I recently had a chance to read a report titled, "Show Me the Money: Characterizing Spam-advertised Revenue" produced as a joint effort from the University of California, San Diego (UCSD), International Computer Science Institute, and UC Berkeley by Chris Kanich, Nicholas Weaver, Damon McCoy, Tristan Halvorson, Christian Kreibich, Kirill Levchenko, Vern Paxson, Geoffrey M. Voelker and Stefan Savage. I also had a chance to hear Chris Kanich speak about the topic — Show Me The Money! This post contains my notes with some photos taken from that report.
* * *
This is the question on everyone's mind. How much money are spammers making? Is it as much as everyone says it is? And am I on the wrong side of the business? These PhD students studied it. I'm normally not impressed by antispam "research" that comes out of academia1, but this group did it once before and now they've done it again2.
The group studied spam economics based on the belief that effective defenses should undermine the attacker's profit motive. Understanding the business processes underlying these attacks is the first step. Thus, while computer security research focuses on technical solutions, there is a lack of knowledge about economic realities: crime pays!
To do this the researchers focused on the spammer's point-of-view. They studied some spam advertisements and exploited data leakage. When you order something, the process is per the following:
When you buy something from the merchant, they send you a confirmation email with an order number and these order numbers run in numerical sequence. If you placed multiple orders on multiple days (or even the same day) and observed the order numbers, you could figure out how much business the spammers were doing (data leakage). That's what these researchers did. Spammers do this because they have to have good customer service. If they get too many cancellations or credit card payment refusals, the credit card processor kicks them off their network. Ergo, they have a motive to treat the customer well so their financial lifeline isn't strangled.
Who's browsing these merchant web pages?
One merchant, Eva Pharmacy (guess what they sell) recorded 752,000 distinct IP addresses visiting the page, but only 3089 distinct additions to the merchant's cart. Everyone from all over the world visits their page, but only a small number buy. Western Europe accounts for 16% of purchases and the United States accounts for 75%.
What are they buying?
The answers may surprise you, but on the other hand it also makes sense. 71% are these recreational drugs: "men's health" products, pain relief, women's health (i.e., Viagra marketed to women). The rest are non-recreational: antibiotics, antidepressants, and weight loss, among others. But even among this, there is a distribution. For US orders, 33% are non-recreational drugs and 67%recreational. However, in non-US orders, only 8% are non-recreational while 92% are recreational. The theory is that since name brand drugs are more expensive in the United States, people go online to buy them.
How much money are they making?
As explained above, the researchers reversed engineered the algorithms that spammer merchants use when they ship product (which, btw, contain mostly the correct chemicals that go into the real products). By calculating how many orders they were processing and multiplying by the average price, several spam organizations were doing the following revenue:
We don't know what their profit margins are, but some of the costs of spamming can be outsourced. For example, why build a CAPTCHA cracker when you can hire some freelancers to create accounts for you and pay them $1 for every 1000 accounts created? There are online freelancing sites with plenty of people on them who specialize in diverse products. Spammers don't need to have serious technical skills for all aspects of their projects, they just need to know where to get them.
I'm impressed with this report and those folks at the UCSD do good antispam research. Kudos from me.
1 This is because academia comes up with a new filtering algorithm that blocks less spam with more false positives than commercial solutions, or they address niche spam problems that have already been solved.
2 The other time being when they evaluated the spam value chain.
Related topics: Spam
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines