Skip to Content
Uncategorized

Anatomy of a Spam Viagra Purchase

A sample of spam transactions finds most pass through just three banks, study finds.

What happens if you buy something advertised via spam? This graphic shows the flow of Internet traffic and money following a purchase of Viagra from a spam email.

Courtesy of Stefan Savage

It’s included in this fascinating new study showing that although billions of pieces of spam are out there—many peddling counterfeit pharmaceuticals, luxury goods and software—95 percent of the payments for a representative sample of spam transactions went through just three banks: one in Azerbaijan, another in Denmark, and a third in Nevis, West Indies.

The spam email depicted in the graphic was sent last October, when a collection of compromised computers called a botnet—in this case a botnet called “Grum,” delivered a familiar spam pitch for Viagra. The Internet connections involved websites in Russia, China and Brazil. When the researchers made the purchase using a Visa card, the payment was accepted by the Azerigazbank Joint Stock Investment Bank, a merchant bank in Baku. The counterfeit goods were then sent from Chennai, India. The person who used the Grum botnet for this particular spam campaign–shown as “affiliate program” in the graphic and only known to the researchers as “Mailien”–got a cut of the action, likely 40 percent.

The researchers made more than 120 purchases from a sample of spam, spending a few thousand dollars. While spam itself uses myriad technical tricks within the Internet infrastructure to reach victims, the research found that a potential weak link in the business model of spam is the banks. “Credit card transactions are the choke-point,” one study author, Stefan Savage, a computer scientist at the University of California, San Diego–one of four institutions that participated in the study–told me Friday. “It is technically feasible. The question mark is this: is it an important enough problem to get the political muscle behind it?”

It’s a tricky question because the transactions don’t necessarily involve fraud, in that the customers get the products they were paying for (albeit counterfeit versions). If they aren’t complaining, there’s not immediately a reason for banks to intervene. But it’s conceivable that the owners of the intellectual property being abused in the process–including pharmaceutical companies–would weigh in and seek some kind of action. This kind of research, at least, provides important new insights into spam’s “value chain,” which can only help direct responses to stanch the scourge of spam, which comprises nearly 90 percent of all email.

Keep Reading

Most Popular

images created by Google Imagen
images created by Google Imagen

The dark secret behind those cute AI-generated animal images

Google Brain has revealed its own image-making AI, called Imagen. But don't expect to see anything that isn't wholesome.

biomass with Charm mobile unit in background
biomass with Charm mobile unit in background

Inside Charm Industrial’s big bet on corn stalks for carbon removal

The startup used plant matter and bio-oil to sequester thousands of tons of carbon. The question now is how reliable, scalable, and economical this approach will prove.

AGI is just chatter for now concept
AGI is just chatter for now concept

The hype around DeepMind’s new AI model misses what’s actually cool about it

Some worry that the chatter about these tools is doing the whole field a disservice.

Peter Reinhardt
Peter Reinhardt

How Charm Industrial hopes to use crops to cut steel emissions

The startup believes its bio-oil, once converted into syngas, could help clean up the dirtiest industrial sector.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at customer-service@technologyreview.com with a list of newsletters you’d like to receive.