Bradley Anstis, VP technical strategy, M86 Security

We have recently seen the progress that security vendors and law enforcement have made in the fight against spammers and cybercrime, including actions to take down botnets and arrest criminal gangs.

All this has been progress, but one can't help but think that we are targeting the foot soldiers, whereas it might be more effective to go after a common denominator.

Affiliate programs are the financial middle men between vendors looking to push their products and marketing companies looking to advertise and promote these offerings.

Legitimate affiliate programs do exist, such as those offered by companies like Amazon.

And then there are illegitimate affiliate programs offered by companies such as SpamIt.

A perfect example of an affiliate program is how botnet operators typically get paid for the spam they send. First, there is the merchant who wants to sell their products, for example a company like Canadian Pharmacy, and then there is the publisher or spammer. The network connecting these two parties is the affiliate program, such as SpamIt, and finally there are the customers, or, in this case, the spam victims.

When Canadian Pharmacy wants to sell its products, it contacts the affiliate program and provides members with email templates of what they would like to see marketed. SpamIt passes these templates, which often include the lists of email addresses to be spammed, to junk mailers who are members of their affiliate program. Each spammer is allocated a unique referral code to insert into the URL link of their spam message.

When a spam victim or customer clicks on a URL link in the unsolicited message and purchases a product from the merchant, Canadian Pharmacy knows which spammer to credit the sale to. The merchants typically pay a percentage of the sale to the affiliate program, which is passed on to the spammer, with the affiliate program taking a cut from this payment.

Another example of illegitimate affiliate programs is pay-per-install programs, commonly seen pushing fake anti-virus. In this scenario, a scammer is paid by the number of successful installations of software.

Ya!Bucks is a good example of this, offering anywhere from $50 per 1,000 unique installs in countries like Australia to $170 for 1,000 unique installs in the United States.

Stemming the tide

Any action in the fight against cybercrime is worthwhile, but is there a more efficient way? What we suggest is to go after the money trail – these affiliate programs.

A great example here is the drop in spam volume when SpamIt unexpectedly closed down. Spam volume dropped overnight and, to date, this has had the single biggest and longest-lasting effect on the amount of junk mail.

The toughest piece of the puzzle is determining the difference between credible and illegitimate affiliate programs. Some are clearly not to be trusted, others are clearly credible. 

But then you have programs like PageRage, which is seemingly perfectly legitimate but can be tainted by the actions of a rogue member, as in the case that M86 Security Labs discovered in May 2011.

When researching an affiliate program, consider these areas:

  • Products and services offered
  • Method of payment to members. SpamIt used WebMoney, a virtual currency that is popular in Russia and similar to PayPal. Another popular one for illegitimate programs is ePassporte, a virtual currency that closed down in September 2010 amid allegations of fraud and misappropriation of funds.
  • Company background. How long have they been in business? What is their reputation? Where are they located, and so on?

Lessons can be learned from the SpamIt closure, where embarrassment may have played a big role. M86 Security, among other security bloggers and press, were naming and shaming the company on a regular basis. Perhaps the constant attention became too much?

The same method can be applied to business partners that an affiliate program uses, e.g. banks and other financial organizations, its advertising networks, the merchants that are its customers. If these organizations are legitimate, then turning up the heat on the affiliate program that they use will undoubtedly make them reconsider their arrangement.

Finally, we should not forget about the actions that security researchers and law enforcement agencies can take. We have to do our part by remaining vigilant, gathering the facts and statistics, and passing them on to the proper parties or authorities that might be able to do something about it.