I recently had a chance to read a report titled, “Show Me the Money: Characterizing Spam-advertised Revenue” produced as a joint effort from the University of California, San Diego (UCSD), International Computer Science Institute, and UC Berkeley by Chris Kanich, Nicholas Weaver, Damon McCoy, Tristan Halvorson, Christian Kreibich, Kirill Levchenko, Vern Paxson, Geoffrey M. Voelker and Stefan Savage. I also had a chance to hear Chris Kanich speak about the topic—Show Me The Money! This post contains my notes with some photos taken from that report.

* * *

This is the question on everyone’s mind. How much money are spammers making? Is it as much as everyone says it is? And am I on the wrong side of the business? These PhD students studied it. I’m normally not impressed by antispam “research” that comes out of academia¹, but this group did it once before and now they’ve done it again².

The group studied spam economics based on the belief that effective defenses should undermine the attacker’s profit motive. Understanding the business processes underlying these attacks is the first step. Thus, while computer security research focuses on technical solutions, there is a lack of knowledge about economic realities: crime pays!

To do this the researchers focused on the spammer’s point-of-view. They studied some spam advertisements and exploited data leakage. When you order something, the process is per the following:

1. User <——product——marketer (marketer sends to a user)
2. User——product (click)——> marketer (user clicks on the ad sent by the market)
3. User——product——> merchant (marketer is out of the picture, user is now interacting with the merchant)

When you buy something from the merchant, they send you a confirmation email with an order number and these order numbers run in numerical sequence. If you placed multiple orders on multiple days (or even the same day) and observed the order numbers, you could figure out how much business the spammers were doing (data leakage). That’s what these researchers did. Spammers do this because they have to have good customer service. If they get too many cancellations or credit card payment refusals, the credit card processor kicks them off their network. Ergo, they have a motive to treat the customer well so their financial lifeline isn’t strangled.

How the purchase pair technique works. In this hypothetical situation, two measurement purchases are made that bracket some number of intervening purchases made by real customers. Because order number allocation is implemented by a serialized sequential increment, the difference in the order numbers between measurement purchases, N = 23, corresponds to the total number of orders processed by the af?liate program in the intervening time. (Source: Show Me the Money: Characterizing Spam-advertised Revenue)

Who’s browsing these merchant web pages?

One merchant, Eva Pharmacy (guess what they sell) recorded 752,000 distinct IP addresses visiting the page, but only 3089 distinct additions to the merchant’s cart. Everyone from all over the world visits their page, but only a small number buy. Western Europe accounts for 16% of purchases and the United States accounts for 75%.

What are they buying?

The answers may surprise you, but on the other hand it also makes sense. 71% are these recreational drugs: “men’s health” products, pain relief, women’s health (i.e., Viagra marketed to women). The rest are non-recreational: antibiotics, antidepressants, and weight loss, among others. But even among this, there is a distribution. For US orders, 33% are non-recreational drugs and 67%recreational. However, in non-US orders, only 8% are non-recreational while 92% are recreational. The theory is that since name brand drugs are more expensive in the United States, people go online to buy them.

The geographic distribution of those who added an item to their shopping cart. (Source: Show Me the Money: Characterizing Spam-advertised Revenue)

How much money are they making?

As explained above, the researchers reversed engineered the algorithms that spammer merchants use when they ship product (which, btw, contain mostly the correct chemicals that go into the real products). By calculating how many orders they were processing and multiplying by the average price, several spam organizations were doing the following revenue:

• $465/day, $261/day, $582/day, $749/day, $323/day, $49/day, $443/day, $192/day. This bounces around a lot, nobody is dominating.
• $560k/month, $760k/month (4RX), $1.9M/month (EuroSoft), $2.4M/month (Eva Pharmacy), $1M/month GlavMed

We don’t know what their profit margins are, but some of the costs of spamming can be outsourced. For example, why build a CAPTCHA cracker when you can hire some freelancers to create accounts for you and pay them $1 for every 1000 accounts created? There are online freelancing sites with plenty of people on them who specialize in diverse products. Spammers don’t need to have serious technical skills for all aspects of their projects, they just need to know where to get them.

I’m impressed with this report and those folks at the UCSD do good antispam research. Kudos from me.

¹ This is because academia comes up with a new filtering algorithm that blocks less spam with more false positives than commercial solutions, or they address niche spam problems that have already been solved.

² The other time being when they evaluated the spam value chain.