For instance, one could infer how well a business is doing on the stock market and make appropriate purchases or sales to reap millions, says Jeremiah Grossman, CTO, and Arian Evans, director of operations, at White Hat Security.

Ordering a company's stock online and receiving an order number, then doing the same thing later and comparing the order numbers, which in many cases are sequential, can indicate how much of a company's stock is being traded over that time interval, says Grossman, who with Evans presented "Get Rich or Die Trying—Making Money on the Web the Black Hat Way." Buying or selling based on that can result in big profit, he says.

In addition, White Hat has come across other exploits in its work penetration testing customers' Web sites, Grossman says.

In one instance, an Estonian financial firm managed to crack the URL format used by Business Wire for embargoed press releases that detailed earnings-related data about corporations. The firm used that data before it was public and profited $8 million before the Securities and Exchange Commission (SEC) caught the activity and halted it.

In a similar case, a Ukranian hacker broke into Thompson Financial for data on a health firm and reaped $300,000. The SEC froze those funds, but a judge ordered them released to the hacker because the hacker wasn't an insider and therefore couldn't be charged with insider trading. He might have been charged with hacking, but he was in the Ukraine, where official cooperation with prosecution was unlikely, Grossman says.

During his talk Grossman displayed checks for $132,994.97 and $901,733.84 from Google to people who used cookie stuffing to reap payments for driving traffic to Web sites.

The way it's supposed to work, someone with a Web site includes a link to an affiliated business' page. If a consumer clicks on it, their computer gets a cookie and if they buy something later, that cookie notes what Web site referred the buyer and that site gets a payment.

Scammers have developed elaborate schemes to exploit the system, Grossman says, starting with sites automatically hitting visitors with the marker cookie as soon as they visit the scammer's pages. All visitors get the cookie, not just those that click on the link. If a visitor later happens to buy something from an affiliated site, the scammer gets money.