Spam Campaigns Work, But Don't Generate Big Profits

University study says botnet-borne spam is effective, but profits are likely marginal

It's a question all computer users ask from time to time, as we delete yet another advertisement that has squeaked past our spam filters:

Does anybody really buy this stuff?

A group of California university researchers last week published a research paper that attempts to answer this very question. In a detailed study on spam conversion rates (PDF), the researchers tested the ability of the well-known Storm botnet to deliver advertisements and "convert" the recipients into paying customers.

The researchers found that, yes, there are people who buy products from spam ads, and, yes, it is possible to make money from spam campaigns. But they also found that the potential profit from a successful campaign may not be nearly as high as some pundits have speculated.

In a series of experiments, the researchers set out to determine just how much money could be made by sending spam. Their first problem was overcoming the ethical question of how to do a spam study without actually adding to the huge volume of spam on the Web -- or actually selling an illegal product.

That's why researchers decided to infiltrate Storm. "[We] convinced it to modify a subset of the spam it already sends, thereby directing any interested recipients to servers under our control, rather than those belonging to the spammer," the paper says. "In turn, our servers presented Websites mimicking those actually hosted by the spammer, but 'defanged' to remove functionality that would compromise the victim's system."

Using this approach, the researchers documented three spam campaigns comprising more than 469 million email messages. They determined how much of the spam is successfully delivered, how much is filtered by antispam tools, and how many users clicked through to the advertised site. They also set up processes for the illegal sale of pharmaceuticals and the download of malware, creating errors at the very end of the process so that no final sales could be completed and no malware was actually distributed.

Having infiltrated Storm and set up three ethical experiments, the researchers measured the results. The first test was an online pharmacy that offered several different kinds of drugs. In this test, the researchers observed the transmission of nearly 350 million spam messages. They estimate that approximately 24 percent (more than 82 million) reached the mail systems of the recipients, though they could not tell how many actually reached the destination mailbox.

Of the delivered messages, about 10,500 resulted in a user clicking over to the destination Website, the paper says. Only 28 users went through the process required to purchase a drug; all but one of the sales were for a male enhancement product. The average sale was about $100.

Extrapolating the results mathematically, the researchers estimate that a pharmaceutical spammer using the full bandwidth of the Storm botnet for a single campaign might hope to make between $7,000 and $9,500 per day, or about $3.5 million a year. If the revenue was split between the spammer and the botnet operator, the income would be significantly lower for each. "This number could be higher if spam-advertised pharmacies experience repeat business -- a bit less than the 'millions of dollars every day' [estimated by some experts], but still a healthy business," the study says.

However, the researchers also extrapolated possible costs associated with maintaining the botnet and executing the campaign, estimating that the retail cost of sending 350 million email messages would be more than $25,000. This suggests that renting a botnet may not be a very profitable pursuit, and that the operators of Storm may actually be doing much of the spamming themselves, the paper postulates.

Experiments with sending "postcard" spam and malware yielded similar results in delivery -- about 25 percent reached the target email system -- and slightly higher percentages of click-through. The postcard "attack" was sent to nearly 84 million addresses and successfully "infected" 316 recipients. The malware attack was sent to approximately 40 million addresses and infected 225.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.