Looking for cheap handbags, a knockoff Rolex or Canadian Viagra? Perhaps your reputation for honesty has attracted the attention of a wealthy Nigerian who needs your help transferring funds out of the country?
Odds are your e-mail account is brimming with such opportunities. On any given day, as much as 45 per cent to 75 per cent of the world’s inbound e-mail is classified as spam, according to various studies.
The few, naive folks who fall for spam solicitations are enough to fuel a multimillion-dollar business.
Seriously, does anyone actually respond to these often misspelled solicitations? Is there actually money being made by someone out there?
The answer is yes, and lots of it.
“When asked why he robbed banks, Willie Sutton famously responded, ‘Because that’s where the money is,’” wrote researchers at the University of California, San Diego, and the International Computer Science Institute at Berkeley in a study of spam-based advertising. “The same premise is frequently used to explain the plethora of unwanted spam that fills our inboxes, pollutes our search results and infests our social networks – spammers spam because they can make money at it.”
Over the course of two studies, the researchers delved into all manner of spam – e-mail, blog, Twitter, Facebook, forums and comment sections.
Prior estimates, they say, have been no more than “guesstimates,” ranging from $2-million per spam botnet (a mother ship of sorts for the swarm of virus-infected, hijacked computers used to do the dirty work of distributing spam) to very little money at all.
One often-cited claim, by the Russian Association of Electronic Communication, was that spammers earned roughly $125-million in 2009, a number assumed to have continued climbing. In the U.S., written Congressional testimony by AT&T’s chief security officer said cybercrime reaps “more than $1-trillion annually in illicit profits,” a figure skeptics pointed out would be well in excess of the entire software industry.
ICSI says that although the “security community is awash in the technical detail of new threats” it has been deficient in analyzing the economics. And so, with a feat of hacking jujitsu, the researchers in 2008 wormed their way into a botnet, an endpoint for a swarm of infected computers used to do the dirty work of spam. As they explain in the ensuing study, they “infiltrated its command and control infrastructure parasitically.” A URL crawler was used to follow the embedded links contained in real-time feeds of email spam. These efforts were integrated into a related study released last year.
What they discovered confirms the value of that age-old sales mantra, “volume, volume, volume.”
In the world of direct mail – the old-fashioned kind delivered to your mailbox – even a response rate of 1 per cent might be considered a success based on the volume sent and the revenue potential of each reply. The industry average is about 2.5 per cent, according to the U.S. Postal Service.
A slightly lower benchmark for response rates, 2.15 per cent, is offered by the Direct Mail Association. That trade organization says the cost to address, produce and deliver traditional mail campaigns to a thousand targets (the cost per mille, or CPM), rages from $250 to 1,000. It might cost, for example, $250,000 to send out a million solicitations, leading to 21,500 responses at a cost of $12 per prospect.
The cost of an e-mail campaign, however, is minuscule, and even a tiny yield of prospects can prove cost effective. As a bonus, the Storm botnet studied is a peer-to-peer botnet that propagates via spam (users are directed to a link that attacks with an executable program). The more spam sent, the more profits reaped.
The spambot surveillance found that, as many would suspect, pharmaceuticals and counterfeit software are common solicitations. Many of the drugs being offered fall into the category of “male enhancement”; a slate of more than 60 erectile dysfunction medications constituted 62 per cent of the underground marketplace. A broader inventory of 289 products included supposed anti-cancer drugs and asthma medication.
Five companies made up two-thirds of all sites advertised in the roughly 350 million distinct pharmaceutical spam URLS observed over three months in 2010. Three software companies dominated that market niche. Many in both fields tend to operate through affiliates who are paid on a commission basis (typically 40 per cent to 50 per cent of sales). Visa proved to be the “dominant payment method,” the study says, adding that “few accept MasterCard and even fewer still process American Express.”
The illicit server researchers glommed onto was pumping out nearly 1.7 trillion e-mails a year. Even with only about 30 per cent ever reaching an actual reader, the odds of finding a rube were pretty darn good. They concluded that a spamming botnet of the level they researched could earn its owners about $7,000 to $9,500 a day.
Those estimates are admittedly drawn from a small (1.5 per cent) fraction of the Storm network. After 26 days and almost 350 million e-mails, only 28 sales resulted, a conversion rate well under 0.00001 per cent. All but one sale was related to male enhancement products, and the average purchase price was around $100.
Assuming this sliver of the botnet universe is in line with the larger efforts of the botnet, a conservative estimate of revenue – which doesn’t even factor repeat sales – is $3.5-million a year. Self propagation adds 3,500 to 8,500 zombie computers to the cause each day.
In a spam-for-hire context, an enterprise of this sort would be offered to, for example, a disreputable drug reseller for a fee of between $100 to $500 per million e-mails sent. Power users might expect a bulk discount, perhaps 100 million e-mails per day for $10,000 per month.
Monthly spam statistics compiled by M86 Security Labs – a provider of malware prevention and content security products acquired last week by network and data security company Trustwave) – shows the current spam categories topping the charts: Pharmaceuticals accounted for 48.5 per cent of pitches, according to its survey of intercepted spam during the week ending March 18. It was followed by dating (23 per cent), replica retail products such as watches (19 per cent), diplomas (0.59 per cent), gambling (0.48 per cent), software (0.09 per cent) and finance (0.08 per cent). Even lower, surprisingly, was “adult” material, with a mere 0.04 per cent share.
India was the leader in terms of volume of spam originating from a country. It was followed by Indonesia, Russia, Vietnam and Pakistan.