TR Editors' blog

Anatomy of a Spam Viagra Purchase

Most payments in a sample of spam transactions pass through just three banks, a study finds.

David Talbot 05/20/2011

What happens if you buy something advertised via spam? This graphic shows the flow of Internet traffic and money following a purchase of Viagra from a spam email.

Courtesy of Stefan Savage

It's included in this fascinating new study showing that although billions of pieces of spam are out there—many peddling counterfeit pharmaceuticals, luxury goods and software—95 percent of the payments for a representative sample of spam transactions went through just three banks: one in Azerbaijan, another in Denmark, and a third in Nevis, West Indies.

The spam email depicted in the graphic was sent last October, when a collection of compromised computers called a botnet, in this case a botnet called "Grum," delivered a familiar spam pitch for Viagra. The Internet connections involved websites in Russia, China and Brazil. When the researchers made the purchase using a Visa card, the payment was accepted by the Azerigazbank Joint Stock Investment Bank, a merchant bank in Baku. The counterfeit goods were then sent from Chennai, India. The person who used the Grum botnet for this particular spam campaign--shown as "affiliate program" in the graphic and only known to the researchers as "Mailien"--got a cut of the action, likely 40 percent.

The researchers made more than 120 purchases from a sample of spam, spending a few thousand dollars. While spam itself uses myriad technical tricks within the Internet infrastructure to reach victims, the research found that a potential weak link in the business model of spam is the banks. "Credit card transactions are the choke-point," one study author, Stefan Savage, a computer scientist at the University of California, San Diego--one of four institutions that participated in the study--told me Friday. "It is technically feasible. The question mark is this: is it an important enough problem to get the political muscle behind it?"

It's a tricky question because the transactions don't necessarily involve fraud, in that the customers get the products they were paying for (albeit counterfeit versions). If they aren't complaining, there's not immediately a reason for banks to intervene. But it's conceivable that the owners of the intellectual property being abused in the process--including pharmaceutical companies--would weigh in and seek some kind of action. This kind of research, at least, provides important new insights into spam's "value chain," which can only help direct responses to stanch the scourge of spam, which comprises nearly 90 percent of all email.

Facebook Can't Fix Privacy Problems With Technology

In an FCC hearing, Facebook CTO Bret Taylor defends his company's privacy practices.

Erica Naone 05/19/2011

Facebook is often criticized over privacy. Just think of the launch of Beacon.

But listening to CTO Bret Taylor defend the company's privacy practices yesterday at a hearing before the U.S. Senate Committee on Commerce, Science, and Transportation, it's hard to fault the company's technology. Facebook is in many ways at the cutting edge of Internet security and privacy--and it has to be, considering the large quantity of personal information that it stores.

Facebook's privacy woes have not been caused by technical bungling. It's hard to imagine, for example, the company suffering the sort of ongoing technical humiliation that Sony has recently experienced. Facebook's record so far has been much better than that. Rather, it's Facebook's tendency to suddenly change the rules that has landed it in hot water.

Taylor's discussion of how Facebook handles user privacy was thoughtful and impressive. "People will stop using Facebook if they lose trust in their services," he said, a line we also heard from Google in last week's hearing. He went on to outline the ways that Facebook allows users to control what happens to their data, in particular the fine-grained privacy controls that allow users to select who can see their posts. Users can set different policies for photos, status updates, and other kinds of content, and can even set special privacy policies for specific posts.

"We cannot satisfy people's privacy expectations by creating a one size fits all approach," Taylor argued.

Taylor highlighted that the company has worked with partners on new authentication technologies that allow users to share information with third parties safely, and noted, "We are one of the few Internet companies to extend our privacy controls to our mobile interfaces."

He added that the company also offers different default settings for minors, and is currently testing a new, more transparent privacy policy for all users.

What Taylor didn't talk about is Facebook's habit of changing its default privacy settings without giving users much notice. The last time this happened, for example, users logged into Facebook and were confronted with a long description of changes to how their information would be shared. Few have the patience to sit down, understand the changes, and fix them.

This is where the company keeps going wrong. And no matter how sophisticated or thoughtful its privacy and security technology, Facebook can't fix its problems until it gets the human factor right.

Chrome's Security Crown Slips

A security firm claims to have found a way to use Google's browser to attack web users.

Tom Simonite 05/09/2011


Google's browser Chrome may have just suffered its most serious security setback yet. Security firm VUPEN today announced that its researchers had found a way to have a webpage run any code or program it wants on a Chrome user's Windows computer.

A video shows how visiting the attacking webpage enables it to download and then execute a calculator program--a standard method of demonstrating how an attack works. If the vulnerability were exploited in the wild it could be used to install programs that steal passwords, or make a computer part of a network of infected computers used to attack websites.

VUPEN hasn't made the exact details of the hack public, saying only that it required "one of the most sophisticated codes we have seen" and that it will relay the details to government agencies on its customer list. According to the company's statement:

"This code and the technical details of the underlying vulnerabilities will not be publicly disclosed. They are shared exclusively with our Government customers as part of our vulnerability research services."

VUPEN provides law enforcement and intelligence agencies with what it dubs "weaponized" exploits for surveillance or other covert operations. The company has made no mention of whether Google was warned of today's announcement, or how it will be helped to fix the exploit.

Google has promoted Chrome since its launch as offering superior security to other browsers. Chrome has never been defeated at the annual Pwn2Own contest that challenges the world's best hackers to compromise popular software. At this year's event in March, Firefox and Chrome were the only two popular browsers not defeated.

VUPEN's attack is the first to beat a feature of Chrome called "sandboxing" that carefully isolates web code in different tabs from each other, and from the rest of a person's computer. The new attack is able to somehow bust out of the sandbox to download and execute any code it wishes. Another of Chrome's security features will help it minimize the risk to users, though. Unlike most software, the browser silently upgrades itself to the most recent version without a person's permission whenever possible. That habit will enable the fix to Google's new security hole to spread fast, once it has been worked out.
