05:50 PM

Spam Campaigns Work, But Don't Generate Big Profits

University study says botnet-borne spam is effective, but profits are likely marginal

It's a question all computer users ask from time to time, as we delete yet another advertisement that has squeaked past our spam filters:

Does anybody really buy this stuff?

A group of California university researchers last week published a research paper that attempts to answer this very question. In a detailed study on spam conversion rates (PDF), the researchers tested the ability of the well-known Storm botnet to deliver advertisements and "convert" the recipients into paying customers.

The researchers found that, yes, there are people who buy products from spam ads, and, yes, it is possible to make money from spam campaigns. But they also found that the potential profit from a successful campaign may not be nearly as high as some pundits have speculated.

In a series of experiments, the researchers set out to determine just how much money could be made by sending spam. Their first problem was overcoming the ethical question of how to do a spam study without actually adding to the huge volume of spam on the Web -- or actually selling an illegal product.

That's why researchers decided to infiltrate Storm. "[We] convinced it to modify a subset of the spam it already sends, thereby directing any interested recipients to servers under our control, rather than those belonging to the spammer," the paper says. "In turn, our servers presented Websites mimicking those actually hosted by the spammer, but 'defanged' to remove functionality that would compromise the victim's system."

Using this approach, the researchers documented three spam campaigns comprising more than 469 million email messages. They determined how much of the spam is successfully delivered, how much is filtered by antispam tools, and how many users clicked through to the advertised site. They also set up processes for the illegal sale of pharmaceuticals and the download of malware, creating errors at the very end of the process so that no final sales could be completed and no malware was actually distributed.

Having infiltrated Storm and set up three ethical experiments, the researchers measured the results. The first test was an online pharmacy that offered several different kinds of drugs. In this test, the researchers observed the transmission of nearly 350 million spam messages. They estimate that approximately 24 percent (more than 82 million) reached the mail systems of the recipients, though they could not tell how many actually reached the destination mailbox.

Of the delivered messages, about 10,500 resulted in a user clicking over to the destination Website, the paper says. Only 28 users went through the process required to purchase a drug; all but one of the sales were for a male enhancement product. The average sale was about $100.

Extrapolating the results mathematically, the researchers estimate that a pharmaceutical spammer using the full bandwidth of the Storm botnet for a single campaign might hope to make between $7,000 and $9,500 per day, or about $3.5 million a year. If the revenue was split between the spammer and the botnet operator, the income would be significantly lower for each. "This number could be higher if spam-advertised pharmacies experience repeat business -- a bit less than the 'millions of dollars every day' [estimated by some experts], but still a healthy business," the study says.

However, the researchers also extrapolated possible costs associated with maintaining the botnet and executing the campaign, estimating that the retail cost of sending 350 million email messages would be more than $25,000. This suggests that renting a botnet may not be a very profitable pursuit, and that the operators of Storm may actually be doing much of the spamming themselves, the paper postulates.

Experiments with sending "postcard" spam and malware yielded similar results in delivery -- about 25 percent reached the target email system -- and slightly higher percentages of click-through. The postcard "attack" was sent to nearly 84 million addresses and successfully "infected" 316 recipients. The malware attack was sent to approximately 40 million addresses and infected 225.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.