Spamonomics: a business model that can't go wrong

Unsolicited bulk email - spam - costs the world economy more than $25 billion a year and is becoming ever more sophisticated.

by Ron Condon, World Business
Last Updated: 23 Jul 2013

Open up your email inbox in the morning, and you can find yourself in a whole new world of fantastic offers and messages from people you didn't even know you knew. You may find you have won the Spanish lottery without ever buying a ticket. Or there may be a nice man in Liberia who wants to pay you lots of money to help him get his fortune out of the country. Others will be offering super deals on genuine Rolex watches or prescription drugs at low prices.

Then there are the banks that are updating their security and want to reconfirm your details with you. The strange thing is, you cannot recall having an account with Chase or JP Morgan. The Inland Revenue Service (of the US) also writes to inform you that you are entitled to a tax rebate.

All you need to do is fill in a few details. As a citizen of Britain, France or Spain, you may find this an extremely generous offer. And, of course, there are lots of other goodies waiting: the club that knows all the available (and willing) swingers in your area; the sure-fire share tip that will make you a fortune; the low-cost mortgage loan that will help you consolidate your debts.

Just one problem, of course: the messages are all scams and although some of them could just about qualify as email marketing for products that will actually be delivered, most of them are tricks to capture the personal details (and even take control of the computer) of the unwary.

We are talking about spam, unsolicited bulk email that is now reckoned to account for some 80% of all emails flowing over the internet today.

It is a problem that has been growing steadily over the past few years, and despite attempts to stem the tide, shows little sign of subsiding.

The term 'spam' was coined after a Monty Python sketch, where Vikings invade a British cafe, repeatedly demanding 'spam, spam, spam, spam' - a canned meat that at the time was a staple at such establishments. The unwanted messages pouring into your mailbox can have the same relentless feel about them. The internet is virtually free to use, making it the ideal vehicle for anyone with something to sell to a mass market. The population of the internet now exceeds a billion people and an increasing number of them are using broadband - a major factor in helping spam spread the world over.

According to David Stanley, European managing director for anti-spam company Ciphertrust, spam developed originally because it allowed people "to buy things online that they were perhaps too embarrassed to buy in a shop. But as the channel developed, it started to encourage bad behaviour."

Being cheap to use, the internet attracted anyone with a get-rich-quick scheme or dodgy products to shift - the same kind of businesses that fill the small ads in cheap newspapers or those that advertise on minority-interest cable TV channels. But on the internet, the numbers are that much bigger and the cost of doing business is coming down all the time.

Two years ago, if you knew where to look, you could buy the email addresses of 10 million people for $100 and you could hire a bulk emailing company to send out a million messages for $300. Now it is possible to pick up CDs with 10 million addresses for $10 and, according to one recent offer from a bulk emailing company, $499 will now buy you direct access to 41 million people, all of whom, it is claimed, have agreed to receive unsolicited messages.

Depending on what you're selling, therefore, a response rate of 0.001% can still make the exercise worthwhile. And not all spam is unwelcome - if you need Viagra or a cheap loan, then you may welcome the chance to buy discreetly. A recent market survey by security company Sophos found that 9% of people admitted to having bought products marketed via spam.

So the spammers know it is worth carrying on.

Seen in this light, spam could be viewed as merely an extension of direct mail and, as such, a minor nuisance. But the truth is very different.

First, there is the cost: according to the International Telecommunications Union, spam costs the world economy more than $25 billion a year - a figure made up of the wasted bandwidth carrying the messages and the time and money needed to block or manage it.

Second, the prospect of easy money and a low risk of getting caught have attracted all sorts of criminal elements, from cheap tricksters to organised crime. It means that spam is increasingly concerned with fraud and identity theft, and the methods used are becoming ever more sophisticated.

The rising tide of spam has turned the internet into a battleground.

On one side are the spammers, the bulk emailers, fraudsters and computer virus writers. On the other side, we have the anti-spam companies that produce software to block unwanted email, and a dedicated coterie of individuals who spend their waking hours trying to undermine the activities of spammers.

In his 2005 book Spam Kings, author Brian McWilliams paints a vivid picture of many of the characters involved on both sides of the divide as they struggled for supremacy during the early years of this decade. The spammers are, for the most part, poorly educated people with personality defects and in some cases a taste for ultra-right politics, says McWilliams. The anti-spam crowd are mainly US-based individuals, who have been on the receiving end of spam and don't like it.

He concludes that it is "furtive shoppers" who keep the spammer in business.

"The internet didn't invent plain brown-wrapper deliveries. But spam provides internet users with new levels of anonymous access to the dodgiest of items," he says. "By clicking on a hyperlink in a spam message, consumers can order cable descramblers (to watch paid-for TV channels without charge), 'free' government grants and fake diplomas. Thanks to junk email, any consumer has access to porn without the inconvenience of having to drive to their nearest adult bookstore. If email had been around during Prohibition, you can bet that spammers would have been selling moonshine."

For a more complete and up-to-date picture of spamming's big hitters, however, you have to visit the website of Spamhaus (www.spamhaus.org), an organisation that relies on donations from industry and individuals to wage its battle against spammers and for tighter regulation of email marketing. Operating from a houseboat on the River Thames near London, Spamhaus acts as a clearing-house for sightings of spam worldwide. It maintains a blacklist of known spammers and that list is used in real-time by many of the leading anti-spam products as a reference for deciding what mail to accept or reject.

Working on the principle of naming and shaming, Spamhaus lists the world's top 200 spammers, which, it says, account for 80% of all spam. The vast majority operate from the US, with others from Russia, Canada, Australia and Israel. This list is known as the Register of Known Spam Operators (ROKSO) and any visitor to the website is able to get full details about each of them, the kind of spam they send out, who they work with and where they operate from.

The 10 spammers with the highest ROKSO ratings get their own hall of fame, and this is where we get a sense of the darker side of the business and the criminal element. For example, the current leader is Alex Blood, aka Alex Polyakov, aka AlekseyB, aka Alexander Mosh from the Ukraine, who is linked to a well-known child porn spam ring, according to Spamhaus. Four others are from Russia, also with links to pornography. Two are from the US and the others are from Israel, Canada and Brazil.

But how can these people continue to operate when they are known and are on the Spamhaus blacklist? The answer is that they have found ways of disguising the origins of their emails and they have found ways of hijacking the PCs of unsuspecting users to help them do their work.

The trick works like this: they send out emails offering recipients a free game or a ringtone for their phone - just click on the website link to download it. When the unsuspecting user does just that, they also receive a secret payload of malicious code that lodges itself on the computer and waits for instructions from the person who sent it. The PC, which will usually have a permanent broadband connection to the internet, has effectively become a robot, capable of being controlled remotely, but without the knowledge of the owner.

All the top spammers specialise in extending their power by taking control of more and more such PCs. Some spammers control hundreds of thousands of robot or zombie machines (also known as 'bots'), which they can then organise as an army of machines (bot network or 'botnet') in order to churn out the massive volumes of email. Because the mails come from millions of different machines, it is far harder for anti-spam companies to block them.

"We are now seeing clear collaboration between different skill sets," says Ciphertrust's Stanley. "The rented zombie networks are more targeted and marketed. The quality of the spam, especially phishing emails (where the message purports to come from a trusted source, such as a bank), is tremendously high now. The landing pages (the false web pages) are well researched and written. It takes a variety of skills to produce the end-to-end operation - the virus, the botnet, the setting of the botnet, the social engineer (who designs the trick), the website, people stealing your details. Then you have the money coming out the back end that needs to be laundered."

Tom Gillis of security products provider IronPort agrees: "It is a colossal industry. About 90% of viruses are written not by malicious kids in the Philippines, but by professional engineers."

In one case last year, a Russian group found a novel way of keeping up its numbers of infected machines by recruiting other website owners to infect visitors to their sites. The group paid 6 cents per infection, a small price to keep their botnet growing.

When it comes to laundering their proceeds, they use spam emails or phoney job websites to recruit what they describe as 'money transfer agents' - people who will receive money into their bank accounts, which they then withdraw as cash and, for a small commission, send overseas, using remittance services such as Western Union or MoneyGram. For many people, it seems like easy money.

Several countries have attempted to frame legislation to stop unsolicited bulk emails. The US Can-Spam Act of 2003 was intended to stem the problem, but many people feel it did too many favours to the email marketing industry.

Spamhaus describes it as "a serious failure of the US government to understand the spam problem" by trying to regulate rather than ban spam. "By signalling to the world that spamming is now legal in the US, the US is inviting a tsunami of spam from Asia. By requiring that American citizens read through and respond to every spam to opt out of ever-more mailings they did not opt in to, we also believe that millions will find their addresses sold on as 'people who read spams' and will find themselves on yet more lists."

The position in Europe and Australia is much tighter, with recipients needing to 'opt in' to receive messages. But the internet is international and, as email management company MessageLabs says in its 2005 Annual Security Report, "spammer operations will further shift towards overseas markets where the legislation is difficult to enforce, or very weak; for example, Russia, China and Eastern Europe".

In any case, police forces have few resources to tackle this global trade; they have far more pressing crimes to solve. And according to Dave Jevans, head of the US-based Anti-Phishing Working Group (APWG), many of the banks are in denial about the effects of phishing attacks. The few successful prosecutions, he says, come when a large company devotes its own resources, lawyers and IT people to tracking down where the money goes and building a case for law enforcement to follow up.

The only real weapon against spam at the moment is anti-spam filters and educating users not to open suspicious emails. Dave Rand, chief technologist at security company Trend Micro, sounds an even more chilling warning.

One of the foundations of security on the internet - whether for e-commerce, trade or military secrets - is the encryption of data. Powerful encryption relies on computers not being fast enough to run through all the possible combinations to crack the code.

But someone with a botnet of several hundred thousand PCs has massive computing power at their disposal. "When you have virtually unlimited computing power, then encryption doesn't matter," says Rand. "To be frank, it scares the crap out of me."

If those controlling botnets spot that hole in the market, we might have to rethink how we use the internet altogether.

A DEFINITION OF SPAM

The word 'spam' as applied to email means Unsolicited Bulk Email (UBE). Unsolicited means that the recipient has not granted verifiable permission for the message to be sent. Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content. A message is spam only if it is both unsolicited and bulk. Spam is an issue about consent, not content. The content is irrelevant: if the message is sent unsolicited and in bulk, then the message is spam whether it is an advert, a scam, porn, a begging letter or an offer of a free lunch.

Source: Spamhaus.

TOP TYPES OF SPAM
1 Mortgages and loans 21%
2 Pornography 18%
3 Lottery/gambling 16%
4 Gift tokens 16%
5 Medication 12%
Source: Ipswitch.

HOW DO THEY KNOW MY EMAIL ADDRESS?

One of the most common techniques for acquiring email addresses is the 'directory harvest attack' where the spammer tries to guess names in a company. The attacker unleashes a program that sends email messages to thousands of possible addresses for a given domain (asmith@abc.com, bsmith@abc.com, ajones@abc.com and so on). Most addresses will be invalid and the mail server will reject them, but those that are not rejected can be assumed to be valid. Security company Tumbleweed recorded a 170% rise in such attacks between Q1 2005 and Q3 2005.
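A mail administrator can spot the pattern described above in the server's own logs: one client probing many unknown recipients in a short time. The following is an added example, not part of the original article; the log format, thresholds and function names are assumptions made for illustration, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified, hypothetical format (not a real MTA's):
# "<epoch-seconds> <client-ip> RCPT <address> <smtp-reply-code>"; 550 = user unknown
SAMPLE_LOG = """\
1000 203.0.113.7 RCPT asmith@abc.com 550
1001 203.0.113.7 RCPT bsmith@abc.com 550
1002 203.0.113.7 RCPT ajones@abc.com 250
1003 203.0.113.7 RCPT bjones@abc.com 550
1004 203.0.113.7 RCPT cjones@abc.com 550
1005 203.0.113.7 RCPT djones@abc.com 550
1010 198.51.100.20 RCPT ajones@abc.com 250
1400 198.51.100.20 RCPT ajonse@abc.com 550
1500 198.51.100.20 RCPT ajones@abc.com 250
"""

LINE = re.compile(r"^(\d+) (\S+) RCPT (\S+) (\d{3})$")

def parse(log):
    """Yield (timestamp, client_ip, recipient, reply_code) per well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), int(m.group(4))

def find_harvesters(log, window=60, min_unknown=5, min_reject_ratio=0.8):
    """Flag clients that hit >= min_unknown distinct unknown recipients within
    `window` seconds; 'exposed' lists addresses the probe confirmed as valid."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt, code in parse(log):
        by_ip[ip].append((ts, rcpt, code))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            span = events[start:end + 1]
            rejected = {r for _, r, c in span if c == 550}
            accepted = {r for _, r, c in span if 200 <= c < 300}
            total = len(rejected) + len(accepted)
            if len(rejected) >= min_unknown and len(rejected) / total >= min_reject_ratio:
                flagged[ip] = {"rejected": len(rejected), "exposed": sorted(accepted)}
                break
    return flagged
```

The second client in the sample mistypes one address over several minutes and is not flagged, which is the case the distinct-recipient count and time window are there to separate from a harvest run.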

1. BUY ADDRESSES

Buy a CD with 10 million addresses for $10; pay $499 for direct access to 41 million people, all of whom, it is claimed, have agreed to receive unsolicited messages.

2. TAKE CONTROL

Offer a free game or ringtone - just click on the link. When the user does just that, they also receive a secret malicious code, which sits on their computer, waiting for instructions. The PC has effectively become a robot, capable of being controlled remotely.

3. BULK EMAILS

Organise your 'bots' into armies of machines (bot networks, or 'botnets') in order to churn out massive volumes of emails. Optional extra: pay unscrupulous website owners to infect visitors to their sites.

4. LAUNDER THE PROCEEDS

Use spam emails or phoney job websites to recruit 'money transfer agents' - people who receive money into their bank accounts, withdraw it as cash and, for a small commission, send overseas, using remittance services such as Western Union or MoneyGram.
