When Microsoft slayed the notorious botnet Rustock, which had been sending as much as 40 percent of all spam worldwide, in March 2011, it forced the volume of spam into a decline from which it has never fully recovered.
But while spammers lost a major weapon in their arsenal with the Rustock seizure, they have proven adept at changing their tactics. In the last few years, security experts say, spammers have embraced more sophisticated means of tricking users into following links. They have also followed users from email onto social networks.
At its peak in late 2008, spam accounted for more than 90 percent of all email sent in the world, with more than 5 trillion spam messages sent each week. In 2011, spam accounted for about 75 percent of email with roughly 294 billion messages a week, according to Symantec’s 2011 Internet Security Threat Report.
Spammers have seen their incomes fall since boom times, but the major players can still make a million dollars a year from each major advertising client, according to Stefan Savage, a University of California San Diego computer scientist whose research into pharmaceutical spam has provided some of the most concrete information available about the underground spam economy.
Of course, in the spam world, as in the real world, not everybody is a big dog.
“There are a small number of people who make a lot of money and then it drops off precipitously,” said Savage.
The money lining spammers’ pockets comes from average people who give in to the temptation to buy cut-rate Viagra, or a fake Rolex, or perhaps a discounted cancer drug that they can’t afford any other way. In most cases, spam experts say, the suckers receive a product — it may or may not work, but they do get something in the mail. About three quarters of all spam messages promote real products.
A spammer gets a 35-50 percent commission for each purchase made on a website that comes via a custom link that identifies him or her as the source of traffic. The spammer generally commandeers more of the profit than the seller, according to Savage. In order to make such an arrangement, the product must have a high profit margin to begin with, which explains why unlicensed generic drugs, pornography, pirated software and casinos are popular topics of spam email.
To send out his messages, a spammer uses a stockpile of bogus email accounts he and his associates have hacked into or created for the purpose. They might also purchase valid accounts. The going rate, according to Savage’s research, is 1 cent for a Hotmail account and 7 cents for a Gmail account. Spammers organize such transactions on underground forums such as BlackHatWorld, over Internet relay chat, or even on mainstream websites like Freelance.com.
Spammers also often purchase lists of would-be recipients’ email addresses. Cybercriminals gather these addresses using key logging software on infected computers or by scraping them out of a compromised database on another website. They may download PDFs that contain addresses and pay lackeys to enter them into a database. A tried and true technique involves crawling the Web in search of email addresses. The least sophisticated technique is simply to guess: A common name at any domain will probably work, for example.
An A-list spammer likely controls his own botnet using a server called a command-and-control center. If a spammer doesn’t control a botnet, he will have to rent one to fire off his emails.
“Botnets are the ultimate tools of trade in the cyber-crime ecosystem and are capitalized in many ways, but what’s common is the fact that the botmasters always get the lion’s share,” Catalin Cosoi, chief security researcher at BitDefender, said in an email interview.
The same botnet may simultaneously be launching another spam attack or, if the botmaster permits it, distributing malware. Spammers who are willing to tolerate the increased risk of arrest that dealing in malware brings, may load malware programs or links to infectious websites into the same email they are sending with an advertisement.
Researchers don’t often get to peek into spammers’ diffuse and well-hidden operations. A few instances in which they managed to do so suggest that for every 10 million spam emails sent out, more than 7.5 million are rejected at the ISP level. At least 2.45 million are blocked by email systems’ spam filters. (All of the major filters enjoy success rates higher than 98 percent.) Just 50,000 emails reach a user. At best half of those are opened. Roughly 300 people click on a link, and just 55 buy something. A spammer would make more than US$2,000 from those clicks, though. A phenomenal success would consist of getting two percent of the email’s recipients to click on a link.
Volume is so key for commercial email spam that the technique is called “spray and pray,” said Chester Wisniewski, a senior security advisor at Sophos.
Malware gets more attention than commercial spam because it ostensibly causes more damage. But it makes up just 3 percent of all email and largely plays a supporting role to commercial spam. By bringing more computers into the botnet, it provides the firepower to send all those commercial emails.
When Microsoft destroyed Rustock, spammers lost control of a huge network of unknown size (estimates ranged from about 850,000 to more than 2 million infected computers). In the months following the take-down, the percentage of spam emails carrying malware, not including messages that pushed users to links that would deliver it, rose significantly according to Eric Park, an abuse analyst at Symantec. The trend suggested that spammers were endeavoring to regain the firepower they’d lost.
Because malware plays the vital role of “botting” more machines, the spammers devote their craftiest messages to it. Significant innovation has occurred in this area, possibly as a result of increased pressure on the command-and-control centers from law enforcement and companies, including Microsoft, filing civil actions.
Gone are the days of misspellings and amateur graphics. The emails are timely, often alluding to current events. They also cleverly play on human psychology to ensure a click-through to the website that downloads the malware. One email purporting to come from the U.S. Postal Service notifies you of a package sent using a label charged to your credit card. The recipient will want to track down the payment and obtain a refund, but the link simply promises to provide more information.
Spammers are also increasingly using social networks like Facebook and Twitter to drive users to their advertisements. Paul Judge, Barracuda’s chief research officer, said the reason was simply “more eyeballs.”
Say a spammer has the maximum of 5,000 friends on Facebook. If he uploads a photo and tags it with the maximum of 50 people, Judge said, he can reach 250,000 people with a single photo and accompanying link — five times more views than result from 10 million email messages.
But in some ways the problem of spam on social networks is more intrinsic than that. The sites’ core function is to bring more people together and to share their opinions. The social networks make it easy to join and easy to share content. In fact, the URL (unique resource locator) shorteners that have sprung up to further ease sharing on social networks have been a boon to spammers because they create multiple links to the same page while concealing the domain name.
Spammers have created an account — and Judge cited estimates that as many as 30 percent of Facebook accounts are fakes that belong to spammers — they can buy a Twitter follower for 2 cents, a Facebook friend for 3 cents or a “like” for 4 cents. Facebook accounts are also not infrequently hacked, allowing the spammer to fabricate a public recommendation of his product from the account holder.
According to Chris Grier, a computer scientist at the University of California at Berkeley who researches spam on social networks, the number of social spammers continues to grow, suggesting that they are making money.
The new cohort of spammers is not yet established enough to run their operations on botnets, said Grier. But security companies have seen some botnets repurposed to run this kind of spam. Malware is relatively rare, largely because the social networks take more aggressive action against it than they do commercial spam.
Experts say social networking sites are already getting more serious about spam. Facebook recently announced a partnership with several security companies that would give users access to free antivirus software for six months. And Twitter recently brought legal action against commercial spammers on its platform.
The evolution is a familiar one. Web email providers like Hotmail were initially hostile to security companies’ overtures to help with spam, said Wisniewski of Sophos. But when the problem began to hurt their bottom line, they began working opening up to the companies. He expects Facebook and Twitter will act more and more aggressively against spam if it begins to drive users away.
But Grier offered the flip side of the comparison to email spam.
“As the defenses get better, we’ll see more sophisticated tools. We’ll see the same sort of evolution on social networks” that we did on email.
Which means users could be in for a long ride.
Cameron Scott covers search, web services and privacy for The IDG News Service. Follow Cameron on Twitter at CScott_IDG.