Spam or Scam: How Do They Make Money?

November 14, 2008

Spam messages touting everything from enhanced sexual performance to stock tips clog our daily in-boxes. Current estimates are that over 120 billion spam messages are now sent each day. Some, like the Nigerian money scam, even promise millions just a few clicks away. Ever wonder how these companies stay in business if everyone knows they are scams? A recent empirical study determined that, while almost everyone ignores such obvious spam messages, it only takes an extremely minute percentage of suckers to turn a profit.

Computer scientists at UC Berkeley and UC San Diego recently conducted a unique study of the spamming industry. In order to measure the effectiveness of spamming programs, they in effect went into business as spammers themselves. Setting up a phony pharmaceutical site selling “Viagra” and other male enhancement products, they infiltrated a portion of a worldwide spamming software botnet called “Storm.” Botnets are robotic software distribution networks that spread through captured email programs. “Storm” is a large botnet discovered in early 2007 that has captured an unknown number of PCs (estimates have ranged from 20,000 to over one million) whose address books are then copied. The researchers were able to insinuate themselves into one small portion of this particular botnet and use it to spread their phony site.

Using the Storm botnet for 26 days, the scientists were able to send out 350,000,000 emails touting their online pharmacy. Due to factors such as invalid addresses and blacklists, only 82,700,000 emails made it to computers. Spam filters further reduced this number significantly (though that effect was harder to measure). Of those emails making it to a person’s in-box, 10,522 users clicked on the link and visited the fake pharmacy. Twenty-eight people initiated a purchase averaging $100. At this point, the pharmacy returned an error message, thus preventing the researchers from actually obtaining names and personal credit card information. This came to a daily income of $140 for the campaign. Since the infiltration amounted to only 1.5 percent of the overall Storm network, this translates to a potential revenue of $3.5 million a year for an internet pharmaceutical company using Storm for spam marketing.

In another portion of the study, the researchers used their Storm infiltration to determine how many PCs they could capture to propagate further spam. They sent out 82 million emails advising recipients that someone had sent them a postcard, which could only be viewed by downloading the “postcard” software. Extrapolating their results, they estimate that Storm self-propagation campaigns can recruit between 3,500 and 8,500 new computers a day.

Analyzing spam filters and geographical distribution of their results, they concluded that the quality of spam filtering and general anti-spam education were the largest factors driving response rates down. For some reason, American users seemed most susceptible to the postcard scheme, while French users were most susceptible to the male enhancement scheme. Perhaps the French aren’t better lovers after all.