Application security, Malware, Phishing

Study: Spammer profits could dwindle

Third-party spam distributors are not large or efficient enough to produce competitive pricing, meaning that profitable spam campaigns require large organizations that can assemble comprehensive teams.

That finding comes from researchers led by Stefan Savage, an associate professor at the University of California, San Diego. The findings were embodied in a paper presented recently at the ACM Conference on Computer and Communications Security in Arlington, Va.

“Put another way, the profit margin for spam may be meager enough that spammers must be sensitive to the details of how their campaigns are run and [that they] are economically susceptible to new defenses," the paper concludes.

To some extent, that could mean that anti-spam efforts are having effect, according to the paper.

"I'd say that it might mean [efforts are paying off], but it's probably early to make a concrete determination,"
Savage told SCMagazineUS.com.

In their study, the researchers set up a number of ways to measure the response to spam campaigns, including setting up dummy sites where would-be victims were routed. No actual purchases were made -- the “traps” returned a site error message when these customers tried to pay for any goods. The researchers wanted to make it clear that they did not send the spam, just measured its impact.

"We neither sent spam, caused new spam to be sent, nor increased the amount or kind of spam that was already being sent," Savage said. "Our sole impact was to confuse the botnet into replacing the URL it meant to append to some of the spam it was already sending with a URL of our choosing."

After 26 days, and almost 350 million e-mail messages, only 28 sales resulted — a conversion rate of under 0.00001 percent. Of these, all but one were for male-enhancement products, and the average purchase price was close to $100.

 

According to the research, “Taken together, these conversions would have resulted in revenues of $2,731.88 —a bit over $100 a day for the measurement period or $140 per day for periods when the campaign was active.”

Of course, the study used only a small fraction of the overall campaign network. Thus, the total daily revenue attributable to one of the ploys was probably closer to $9,500 during periods of its activity. But, the researchers saidthe botnet's self-propagation campaigns can produce between 3,500 and 8,500 new bots per day, which can be considered an asset to herders. 

"In the paper we're very explicit that this is just one measurement of a few campaigns and may not generalize, and further, that any extrapolations should be taken with a grain of salt," Savage said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.