Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo

 

Unsupported browser: Your browser does not meet modern web standards. See how it scores »

What happens if you buy something advertised via spam? This graphic shows the flow of Internet traffic and money following a purchase of Viagra from a spam email.

Courtesy of Stefan Savage

It’s included in this fascinating new study showing that although billions of pieces of spam are out there—many peddling counterfeit pharmaceuticals, luxury goods and software—95 percent of the payments for a representative sample of spam transactions went through just three banks: one in Azerbaijan, another in Denmark, and a third in Nevis, West Indies.

The spam email depicted in the graphic was sent last October, when a collection of compromised computers called a botnet—in this case a botnet called “Grum,” delivered a familiar spam pitch for Viagra. The Internet connections involved websites in Russia, China and Brazil. When the researchers made the purchase using a Visa card, the payment was accepted by the Azerigazbank Joint Stock Investment Bank, a merchant bank in Baku. The counterfeit goods were then sent from Chennai, India. The person who used the Grum botnet for this particular spam campaign–shown as “affiliate program” in the graphic and only known to the researchers as “Mailien”–got a cut of the action, likely 40 percent.

The researchers made more than 120 purchases from a sample of spam, spending a few thousand dollars. While spam itself uses myriad technical tricks within the Internet infrastructure to reach victims, the research found that a potential weak link in the business model of spam is the banks. “Credit card transactions are the choke-point,” one study author, Stefan Savage, a computer scientist at the University of California, San Diego–one of four institutions that participated in the study–told me Friday. “It is technically feasible. The question mark is this: is it an important enough problem to get the political muscle behind it?”

It’s a tricky question because the transactions don’t necessarily involve fraud, in that the customers get the products they were paying for (albeit counterfeit versions). If they aren’t complaining, there’s not immediately a reason for banks to intervene. But it’s conceivable that the owners of the intellectual property being abused in the process–including pharmaceutical companies–would weigh in and seek some kind of action. This kind of research, at least, provides important new insights into spam’s “value chain,” which can only help direct responses to stanch the scourge of spam, which comprises nearly 90 percent of all email.

1 comment. Share your thoughts »

Tagged: Web, security, spam

Reprints and Permissions | Send feedback to the editor

From the Archives

Close

Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me