Researchers analyzing spam operations found that they are run like any other business, albeit an illegal one, and rely on banks' merchant services to function.
Cyber-criminals are running their malware and spam operations like a business, security researchers said.
The nature of cyber-crime has changed from a few years ago. Cyber-criminals often have ties to organized crime and are not just script kiddies messing around in the basement. The evolution means the criminal enterprise has similar infrastructure requirements and business concerns as a legitimate company, according to Derek Manky, a threat researcher at Fortinet.
A "crimeware syndicate" relies on a team of "employees," such as affiliate partners and ground-level forces who push malware onto unsuspecting victims, according to Manky. The syndicate also has to manage the money coming in, track the amount of malware distributed and meet payroll, Manky found.
A recent research paper presented at the IEEE Symposium on Security and Privacy in Oakland, Calif., highlighted another aspect of the cyber-criminals' business. Instead of focusing on how spam is distributed, the researchers decided to "follow the money" for global spam.
"While most attention focuses on the problem of spam delivery, the email vector itself comprises only the visible portion of a large, multifaceted business enterprise," the researchers wrote.
The spam "business" actually has many other parts beyond the botnets that flood users' in-boxes with spam messages. Attackers also have to consider domain registration, name server provisioning, hosting services and proxy services to prepare the attack portal.
Spammers also process orders, as the majority of spam advertises some kind of product, whether it's cheap pharmaceuticals, illegal copies of software or other counterfeits. Just like any other e-commerce operation, the spammer requires "payment processing, merchant bank accounts, customer service and order fulfillment," according to the paper.
Based on three months of real spam data, researchers found that 13 banks were used to process 95 percent of the orders placed via spam messages. They also found that the spammers in the study fulfilled orders from 13 suppliers in four countries, suggesting a level of specialization among criminals.
Suppliers in Massachusetts, Utah and Washington specialized in herbal products, and in West Virginia and India, it was pharmaceuticals. Other suppliers were from China and New Zealand, the researchers found.
Researchers studied spam collected from captured botnets, spam feeds and URLs advertised in messages. Each message was categorized as counterfeit software, fake luxury goods or pharmaceuticals. Researchers also made more than 100 purchases from spammers to gather data about the payment and fulfillment side of their moneymaking operations.
"These 100 purchases were not a random sample; they were performed to maximize the number of different programs that we purchased from," Chris Kanich, a doctoral student in the University of California at San Diego computer science and engineering department and an author of the paper, said on security site Schneier on Security. Researchers carefully picked those 100 sites "after extensive clustering of tens of millions of domains received in hundreds of millions of different spam messages," Kanich said.
Researchers received transaction information for about three-quarters of the orders and found that nearly 95 percent of them were processed by 13 banks. The only bank in the United States that researchers came across was Wells Fargo. Most of the transactions were concentrated among three banks, the Azerigazbank in Azerbaijan, DnB NOR in Latvia and St. Kitts-Nevis-Anguilla National Bank in the Caribbean, the report found.
"Most herbal and replica purchases cleared through the same bank in St. Kitts ... while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia)," researchers wrote.
"This points to a fruitful avenue to reduce spam: go after the banks," security expert Bruce Schneier said. If spammers don't have access to merchant services from financial institutions, they can't finance their operations.
Apparently, even spammers are leery of running afoul of Visa's rules. Researchers found that all software orders and 85 percent of pharmaceutical orders used the correct "Merchant Category Code" to identify what was being sold.
"A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered 'laundering' high-risk goods," said the researchers.
Fifteen researchers from the University of California at Berkeley, the University of California at San Diego, the International Computer Science Institute and the Budapest University of Technology and Economics collaborated on the paper.