted residential lines.
• Nonstandard email address. Those who have their own domains and email addresses that may seem juvenile.
• Disposable email addresses like Mailinator.com
• Not logging in right away (hours). Most subscribers login within minutes after signing up. Nefarious subscribers may opt to wait a bit in order to allow their usernames to blend in with the crowd.
• Foreign language usernames/passwords in a language the subscriber probably doesn’t know. For example, John Smith from Delaware with a Romanian username/password in conjunction with other fraud rank signals.
• Female subscribers (ignore if you run a female customer-oriented site). It’s a fact for most adult paysites that female subscribers are extremely rare. From my own experience, legitimate female subscribers per year can be counted on one hand. If you ever get the elusive female signup, it may be a sound idea to ensure none of the other fraud risk signals are met. One other thing to look out for is actual site usage patterns: is she accessing the types of movies mainly only heterosexual men may prefer or is she sticking with lesbian and other similar types of titles? If the former, you may wish to temporarily suspend access.

Major fraud rank signals (if even one of these are spotted, you’d best immediately terminate the subscription):

• IP mismatch where actual IP address used for logging in is from a high-risk country.
• If you receive a signup from someone with a U.S. billing address, but their logins are coming from, for example, an IP address in Romania.
• Email address is literally from a pirate site domain.
• Believe it or not, this has happened to us. Some people are really, really stupid.
• Multiple decline attempts followed by a successful signup.
• Unless you’re operating the type of paysite that receives hundreds of new signups a day, you should be on the lookout for a group of declines (usually with at least one repeating feature such as the same IP or email address) that happen one after another with a successful signup at the end. Almost certainly this is someone using stolen credit cards.
• Your billing provider should be emailing you anytime you get a decline and even if they don’t, it’s important to stay afloat of the billing side of your site on a very regular basis.
• Not logging in right away (days). Yes, not logging in right away by itself is both a minor and major fraud rank signal. The difference is if it’s been days and the subscriber still hasn’t logged in even once, it could be a more crafty Nefarious user waiting even longer to blend in.

High-risk countries and subscribers: If a potential subscriber has a billing address, IP address, and a card issued from a country considered high risk, then most likely they are a legitimate user and you should not worry about their visits. It’s only when they match other fraud rank signals when you should become concerned.

Take note of what potentially fraudulent users have downloaded before termination! If a potentially fraudulent subscriber managed to get in and start downloading before you terminated their subscription, do take note of what files they accessed. Thus, if you get another suspicious signup that you believe may be them again, see if they continue right where they left off. If there are some eerie similarities in usage, then this is another fraud rank signal to use when deciding on subscription termination.

Is looking over each new subscriber for these signals tedious. I don’t believe so. In fact, once you have the above rank signals internalized, outside of the rare chance you do encounter a suspicious signup (which in our situation may happen a few times a month at most), you’re looking at spending perhaps 30 seconds with each new subscriber.

Part II: Daily Operations and Risk Prevention

A combination of tips and guidelines to prevent fraudulent site usage and keep leechers at bay.

Preventing Slash-And-Burn Leeching

• I highly recommend not making your paysite 100 percent unlimited.
• Regardless of what and how you offer your content, there should be some limit in place as per data access allowances. This guide will not cover the specifics since every site is different, but your best bet is to survey what the majority of subscribers use in a given month and set a limit that’s perhaps double that. Alternatively, figure out how much content the subscriber accesses per visit and perhaps make the limit double (as even subscribers within the 99 percent may wish to binge from time to time).
• Assuming your data access caps are not too low, subscribers who reach them every single day for days or even weeks on end are high risk.
• It’s possible they may just want to grab all the content for themselves and it’s possible they could be of the Nefarious 1 percent. Either way, if you notice a subscriber whom after two weeks is literally hitting your cap every single day, it may be wise to cut them off. After all, you can’t satisfy everyone.
• Make downloading slightly inconvenient.
• There are times when a good user experience is paramount, but there are things one can do in terms of paysite design that may slightly annoy subscribers, but will also reduce the risk of someone attempting to upload large portions of your site:

1. Split downloads up into scenes (or less).
2. Move download links to an out of the way place on the page.
3. Ensure subscribers cannot download more than several files at a time.
4. Attempt to prevent the use of third-party download managers.

These four points may annoy some legit subscribers, but assuming what you offer is unique enough, it should not result in them canceling.

The Temporary Username Suspension Email Test

Temporarily suspend access to a suspicious username such as ones that match some of the fraud ranking signals noted above. See if they email you asking why they can’t login—or if they do at all. If a username you fear may be part of the 1 percent simply doesn’t email back after a few hours (or a day at most), there’s a good chance it is indeed fraudulent and you may cancel and refund the charge along with putting their information on your blacklist. If they do email you about login issues, ensure it comes from the email address on file and take note of how the email is written. If the subscriber comes from an English-speaking country, but the email is in very broken English, you may wish to err on the safe side and permanently terminate the subscription. If the email appears legit, re-enable their username and blame it on some random technical issue. Perhaps credit a day to their subscription as well if you see fit.

