Spammers Require Banks, Suppliers, Staff to Run Illegal Trade: Researchers

Researchers analyzing spam operations found that they are run like any other business, albeit an illegal one, and rely on banks' merchant services to function.

Cyber-criminals are running their malware and spam operations like a business, security researchers said.

The nature of cyber-crime has changed from a few years ago. Cyber-criminals often have ties to organized crime and are not just script kiddies messing around in the basement. The evolution means the criminal enterprise has similar infrastructure requirements and business concerns as a legitimate company, according to Derek Manky, a threat researcher at Fortinet.

A "crimeware syndicate" relies on a team of "employees," such as affiliate partners and ground-level forces who push malware onto unsuspecting victims, according to Manky. The syndicate also has to manage the money coming in, the amount of malware distributed and meeting payroll, Mankey found.

A recent research paper presented at the IEEE Symposium on Security and Privacy in Oakland, Calif., highlighted another aspect of the cyber-criminals' business. Instead of focusing on how spam is distributed, the researchers decided to "follow the money" for global spam.

"While most attention focuses on the problem of spam delivery, the email vector itself comprises only the visible portion of a large, multifaceted business enterprise," the researchers wrote.

The spam "business" actually has many other parts beyond the botnets that flood user in-boxes with spam messages. Attackers have to also consider domain registration, name server provisioning, hosting services and proxy services to prepare the attack portal.

Spammers also process orders, as the majority of spam advertises some kind of product, whether it's cheap pharmaceuticals, illegal copies of software or other counterfeits. Just like any other e-commerce operation, the spammer requires "payment processing, merchant bank accounts, customer service and order fulfillment," according to the paper.

Based on three months of real spam data, researchers found that 13 banks were used to process 95 percent of the orders placed via spam messages. They also found that the spammers in the study fulfilled orders from 13 suppliers in four countries, suggesting a level of specialization among criminals.

Suppliers in Massachusetts, Utah and Washington specialized in herbal products, and in West Virginia and India, it was pharmaceuticals. Other suppliers were from China and New Zealand, the researcher found.

Researchers studied spam collected from captured botnets, spam feeds and URLs advertised in messages. Each message was categorized as counterfeit software, fake luxury goods or pharmaceuticals. Researchers also made more than 100 purchases from spammers to gather data about the payment and fulfillment side of their moneymaking operations.

"These 100 purchases were not a random sample-they were performed to maximize the number of different programs that we purchased from," Chris Kanich, a doctoral student in the University of California at San Diego computer science and engineering department and an author of the paper, said on security site Schneier on Security. Researchers carefully picked those 100 sites "after extensive clustering of tens of millions of domains received in hundreds of millions of different spam messages," Kanich said.

Researchers received transaction information for about three-quarters of the orders and found that nearly 95 percent of them were processed by 13 banks. The only bank in the United States that researchers came across was Wells Fargo. Most of the transactions were concentrated among three banks, the Azerigazbank in Azerbaijan, DnB NOR in Latvia and St. Kitts-Nevis-Anguilla National Bank in the Caribbean, the report found.

"Most herbal and replica purchases cleared through the same bank in St. Kitts ... while most pharmaceutical affiliate programs used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia)," researchers wrote.

"This points to a fruitful avenue to reduce spam: go after the banks," security expertBruce Schneier said. If spammers don't have access to merchant services from the financial institution, then they can't finance their operations.

Apparently, even spammers are leery of running afoul of Visa's rules. Researchers found that all software orders and 85 percent of pharmaceutical orders used the correct "Merchant Category Code" to identify what was being sold.

"A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered 'laundering' high-risk goods," said the researchers.

Fifteen researchers from University of California at Berkeley, University of California at San Diego, the International Computer Science Institute and the Budapest University of Technology and Economics collaborated on the paper.