Anatomy of a Spam Viagra Purchase

A sample of spam transactions finds most pass through just three banks, study finds.

David Talbotarchive page

May 20, 2011

What happens if you buy something advertised via spam? This graphic shows the flow of Internet traffic and money following a purchase of Viagra from a spam email.

It’s included in this fascinating new study showing that although billions of pieces of spam are out there—many peddling counterfeit pharmaceuticals, luxury goods and software—95 percent of the payments for a representative sample of spam transactions went through just three banks: one in Azerbaijan, another in Denmark, and a third in Nevis, West Indies.

The spam email depicted in the graphic was sent last October, when a collection of compromised computers called a botnet—in this case a botnet called “Grum,” delivered a familiar spam pitch for Viagra. The Internet connections involved websites in Russia, China and Brazil. When the researchers made the purchase using a Visa card, the payment was accepted by the Azerigazbank Joint Stock Investment Bank, a merchant bank in Baku. The counterfeit goods were then sent from Chennai, India. The person who used the Grum botnet for this particular spam campaign–shown as “affiliate program” in the graphic and only known to the researchers as “Mailien”–got a cut of the action, likely 40 percent.

The researchers made more than 120 purchases from a sample of spam, spending a few thousand dollars. While spam itself uses myriad technical tricks within the Internet infrastructure to reach victims, the research found that a potential weak link in the business model of spam is the banks. “Credit card transactions are the choke-point,” one study author, Stefan Savage, a computer scientist at the University of California, San Diego–one of four institutions that participated in the study–told me Friday. “It is technically feasible. The question mark is this: is it an important enough problem to get the political muscle behind it?”

It’s a tricky question because the transactions don’t necessarily involve fraud, in that the customers get the products they were paying for (albeit counterfeit versions). If they aren’t complaining, there’s not immediately a reason for banks to intervene. But it’s conceivable that the owners of the intellectual property being abused in the process–including pharmaceutical companies–would weigh in and seek some kind of action. This kind of research, at least, provides important new insights into spam’s “value chain,” which can only help direct responses to stanch the scourge of spam, which comprises nearly 90 percent of all email.