
Storm botnet used to study spam

By Jake Edge
November 12, 2008

Spam is a problem that all email users suffer from, but getting a handle on the economics of spamming has never been easy. A group of researchers has changed that to some extent by publishing a study [PDF] that looks at the conversion rate of spam emails. While the methods they used were somewhat ethically questionable, the data the study provides is quite useful and interesting.

In the study, the Storm botnet's "command and control" (C&C) infrastructure was infiltrated in such a way that spam messages sent by Storm worker nodes would point the URLs in the spam at sites controlled by the researchers. By doing this, they could determine how much spam was sent and, more importantly, how much of it was clicked on. While sending spam is not very costly, it clearly does not have a zero cost, yet spammers keep sending it. This means that—unbelievable though it sometimes seems—people actually do click through spam emails; not only that, they actually make purchases from the sites where they land.

The researchers set up fake pharmacy sites—selling male enhancement products amongst other things—that would be reached via the spam links. To protect the spam "victims", a visitor to the site would be allowed to get to the checkout stage before showing a site error. It seems plausible that nearly everyone willing to fill their shopping cart with such products and enter the checkout process is a very likely buyer. In this way, the study could count not only those who followed the links, but also those who were likely to buy.

What they found was that of 350 million emails sent—they estimate 82 million actually delivered—ten thousand recipients visited the site for a click-through rate of 0.003%. Of those, 28 users actually tried to check out with products totaling over $2700. The study was run for 26 days, so this could have resulted in roughly $100 per day of revenue.
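The counting described above (messages sent, landing-page visitors, visitors who got as far as the checkout step) is the kind of funnel measurement any site operator can do from an access log. The following is an added example, not code from the study or from LWN: it parses constructed Common Log Format lines, deduplicates visitors by client address per funnel stage, and computes the same rates the article quotes; the paths /landing and /checkout, the sample addresses and the small sent/delivered counts are assumptions. The study's aggregate figures are included as one Funnel so the rates can be checked against the text.

```python
"""Campaign funnel metrics from a landing site's access log (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

LANDING = "/landing"    # page the spam URL points at (assumed path)
CHECKOUT = "/checkout"  # step at which the study's site showed an error (assumed path)


@dataclass(frozen=True)
class Funnel:
    sent: int       # messages the campaign handed out
    delivered: int  # estimated to have reached an inbox
    visitors: int   # distinct sources that loaded the landing page
    checkouts: int  # distinct sources that reached the checkout step

    def click_through_pct(self) -> float:
        """Visitors as a percentage of messages sent (the article's 0.003%)."""
        return 100.0 * self.visitors / self.sent

    def delivered_click_pct(self) -> float:
        """Visitors as a percentage of messages estimated delivered."""
        return 100.0 * self.visitors / self.delivered

    def checkout_pct(self) -> float:
        """Checkout attempts as a percentage of visitors. This is an upper
        bound on real buyers: a visitor can reach checkout with garbage data."""
        return 100.0 * self.checkouts / self.visitors if self.visitors else 0.0


def parse_log(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one record per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            yield rec


def funnel_from_log(lines: Iterable[str], sent: int, delivered: int) -> Funnel:
    """Count distinct client addresses per funnel stage.

    Deduplicating on address is a crude visitor proxy (NAT merges users,
    crawlers add noise), which is why the checkout stage is the more
    informative number.
    """
    seen = {LANDING: set(), CHECKOUT: set()}
    for rec in parse_log(lines):
        if rec["path"] in seen:
            seen[rec["path"]].add(rec["ip"])
    return Funnel(sent, delivered, len(seen[LANDING]), len(seen[CHECKOUT]))


def daily_revenue(total_cart_value: float, days: int) -> float:
    """Average cart value per day over the observation window."""
    return total_cart_value / days


def study_funnel() -> Funnel:
    """The aggregate figures reported in the article, as one Funnel."""
    return Funnel(sent=350_000_000, delivered=82_000_000, visitors=10_000, checkouts=28)


# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.10 - - [03/Apr/2008:10:12:01 +0000] "GET /landing?c=pharma HTTP/1.1" 200 5120
203.0.113.10 - - [03/Apr/2008:10:15:02 +0000] "POST /checkout HTTP/1.1" 500 88
198.51.100.7 - - [03/Apr/2008:11:02:11 +0000] "GET /landing?c=pharma HTTP/1.1" 200 5120
198.51.100.7 - - [03/Apr/2008:11:02:15 +0000] "GET /landing?c=pharma HTTP/1.1" 200 5120
192.0.2.55 - - [04/Apr/2008:09:00:00 +0000] "GET /landing?c=pharma HTTP/1.1" 200 5120
192.0.2.56 - - [04/Apr/2008:09:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 0
this line is not a log record
""".splitlines()


if __name__ == "__main__":
    f = funnel_from_log(SAMPLE_LOG, sent=1_000, delivered=250)  # assumed counts
    print(f, f"click-through {f.click_through_pct():.2f}%, checkout {f.checkout_pct():.1f}%")
    s = study_funnel()
    print(f"study: click-through {s.click_through_pct():.4f}%, "
          f"checkout {s.checkout_pct():.2f}% of visitors, "
          f"about ${daily_revenue(2700, 26):.0f}/day")
```

On the sample log the repeat visit from one address and the crawler hit are not counted, giving three visitors and one checkout attempt; on the study's figures the same functions give the article's 0.003% click-through rate, a checkout rate of 0.28% of visitors, and roughly $104 per day of cart value over the 26 days.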

Also of interest were the campaigns that were run to test the propagation of the Storm malware. This is normally done by sending spam that directs users to a website (via a "you have received a postcard" message) and entices them into clicking a link that will download and install the malware. The percentages of click-throughs were slightly higher (0.004-0.006%), but a rather large percentage of those (almost 10%) actually clicked the malware link once they reached the website. The researchers' version would download a benign executable, but the clear implication is that a small, but useful, number of users would actually add themselves to the botnet more-or-less voluntarily.

While the study is quick to point out that it represents only one data point, there is some value in extrapolating what the botnet might be able to generate in terms of revenue:

Different campaigns, using different tactics and marketing different products will undoubtedly produce different outcomes. Indeed, we caution strongly against researchers using the conversion rates we have measured for these Storm-based campaigns to justify assumptions in any other context. At the same time, it is tempting to speculate on what the numbers we have measured might mean. We succumb to this temptation below, with the understanding that few of our speculations can be empirically validated at this time.

The conclusion is that something on the order of $7000-9500 per day could be generated, which equates to $2.5-3.5 million per year—a tidy sum by any measure. There is some additional speculation that because of the retail cost of sending spam (rumored to be something like $80 per million sent), it only makes sense that the Storm operators and the "pharmacies" are one and the same. The sites used for propagation of the Storm malware have similarities to those used by the shopping sites, which also indicates a close association between the two. The study makes the following, perhaps overly optimistic, argument:

If true, this hypothesis is heartening since it suggests that the third-party retail market for spam distribution has not grown large or efficient enough to produce competitive pricing and thus, that profitable spam campaigns require organizations that can assemble complete "soup-to-nuts" teams. Put another way, the profit margin for spam (at least for this one pharmacy campaign) may be meager enough that spammers must be sensitive to the details of how their campaigns are run and are economically susceptible to new defenses.

The full paper is well worth a read for those interested in botnets or spam, but there are some ethical questions to consider as well. Is it reasonable to use other people's computers for your research without their consent? There is no easy answer to that question. The researchers outline their argument, which boils down to "we strictly reduce harm". Because they are just intercepting and modifying orders that are already being sent to workers, their research did not increase the amount of spam sent, nor did it increase the work that others' computers would do.

Since the spam that they arrange to be sent is harmless—at least in terms of selling bogus medicine or propagating malware—they have actually reduced the number of harmful spams sent. While their arguments seem at least well-thought-out, it is not something that would be fun to try to explain to a judge bent on enforcing some of the poorly-thought-out computer crime statutes. The researchers seem confident that their methods will pass muster, though: "We have been careful to design experiments that we believe are both consistent with current U.S. legal doctrine and are fundamentally ethical as well."

It is difficult to see how this kind of data could be gathered without co-opting Storm or another spam-sending botnet. From that standpoint, the researchers took the only path they could, but they certainly appear to have considered the legal and ethical landscape. While there may be a tendency to overestimate how widely applicable the data is—which the authors warn against—it does provide a nice look under the covers of the botnets delivering spam to one's inbox daily.



Storm botnet used to study spam

Posted Nov 13, 2008 2:38 UTC (Thu) by paravoid (subscriber, #32869)

While you do link to the study itself, I think that it would be more polite if you included the names of the researchers in the article.

Storm botnet used to study spam

Posted Nov 13, 2008 14:39 UTC (Thu) by jake (editor, #205)

> While you do link to the study itself, I think that it would be more
> polite if you included the names of the researchers in the article.

I probably should have. There were seven of them, so it made it somewhat daunting, but your point is a good one.

jake

Storm botnet used to study spam

Posted Nov 13, 2008 7:59 UTC (Thu) by ekj (guest, #1524)

Actually, it's not reasonable to assume that everyone "entering the checkout-process" is a real buyer.

I've been known to not only enter, but even complete registration or checkout on obvious spammer-sites and phisher-sites, filling their forms with complete garbage.

So even -completing- the checkout-process is likely to overcount the number of real customers. At the very least, they should check if the person is willing to give them a real credit-card-number. (yeah, I know, there are ethical dilemmas in that, even if they don't actually charge anything)

Storm botnet used to study spam

Posted Nov 13, 2008 12:12 UTC (Thu) by ajb (subscriber, #9694)

Huh, I wonder if the credit card companies could actually issue *real* credit card numbers for people to enter into suspicious sites, to help them trace the perps. Of course, one would have to work out exactly what should happen if someone enters one on a legitimate site.

Storm botnet used to study spam

Posted Nov 13, 2008 17:23 UTC (Thu) by dankamongmen (subscriber, #35141)

> Huh, I wonder if the credit card companies could actually issue *real*
> credit card numbers for people to enter into suspicious sites, to help
> them trace the perps.

According to various speakers I've seen here at the GTISC, this precise activity goes down every day.

Prizes for users

Posted Nov 16, 2008 4:00 UTC (Sun) by dmarti (subscriber, #11625)

...and you could reward the users who help you catch a spammer with _real_ Viagra, donated by Pfizer's marketing dept., which also wants to shut down distribution of the fake stuff. (now let's see if I have enough juice on LWN to post a comment containing the V-word.)

Prizes for users

Posted Nov 16, 2008 19:06 UTC (Sun) by ris (editor, #5)

> ...and you could reward the users who help you catch a spammer with _real_
> Viagra

Doesn't seem like an incentive to me, nor many users that I know.

Rebecca

Storm botnet used to study spam

Posted Nov 13, 2008 12:54 UTC (Thu) by etienne_lorrain@yahoo.fr (guest, #38022)

> 28 users actually tried to check out with products totaling over $2700

Well, is the purpose of the "pharmacy" to sell something or to get a valid card number to generate a bogus transaction?
I do not have a clue if the customer receives something, and I am not that curious to try it.
If the "pharmacy" gets a way to generate real money with a valid card and its details, it may be a lot higher value than the product price.

Storm botnet used to study spam

Posted Nov 16, 2008 13:52 UTC (Sun) by JohnNilsson (guest, #41242)

The argument that they "strictly reduce harm" is wrong though.

The harms with these spams are two that I can see:
1. Your computer is taken over and is forced to participate in the botnet
against your will.

By providing a harmless executable this harm is indeed reduced.

2. Your inbox is targeted with mails you don't want to read, and have no
way of opting out from.

By just altering the links in the spam the researchers haven't reduced this
harm at all.

They have incurred some harm though.

We'll have to assume that the persons who _DO_ want to buy the products
actually:
1. Want to receive the mail
2. Want the mail to contain accurate ordering information

By altering the content of the mails the researchers have harmed the
business relationship between these people and the people behind the spam.
The consequence being that some businesses are cheated of their investments
and some customers tricked into participating in a research study against
their will while at the same time losing their opportunity to buy the
products they otherwise would have been able to buy.

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds