Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Spam Campaigns Work, But Don't Generate Big Profits

University study says botnet-borne spam is effective, but profits are likely marginal

It's a question all computer users ask from time to time, as we delete yet another advertisement that has squeaked past our spam filters:

Does anybody really buy this stuff?

A group of California university researchers last week published a research paper that attempts to answer this very question. In a detailed study on spam conversion rates (PDF), the researchers tested the ability of the well-known Storm botnet to deliver advertisements and "convert" the recipients into paying customers.

The researchers found that, yes, there are people who buy products from spam ads, and, yes, it is possible to make money from spam campaigns. But they also found that the potential profit from a successful campaign may not be nearly as high as some pundits have speculated.

In a series of experiments, the researchers set out to determine just how much money could be made by sending spam. Their first problem was overcoming the ethical question of how to do a spam study without actually adding to the huge volume of spam on the Web -- or actually selling an illegal product.

That's why researchers decided to infiltrate Storm. "[We] convinced it to modify a subset of the spam it already sends, thereby directing any interested recipients to servers under our control, rather than those belonging to the spammer," the paper says. "In turn, our servers presented Websites mimicking those actually hosted by the spammer, but 'defanged' to remove functionality that would compromise the victim's system."

Using this approach, the researchers documented three spam campaigns comprising more than 469 million email messages. They determined how much of the spam is successfully delivered, how much is filtered by antispam tools, and how many users clicked through to the advertised site. They also set up processes for the illegal sale of pharmaceuticals and the download of malware, creating errors at the very end of the process so that no final sales could be completed and no malware was actually distributed.

Having infiltrated Storm and set up three ethical experiments, the researchers measured the results. The first test was an online pharmacy that offered several different kinds of drugs. In this test, the researchers observed the transmission of nearly 350 million spam messages. They estimate that approximately 24 percent (more than 82 million) reached the mail systems of the recipients, though they could not tell how many actually reached the destination mailbox.

Of the delivered messages, about 10,500 resulted in a user clicking over to the destination Website, the paper says. Only 28 users went through the process required to purchase a drug; all but one of the sales were for a male enhancement product. The average sale was about $100.

Extrapolating the results mathematically, the researchers estimate that a pharmaceutical spammer using the full bandwidth of the Storm botnet for a single campaign might hope to make between $7,000 and $9,500 per day, or about $3.5 million a year. If the revenue was split between the spammer and the botnet operator, the income would be significantly lower for each. "This number could be higher if spam-advertised pharmacies experience repeat business -- a bit less than the 'millions of dollars every day' [estimated by some experts], but still a healthy business," the study says.

However, the researchers also extrapolated possible costs associated with maintaining the botnet and executing the campaign, estimating that the retail cost of sending 350 million email messages would be more than $25,000. This suggests that renting a botnet may not be a very profitable pursuit, and that the operators of Storm may actually be doing much of the spamming themselves, the paper postulates.

Experiments with sending "postcard" spam and malware yielded similar results in delivery -- about 25 percent reached the target email system -- and slightly higher percentages of click-through. The postcard "attack" was sent to nearly 84 million addresses and successfully "infected" 316 recipients. The malware attack was sent to approximately 40 million addresses and infected 225.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
State of SMB Insecurity by the Numbers
Ericka Chickowski, Contributing Writer,  10/17/2019
Tor Weaponized to Steal Bitcoin
Dark Reading Staff 10/18/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-22
The freshmail-newsletter plugin before 1.6 for WordPress has shortcode.php SQL Injection via the 'FM_form id=' substring.
PUBLISHED: 2019-10-22
The ad-inserter plugin before 1.5.3 for WordPress has CSRF with resultant XSS via wp-admin/options-general.php?page=ad-inserter.php.
PUBLISHED: 2019-10-22
The wps-hide-login plugin before 1.1 for WordPress has CSRF that affects saving an option value.
PUBLISHED: 2019-10-22
The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive.
PUBLISHED: 2019-10-22
The Exquisite Ultimate Newspaper theme 1.3.3 for WordPress has XSS via the anchor identifier to assets/js/jquery.foundation.plugins.js.