The spam ecosystem.
What’s the News: Every day spammers are thinking up new ways to offer you “vIaGrA,” whether you have any interest or not, and spam filters have a tough time keeping up. Researchers studying what they call the “spam ecosystem” have outlined the processes and services spammers use in committing their nefarious deeds—going as far as to actually buy stuff in order to identify what banks they use—in hopes of finding new bottlenecks where regulators can disrupt spammers’ business model. Their findings? Hit ‘em where it hurts: their bank accounts.
How the Heck:
The study, which was presented at the IEEE Symposium on Security and Privacy, examines the different levels of infrastructure spammers use, from site hosting to advertising to processing payment. The team collected information about spammers from hundreds of emails, unpicked the elaborate food chains that make the business model possible, and bought goods from some of them (somewhat surprisingly, they actually got most of what they ordered).
It’s not hard for spammers to change their IP addresses or get new domain names once email programs block them, the researchers note. It only takes a few hours, at most, and a few bucks. But there aren’t that many banks willing to do spammers’ dirty business: the study found that 95% of the spammers examined used just three banks: DnB Nord of Latvia, St. Kitts & Nevis Anguilla National Bank and Azerigazbank (Wells Fargo was also implicated). And getting a new account set up can take days and may be difficult once a company’s been banned.
The Future Holds:
Clamping down on spammers’ bank accounts would definitely hamper their efforts. But spammers shunt those who click on their links through a labyrinthine system of IP addresses in different countries (see image above) and have banks based in various places. This would make it difficult to navigate the maze of laws governing spam, especially as not all countries have legislation concerning it.
Instead, the researchers suggest that regulators could cut off spammers’ income by setting restrictions on users’ own cards, which are overwhelmingly based in the United States. Visa and Mastercard, they posit, could automatically refuse to settle any payment to a bank account of a known spammer. While this idea raises a number of issues (civil liberties, for one), the researchers point out that such restrictions already exist to keep people from making some kinds of payments in online gambling.
Reference: K. Levchenko, N. Chachra, B. Enright, M. Félegyházi, C. Grier, T. Halvorson, C. Kanich, C. Kreibich, H. Liu, D. McCoy, A. Pitsillidis, N. Weaver, V. Paxson, G. M. Voelker, and S. Savage. Click Trajectories: End-to-End Analysis of the Spam Value Chain. Proceedings of IEEE Symposium on Security & Privacy 2011.
Image credit: Levchenko et al.