This is, of course, about the recent NYT article that showcases the results of Prof Stefan Savage and his colleagues from UCSD/Berkeley.
As my good friend and longtime volunteer at CAUCE, Ed Falk, points out, this is a great find, but hardly a FUSSP.
The nice thing about the fight against bots and spammers is these little victories people on "our" side keep having in an endless series of skirmishes and battles. Sometimes, a significant victory such as the takedown of a vital enemy strategic asset. [yes, I'm overdoing the cyberwar analogy here, thank you]
It is a familiar pattern.
Some significant victories involve takedowns of hard targets. Take down an estdomains here, an intercage there and watch the spam volumes take a significant, but temporary nosedive while the bad guys scramble to regroup and find new resources.
Other longer term but equally significant victories involve convincing people on our side to follow best practices and take proactive action against abuse issues. For example, there was a concerted effort by several people across stakeholder communities in 2007 to convince and assist HKDNR to stop the then rampant abuse of the .hk ccTLD by spammers. I wrote about this on CircleID back in 2008, after an AV vendor's report flagged .hk as the most unsafe domain, entirely based on data about this abuse, months after outstanding abuse issues had been resolved and proactive abuse prevention measures put in place by the .hk operator HKDNR.
Coming back to Prof. Savage's findings, after putting them into a bit of context with that history lesson.
Taking down a whole bank is not as easy as shutting down a shell company registrar of course, but is definitely possible by the country's banking regulator. A cleanup at least does sound possible — because cancelling a bank's license may, or may not, depending on the bank, result in significant collateral damage caused to the rest of the bank's customers who might be joe average citizens who are not money launderers, phishers, sellers of illegal drugs etc.
There have been, of course, shell company banks, but even in legitimate banks, this does look like a fit case to arrest the right bank manager + staff, and freeze the right accounts for investigation.
This of course involves action from the banking regulator and law enforcement who have jurisdiction in the countries where the banks are located. However, financial fraud and money laundering is an area that has far more international cooperation and rigidly enforced conventions than cybercrime does, so the potential for action certainly exists. Remains to be seen what's done in the case of these three banks.
So, assuming some or all these hard targets from Prof. Savage's research do get taken down, or at least cleaned up to make them inhospitable to the online pill operations, what are the ways they can regroup and fall back to alternate positions?
Shutting down merchant accounts, freezing bank accounts and arresting a few complicit bankers here and there would bring about a fast enough movement to alternative payment mechanisms, and/or to jurisdictions where, for example —
In any case, a lot of the underground economy players seem to prefer online virtual currency from various sites, several of which are based for legal immunity and banking secrecy reasons in the usual jurisdictions.
There are also some (not so) surprising alternatives to online virtual currencies such as World of Warcraft gold, that are easily convertible to cash (ask any hardcore but lazy gamer what the going rate for gold is). If they're a target for phishers, the chances are high that they are also being used as a virtual currency by scam artists.
The new kid on the block is bitcoin, a p2p virtual currency, through which you can buy a surprising lot of stuff, from the services of a law firm specializing in internet law (great), to sites providing "high anonymity vpn". Just how the idea of a p2p virtual currency that's generated by lending your CPU — or GPU — cycles to generate cash, and that has strong encryption built in, combines with the idea of botnets taking over PCs that are part of bitcoin's P2P network, is an interesting train of thought.
As a final fallback, there are, of course, the ever present money laundering channels that bypass conventional international payment systems — such as one that is known internationally by its indian subcontinent name of Hawala. Cumbersome and slow, but extremely anonymous, and ubiquitous, with a near global coverage thanks to an informal network of money launderers.
All that said and done, I do wish the various stakeholders in this game all the best in cleaning up the rat's nest that Prof. Savage's excellent paper has just shined a bright light on, thanks a lot to the NYT.
By Suresh Ramasubramanian, Architect, Antispam and Compliance
|Cybersquatting||Policy & Regulation|
|DNS Security||Registry Services|
|IP Addressing||White Space|
Minds + Machines
Neustar DNS Services
Neustar DDoS Protection