The IP Check Username Suspension Test

Temporarily suspend username and see if they try logging in with other IP addresses — especially take note if country changes. U.S. billing address, U.S. IP address, but switches to Indonesian residence after suspension.

Check Your Access Logs ... Often!

Your access logs — the logs that show your user logins (both successful and failed and also show data access records for each user) — are probably more important than your server stats graphs (which you also should be watching regularly to ensure your server is running correctly!). Watch your access logs carefully and often.

• Reload them throughout the day.
• Refresh them every hour if possible.
• When you wake up in the morning, look over what you missed when you were asleep.
• Keeping watch over your access logs may be the first line of defense when spotting any inconsistencies both with new subscribers and long-time ones. Don’t just leave site security up to software solutions; they may do their job, but sometimes it requires a human eye to spot any exceptional anomalies, like a long-time subscriber from U.S. suddenly logging in from a developing nation. Is the subscriber simply on vacation? Keep your eye on the username over the next few hours and days to see if the IP address and/or country starts rapidly changing.

Credential Stuffing

• Credential stuffing can be considered the more sinister step-sibling of a brute-force attack. Rather than simply running a dictionary attack or even an attack based on globally leaked usernames and passwords, the ‘hacker’ may attempt mass logins solely using usernames and passwords harvested from other (adult) websites. In an extremely bad situation, he may have collecting usernames via brute forcing your own username generator.
• Unlike the multitude of users who simply may do a search for ‘free password’ and try those logins which inevitably all fail and thus can be ignored, someone attempting to gain access to your site using Credential Stuffing should have his IP addresses banned immediately at the firewall level.
• If someone using this method ended up logging in successfully, be sure to change the passwords to those subscriptions immediately!
• If someone using this method ended up logging in successfully, have your IT staff comb over both your server’s and site’s access logs and see if he can spot how the credential stuffer harvested his usernames.

How to Handle Brute Force Attacks

If you are running a site with unique content, there probably will come a time when someone may try to gain access via a brute force attack. Unlike credential stuffing, which at times may share some similarities and should be treated very seriously, brute force attacks mainly are just annoying and rarely effective. Someone who wishes to gain access this way may just be one of the nefarious 1 percent who only wants the content for himself ... or he could also aspirations of ‘sharing’ it with others in his community. Either way, even though the chances of finding a successful username are low, you don’t want these types gaining access to your site.

Here are some pointers on how to deal with brute force attacks though please note this is based off the custom-built security software we use. If your site does not have these features in its own back-end, I would highly recommend hiring a competent programmer to put them in:

If the attack is currently active, the following in the following order is suggested:

• Reduce the number of failed logins per IP address before it gets auto-banned from x to perhaps 3 (you don’t want it to greatly inconvenience regular subscribers who may fat-finger their passwords from time to time). For our site, x normally is 10 login attempts.
• Allow the brute forcer to keep his attack going. Inevitably all his IP addresses will be blocked.
• Once all (or most) of his IP addresses are blocked, open up your site’s IP block list and ensure all those IP addresses are then blocked in the server firewall.
• Once the firewall block is confirmed, restore the number of failed login attempts back to x.
• If he later on returns with more IP addresses to waste, rinse and repeat the above steps.
• DO take note if any of his attempts resulted in successful logins. Hopefully whatever security software you use has an option to only show successful logins in the access logs because otherwise you’ll be spending a lot of time going through thousands of failed logins to find any successful ones. If you see any strange logins during the life of his brute force attack, then you’d best change those passwords and notify the affected subscribers immediately.

If the attack is has already happened, the following in the following order is suggested:

• DO take note if any of his attempts resulted in successful logins...see last point from above currently active brute force attacks for more information.
• Even if you had failed logins before a username block set to 10 attempts, all of his IP addresses should have been blocked already on the site level as he most likely used the same IP addresses dozens and dozens of times in a row. It’s still a sound idea to have them blocked in your server’s firewall too in case he returns again.
• If he does return again, rinse and repeat the above steps.

Failed Login Message

Don’t give away too much information! If someone is trying to gain access to your site via unsavory means, it’s best they know as little as possible as to why their login attempts keep on failing.

"You have entered an invalid username" and "You have entered an invalid password"

• These are two types of error messages you never want to show during a failed login attempt. Both allow someone unsavory to get an idea as to what actually are valid credentials. Stick with a generic ‘login failed’-type error message.
• Do not ever make it clear that an attempted username is already disabled.
• Do not ever make it clear an attempted IP address is already blocked on the site level. Again, the less a nefarious user knows, the better! Shadowban them!
• It’s possible an actual subscriber may sometimes become confused if he fat-fingers his credentials and receives a generic ‘invalid login’ message, but from my experience, thanks to password managers this doesn’t too happen.

