Cyber crime economy – the Spammer side

It is not just the people infecting PCs with malware who want to earn money – the spammers want their share, too. The most obvious way for them to earn money is, of course, when people buy the advertised products – fake Viagra, watches, pirated software and so on. But there are also affiliate programmes which generate revenue for the spammers.

The affiliate programmes the spammers use work by redirecting traffic to the programme operator's website; the operator pays money for visitors redirected to it. It is not the first time that we have seen this happen, as we’ve seen spam for Google AdWords and a “business” model similar to this one, but the whole deal has to be really worth the trouble to use this method of producing traffic.

The emails the spammers sent this time use social engineering tactics to create psychological pressure and make the recipients click the link.

To be honest, I clicked on that URL (in a VM) concerned that it might drop a Trojan or perform some malicious action. To my surprise, it did not. It opened an intermediate website instead – which is a URL shortener that opened yet another site.

The last website opened was Amazon.de (.de and not .com) and not a random page, but a page advertising an iPhone 3GS sold by Notebook.de.

I don’t know if there is a connection between the spam campaign and the website Notebook.de (which to my knowledge is a clean and respected website).

How this business works becomes clear when visiting the URL shortener itself: register a shortened website and get paid for visitors. But how does the business model work in this case? Well, if you look at the screenshot, you can see a big yellow button with the words “SKIP AD”. If you click there, you are redirected to survey websites which make money from the user’s feedback.

What you can also see is that if you want your website advertised, you pay $5 for 10,000 visitors. Let’s make a basic ROI calculation for the owners of the URL shortener: according to the text in the blue rectangle, $4 is paid for 1000 visitors. Thus for $5 the “customer” needs to redirect 1250 visitors. According to the URL shortener’s advertisement, its owners get paid $5 for 10,000 visitors, but they pay out $5 for 1250 visitors. This doesn’t sound very smart for a business, as obviously they pay more money than they get.

Is the spammer smarter than the company behind the URL shortener? Assuming the spammer gets $5 for 1250 visits, and only 1 of 100 recipients of the email clicks on the link in the mail (or the other 99 emails were blocked), he would have to send 125,000 emails in order to get paid $5. Among security experts it is assumed that spammers pay between $0.0001 and $0.001 (0.01 – 0.1 cents) per email sent. Thus the spammer would need to pay between $1.25 and $12.50 to send this number of emails. So the return on investment is only positive when the cost of sending a spam mail is low (around $0.0001 / email).

I don’t know how the spammers really end up, but since we received this email in our inboxes I assume that the ROI is positive for both the spammers and the URL shortener service.

I have a problem with this kind of advertisement link – there is not much to block! I mean, we can’t block bit.ly, we can’t block the URL shortener which pays the $4 for 1000 visitors, and we definitely can’t block amazon.de. All I could do was to report the bit.ly shortcut from the email to bit.ly and hope it will be blocked soon. Fortunately, the spam email itself is quite easy to block because it is being sent to 395 recipients at once in a mass mailing action. However, Gmail’s spam filter wasn’t able to stop it – but Avira Antispam marked it immediately with spam level “Very High”.
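The two signals mentioned above, a long visible recipient list and a link that goes through a URL shortener, can be combined into a filter heuristic without blocking the shortener's domain itself. The following Python code is an added example, not code from the original post or from any Avira product; the threshold of 50 recipients, the contents of the shortener list beyond bit.ly, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Assumptions for this example, not values taken from the original post.
SHORTENER_HOSTS = {"bit.ly"}   # the post names bit.ly; extend locally
MAX_VISIBLE_RECIPIENTS = 50    # hypothetical mass-mailing threshold
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def visible_recipients(msg):
    """Return the distinct addresses listed in the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}

def shortener_links(msg):
    """Return URLs in text parts whose host is a known URL shortener."""
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(text):
            host = (urlparse(url).hostname or "").lower()
            if host in SHORTENER_HOSTS:
                hits.append(url)
    return hits

def assess(raw_message):
    """Flag a message that is mass-addressed and links through a shortener."""
    msg = message_from_string(raw_message)
    rcpts = visible_recipients(msg)
    links = shortener_links(msg)
    mass = len(rcpts) > MAX_VISIBLE_RECIPIENTS
    return {"recipients": len(rcpts), "shortener_links": links,
            "mass_mailing": mass, "flag": mass and bool(links)}

# Constructed sample: 395 visible recipients and one shortened link.
SAMPLE = (
    "From: sender@example.invalid\r\n"
    "To: " + ", ".join(f"user{i}@example.invalid" for i in range(395)) + "\r\n"
    "Subject: constructed sample\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "Please confirm here: http://bit.ly/EXAMPLE\r\n"
)
```

The heuristic only sees recipients exposed in the headers; a campaign that uses Bcc or one message per recipient needs the count taken at the mail gateway instead.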

Sorin Mustaca
Data Security Expert