TR Editors' blog

Anatomy of a Spam Viagra Purchase

Most payments in a representative sample of spam transactions pass through just three banks, a study finds.

David Talbot 05/20/2011

What happens if you buy something advertised via spam? This graphic shows the flow of Internet traffic and money following a purchase of Viagra from a spam email.

Courtesy of Stefan Savage

It's included in this fascinating new study showing that although billions of pieces of spam are out there—many peddling counterfeit pharmaceuticals, luxury goods and software—95 percent of the payments for a representative sample of spam transactions went through just three banks: one in Azerbaijan, another in Denmark, and a third in Nevis, West Indies.

The spam email depicted in the graphic was sent last October, when a collection of compromised computers called a botnet (in this case one called "Grum") delivered a familiar spam pitch for Viagra. The Internet connections involved websites in Russia, China and Brazil. When the researchers made the purchase using a Visa card, the payment was accepted by the Azerigazbank Joint Stock Investment Bank, a merchant bank in Baku. The counterfeit goods were then sent from Chennai, India. The person who used the Grum botnet for this particular spam campaign--shown as "affiliate program" in the graphic and known to the researchers only as "Mailien"--got a cut of the action, likely 40 percent.

The researchers made more than 120 purchases from a sample of spam, spending a few thousand dollars. While spam itself uses myriad technical tricks within the Internet infrastructure to reach victims, the research found that a potential weak link in the business model of spam is the banks. "Credit card transactions are the choke-point," one study author, Stefan Savage, a computer scientist at the University of California, San Diego--one of four institutions that participated in the study--told me Friday. "It is technically feasible. The question mark is this: is it an important enough problem to get the political muscle behind it?"

It's a tricky question because the transactions don't necessarily involve fraud, in that the customers get the products they were paying for (albeit counterfeit versions). If they aren't complaining, there's not immediately a reason for banks to intervene. But it's conceivable that the owners of the intellectual property being abused in the process--including pharmaceutical companies--would weigh in and seek some kind of action. This kind of research, at least, provides important new insights into spam's "value chain," which can only help direct responses to stanch the scourge of spam, which comprises nearly 90 percent of all email.

New Facebook App Scans Your Social Circle for Danger

Alongside FarmVille and Mafia Wars you can now add security software to your account.

Tom Simonite 10/26/2010


Running a (Windows-based) computer without antivirus is asking for trouble, and an e-mail system without a spam filter is unusable. How long before it's impractical to use Facebook without a dedicated app to protect you from spammers and scammers? It's a question raised in my mind by the debut of what appears to be the first security app for Facebook. You install BitDefender's safego, which is currently in beta, just as you would a game like FarmVille or any other of the many apps out there. Rather than letting you throw sheep at your friends, though, it scans your wall, inbox and any comments on your profile for malicious links that might lead to sites that try to install malware or hijack your account details. It also checks your privacy settings and offers reminders and tips on how much you are sharing and how to change those settings.

The privacy meter above is just one of the app's features, grabbed from my brief trial of the app before writing this post. See the app for yourself here and for an example of what it looks like when an attack is spotted see this screengrab. I must be lucky enough to have trustworthy friends because no bad links were detected when I tried it; but nor did I receive any warnings on privacy when I briefly made all my information fully public.

All this is made possible by the APIs that Facebook provides to let developers build on top of the platform. But Facebook doesn't yet allow everything that such software really needs. An app can't, for example, automatically flag suspicious links for you when you're browsing another person's wall. The only thing it could do is post a comment on a suspicious link, a feature BitDefender plans to add. "That's not ideal," Catalin Cosoi, head of BitDefender's threats lab, told me last week as work continued to finish the app, "but it does mean that other users who don't have the app can see the warning too."

Whether apps like safego are necessary yet is debatable. There is evidence that those spreading spam through Facebook are becoming more organized, but it is not an everyday occurrence. It's clear, though, that the number of attacks will only increase, and the fact that other popular platforms like email have proven hard to defend doesn't bode well.

I doubt Facebook will welcome apps like safego though. Its very existence detracts from the feeling of safety the site elicits with its real-life friendship-centric feel. Why would you need such an app if Facebook were safe? It could lead some users to think Facebook isn't up to the task of protecting its users.

Real-Time Searches Lead to Real-Time Malware

Search results may increasingly be poisoned with links to malicious sites, a researcher says.

Erica Naone 07/29/2010


Searching for a hot news topic or buzzword can already lead an unsuspecting person to harmful malware. Recent articles are full of warnings about malware hidden in links that are supposedly about the World Cup or the Icelandic Volcano. Estimates have suggested that about 14 percent of traditional searches for trending news go to sites hosting malware.

As real-time search becomes more important, the problem of malware-related results could become much worse, according to a talk given yesterday by Dan Hubbard, CTO of Websense, at the Cloud Security Alliance Summit, which took place at the Black Hat security conference in Las Vegas. The event brought together speakers from government, industry, academia, and the underground. Hubbard outlined several ways that real-time search results are easy to poison.

Much of the problem stems from the nature of information provided in real time, Hubbard says. It's noisy, spammy, and not authoritative. So search engines have a difficult task ahead determining what links can be trusted.

The results are also easy to manipulate. Hubbard experimented with searches related to the recent Boston marathon. He found that he could get posts to the top of real-time search engine results by posting in anticipation of events. For example, he posted information about who had won before there was a winner, garnering a top spot on real-time results pages. He found that he could trick even Google by introducing typos that other users might be likely to make (such as "Botson" marathon). And, by posting images along with text, Hubbard found that he was able to rocket his posts to the top of results pages.

Hubbard says spammers could use social graphs to manipulate real-time search results as well. A botnet, for example, could create large numbers of interconnected Twitter accounts, creating a source of information that could seem authoritative. Hubbard also pointed to recent reports of spammers taking over the Twitter accounts of well-known users.

There may be big opportunities for spammers as location gets factored into the ranking of real-time results. Current location services trust where users say they are, he says. Location is also relatively easy to spoof. Spammers could add their links to real-time search ranks by seeming, for example, to tweet about the Icelandic volcano from Iceland, or about the Boston marathon from the finish line.

Hubbard plans to continue his investigation by looking at how spammers might be able to influence Facebook streams and search, and what they might be able to do with the popular location-based social network Foursquare.