Server-Hosted Username Creation Risks

• It’s very common nowadays for sites to allow usernames and even passwords to be inputted before the potential subscriber is sent to the actual credit card input page. I think this is a horrible idea for several reasons:
• Less security-related: you’re asking the user to put down the mouse not once, but twice: first on your site’s join page where he enters his basic user info and clicks on the desired subscription plan and then again on the actual credit card input page. Your potential subscriber is almost certainly in an ‘excited’ state and you’re causing him to slow down. Don’t do this.
• More security-related: it’s possible a somewhat savvy Nefarious user may create a custom program that could brute force your username selection script. This has happened to us in the past and it wasn’t obvious until he started Credential Stuffing several dozen active usernames in a row. Unfortunately for him, his technical prowess did not extent to switching his IP and several dozen usernames logging in in a row with the same IP address led to a quick firewall ban. If you are going to allow usernames to be created server-side, ensure there is no way for someone to brute force to discover active usernames.

Part III: Spy Game

Electrolysis for piracy prevention.

Befriend the ‘Enemy’

Out of everything I have wrote in this guide, what I cover here is probably going to be the most controversial. I’m sorry if some of those reading may find offense to this, but the method of attacking piracy as it stands now is war that may never be won. Even with the following pointers, it’s a war in the conventional sense that will go on forever. There always will be people who want your content and have zero intentions of ever paying for it. However, befriending the ‘Enemy’ — in other words, maintaining communication with some of your more ‘unsavory’ fans may help more than hurt.

Assuming your niche has discussion boards, it may be in your best interest to actively participate on them.

• Not everyone who posts there are your enemies. Many view us as unapproachable corporate behemoths. It may seem sacrilegious to say this, but simply associating with some on discussion boards for whatever fetish you promote on your paysite (assuming one such board exists) may help develop that important human connection.
• Don’t judge a forum’s popularity solely by how many people are posting. If it’s a forum where ‘sharing’ occurs, expect many more people to simply lurk and it’s more than possible that your active and non-confrontational presence may lead to them thinking twice about pirating your works.
• For our own sites, we’ve actually seen forum posters take our defense when users ask for our content. Instead of somebody uploading it illegally, without us even asking, there will be multiple posters telling the person looking for a ‘free sample’ to simply subscribe instead.
• If you do decide to ever post in these forums, stay civil. Do not attack users—even uploaders. Being a paysite operator, your views on piracy are a given; you know them and they certainly know them as well.

Become the ‘Enemy’

Let’s say during one of your daily patrols, you discovered someone uploading your movies to some sort of user-generated content site (a site where uploaders use usernames and a messaging system of some sort exists). Aside from DMCA’s, what else can be done? How can we nip this problem in the bud rather than sending takedowns after takedowns?

Although in ‘Befriend the ‘Enemy’’ from above, I recommended to openly participate on discussion forums about your niche — even when file sharing talks take place — there may also be a time where it may be in your best interest to create an ‘alternative’ username for special situations ... like befriending an uploader of your content in order to figure out whether he’s an active subscriber. Here’s what you do in the following order:

• You spot new uploads of your content from “Uploader-A.”
• Send him a private message asking him if he can get more from your site.
• If he replies back (or you can include this in the initial message), ask him to get a few movies from your site.

IMPORTANT: be sure to pick out a couple of older and unpopular updates (we all have them). He’ll either get back to you soon or he doesn’t. What you do in a few days is to check your access logs and see what IP addresses — if any — accessed those older and unpopular movies. If they did, see if any of those IP addresses are also used by an actress subscriber.

Older and unpopular movies are an ideal choice here since you probably will have less IP addresses to comb through before finding your needle in the haystack.

• If you did locate an active subscriber that just so happened accessed the same movies you requested “Uploader-A” to get for you, to err on the side of caution, see if other files uploaded to the site were also accessed by the same subscriber.
• If everything’s a match, you found your patient zero.
• Terminate the subscription.
• If user messages you on the forum afterword with some sob story about his username being killed, play along. Do not blow your cover. The last thing you’d want is for other forum posters to know you have a secret username used for these types of covert operations.

To reiterate what I wrote at the beginning of this guide: piracy will never total die out. No matter how hard you attack it — be it via pre-screening methods provided by most billing processors, via post-screening as covered by this guide, via DMCA-sending services, and even via spy game, you will never totally annihilate it. There always will be people who simply will not want to pay no matter what.

I hope what I wrote can help you re-evaluate how you tackle both piracy and fraudulent subscribers. Take what’s outlined here and apply it to your own methods and provided that you’re vigilant, you should almost certainly see both chargebacks and illegal uploads drop significantly. Both may probably never reach zero, but there’s only so much we can do.