Illegal Spam Firms Run Like Legitimate Businesses

Spam operations are run like legal business enterprises and rely on banks’ merchant services to function

Cyber-criminals are running their malware and spam operations like a business, security researchers said.

The nature of cyber-crime has changed from a few years ago. Cyber-criminals often have ties to organised crime and are not just script kiddies messing around in the basement. The evolution means the criminal enterprise has similar infrastructure requirements and business concerns as a legitimate company, according to Derek Manky, a threat researcher at Fortinet.

Staffing And Payroll Issues

A “crimeware syndicate” relies on a team of “employees”, such as affiliate partners and ground-level forces who push malware onto unsuspecting victims, according to Manky. The syndicate also has to manage the money coming in, track the volume of malware distributed and meet payroll, Manky found.

A recent research paper, presented at the IEEE Symposium on Security and Privacy in California, highlighted another aspect of the cyber-criminals’ business. Instead of focusing on how spam is distributed, the researchers decided to “follow the money” for global spam.

“While most attention focuses on the problem of spam delivery, the email vector itself comprises only the visible portion of a large, multifaceted business enterprise,” the researchers wrote.

The spam “business” actually has many other parts beyond the botnets that flood users’ inboxes with spam messages. Attackers also have to consider domain registration, name server provisioning, hosting services and proxy services to set up the attack portal.

Spammers also process orders, as the majority of spam advertises some kind of product, whether it is cheap pharmaceuticals, illegal copies of software or other counterfeits. Just like any other e-commerce operation, the spammer requires “payment processing, merchant bank accounts, customer service and order fulfilment”, according to the paper.

Specialised And Focused On 13 Banks

Based on three months of real spam data, researchers found that 13 banks were used to process 95 percent of the orders placed via spam messages. They also found that the spammers in the study fulfilled orders from 13 suppliers in four countries, suggesting a level of specialisation among criminals. Suppliers in Massachusetts, Utah and Washington specialised in herbal products and, in West Virginia and India, it was pharmaceuticals. Other suppliers were from China and New Zealand, the researchers found.

Researchers studied spam collected from captured botnets, spam feeds and URLs advertised in messages. Each message was categorised as counterfeit software, fake luxury goods or pharmaceuticals. Researchers also made more than 100 purchases from spammers to gather data about the payment and fulfilment side of their moneymaking operations.

“These 100 purchases were not a random sample – they were performed to maximise the number of different programmes that we purchased from,” Chris Kanich, a doctoral student in the University of California at San Diego computer science and engineering department and an author of the paper, said on security site Schneier on Security. Researchers carefully picked those 100 sites “after extensive clustering of tens of millions of domains received in hundreds of millions of different spam messages”, Kanich said.

Researchers received transaction information for about three-quarters of the orders, and it was from that data that they found nearly 95 percent of the orders were processed by 13 banks.

“Go After The Banks”

The only bank in the United States that researchers came across was Wells Fargo. Most of the transactions were concentrated among three banks, the Azerigazbank in Azerbaijan, DnB NOR in Latvia and St Kitts-Nevis-Anguilla National Bank in the West Indies, the report found.

“Most herbal and replica purchases cleared through the same bank in St Kitts… while most pharmaceutical affiliate programmes used two banks (in Azerbaijan and Latvia), and software was handled entirely by two banks (in Latvia and Russia),” researchers wrote.

“This points to a fruitful avenue to reduce spam: go after the banks,” security expert Bruce Schneier said. If spammers do not have access to merchant services from the financial institution, then they cannot finance their operations.

Apparently, even spammers are leery of running afoul of Visa’s rules. Researchers found that all software orders and 85 percent of pharmaceutical orders used the correct Merchant Category Code to identify what was being sold.

“A key reason for this may be the substantial fines imposed by Visa on acquirers when miscoded merchant accounts are discovered ‘laundering’ high-risk goods,” said the researchers.

Fifteen researchers from University of California at Berkeley, University of California at San Diego, the International Computer Science Institute and the Budapest University of Technology and Economics collaborated on the paper.