|Click here for more of Dark Reading's Black Hat articles.|
Unethical affiliates are at the root of an inordinate number of ills perpetuated by the Internet's criminal element, acting as facilitators for scam companies selling drug knock-offs and botherders who bombard consumers with spam, according to Bradley Anstis, vice president of technical strategy for M86 Security.
Putting the screws to sketchy affiliate marketers may be one of the most effective means for fighting spam and botnets, Anstis says.
"Security research is going after botnet networks, and they're going after all those sorts of aspects of the cybercrime ecosystem. But affiliate programs can also have a pretty interesting effect on cybercrimes," Antsis says. "We're trying to raise awareness and understanding of affiliate programs so that when the researchers come across a dodgy or an iffy affiliate program, they can have some ideas on how to recognize it as such -- and then some ideas and suggestions as how to go after it."
Antsis has spent the last few years studying botnet networks, spammers and crooked "retail" operations. These bad guys are often tied to a smaller number of affiliate marketers who seem to do the logistical marketing management for scammers who don't know how to do it on their own.
"So [scammers] talk to the affiliate program, and the affiliate program is kind of the go-between organization, a middle-man between the spammers and the actual merchants," Anstis says.
Affiliate programs will design website templates for to hook customers after they click on an enticing spam message or online ad, Antsis explains. Scammers often pay big bucks to run advertising campaigns -- just like any legitimate marketer -- and the affiliate may even handle the order-fulfillment process. For their trouble, affiliates usually get a cut of the sales they generate.
Depending on the clients they represent and how legitimate their product claims are, these spam-happy affiliates sometimes operate just within the bounds of the law.
And sometimes they don't. Within the last few months, the FTC has been working on a multi-state lawsuit sting to punish a cluster of affiliates responsible for the ever-present 'belly fat ads' that have plagued the Internet for the better part of a year now. While the ad and general marketing scheme they use is the same, affiliates crib from one another to save on overhead, Anstis says. They also are pitching a wide range of other scam products, including acai-berry supplements as a diet miracle.
The FTC intervened because the affiliates involved were linking the ads to fake news sites and fake articles to enhance the sales pitch.
"Both the merchant and the affiliate can make money. Here's the problem," Steve Wernikoff, an FTC attorney, told the media in April when the FTC filed 10 lawsuits against affiliates and other firms mixed up in the acai-berry scam. "Sometime affiliates are willing to cross the line to generate the sale."
While the FTC is making some noise, there are many affiliates that get away with their exploits, Anstis observes. The security research community might be able to help -- Anstis points to the shutdown of the notorious affiliate Spamit last year due to negative pressure from a variety of security outfits and other interested people. He hopes security professionals can keep up the pressure.
"The piece that really nailed it for us was the closure of Spamit last year, in which we saw the volume of spam plummet overnight," Anstis says. "Rustock just went completely dead, and those spam volumes haven't recovered to the volumes they were at before. The closure was the single biggest impact on spam volumes in the last four years."
Have a comment on this story? Please click "Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.