What's the Harm If I Get What I Pay For? End-to-End Analysis of the Spam Value Chain

Have you ever wondered what would happen if you actually responded to an online offer for an herbal supplement or an enhancement drug? As any active emailer knows, there is a relentless tide of spam out there, and while filters and other techniques keep an amazing amount of spam out of users’ inboxes, spam still manages to seep in, and those dietary supplements, herbal remedies, enhancement drugs and even watch offers show no signs of stopping.

Christian Kreibich from the Berkeley-based International Computer Science Institute and his team wondered about those spam offers too, so they researched the complete lifecycle of a spam offer, from receiving the offer, to ordering, to payment, all the way through to product receipt. It is an interesting analysis to be sure. Kreibich presented the findings of the analysis at the Messaging Anti-Abuse Working Group’s (MAAWG) 22nd General Meeting in San Francisco last week.

The spam trail encountered by Kreibich proved to be 95% pharmaceutical, so much of his talk centered on the tracking and ordering of supplements, enhancers, prescription and over-the-counter drugs. During the analysis period, the group attempted 120 purchases, of which 76 were authorized and 56 settled, resulting in 49 deliveries. The reason the deliveries and the purchase attempts are not closer in number is that some of the programs stopped taking orders from the researchers, even though the researchers changed where deliveries were to be shipped and used different names.

“It got progressively harder to make purchases,” admits Kreibich. “Generally, you do get deliveries because the merchant needs to maintain a good relationship with the banks.”

Where Is the Harm?

So, does this mean that it’s okay for you to order that herbal supplement offer you keep receiving, but were afraid to because you might not get what you paid for?

“The analogy I would use for spammers actually fulfilling orders is a bit like a window company throwing a coupon wrapped around a brick through a prospective customer’s window,” responds Michael Osterman, analyst and president of Osterman Research, Inc. “Even if the glass company actually shows up on time to replace the glass and their quality is good, the method of marketing their services is still a problem. In the same way, spammers eat up bandwidth and storage on prospective customers’ servers, desktops, etc. in exchange for potentially offering a decent product. Fulfilling an order is good, but the method of gaining the customer in the first place is not.”

Kreibich agrees, saying, “There is tremendous technical collateral damage in this business. Beyond this, I’d add first that the advertising model of spam is completely illegal virtually anywhere due to the way it’s realized because it’s facilitated by relying on infected machines. Secondly, a substantial part of the products one can order are illegal in the country you order from. For example, many of these shops will sell you prescription drugs, right up to cancer medications, without the need for a prescription.”

Having your computer become part of a botnet that aids in the spewing of spam is a definite danger of doing business with spammers. Spammers are not reputable in the business world, although they are clearly successful; otherwise they would not continue. So what about the money trail?

Payment Infrastructure

A key insight came from following the money trail: just three merchant banks account for 95% of the processing of payments related to spam. The banks were Azerigazbank in Azerbaijan (Eurasia), St Kitts-Nevis-Anguilla National Bank Limited in the Caribbean, and DnB NORD in the Baltic States. Indeed, some feel that this bottleneck might be a point of vulnerability in the spam trail. Would it be possible to halt the payment processing with a kind of financial blacklist?

Perhaps, believes Kreibich, but it would have to be done through the Western bank. “If the issuing bank refused to settle certain transactions it could have a significant impact.” Kreibich points to online gambling as a possible precedent for such action.

Asked if the product delivered was indeed the product ordered, Kreibich replies, “In general, you do get a delivery. We have done ‘some’ component analysis via mass spectrometry that confirmed the right active ingredients and composition for some ‘herbal supplements.’ But we are in no way saying that people generally get the real drug or right combination of ingredients.”

Still wondering about responding to a spam offer? Spam experts advise against it: “Very often, those who order by spam don’t always get what they order,” warns MAAWG Chairman and Comcast Distinguished Engineer Michael O’Reirdan. “The problem also is that once they have ordered via spam, they also set themselves up as targets for other spam, which might be a vector for malware.”

Learn more about the research by reading Kreibich et al.’s paper: Click Trajectories: End-to-End Analysis of the Spam Value Chain