An academic’s investigation into the underpinnings of the fake luxury goods spam that pollutes in-boxes, social networks, and search results sheds new light on the economics of online crime—and implicates some of the largest banks in the world.
Fake luxury goods stand alongside pharmaceuticals as one of the primary drivers of spam. Damon McCoy, an assistant professor of computer science at New York University, is mapping out and attacking the economic system behind it. And he says the trail leads to the doors of China’s three largest banks.
McCoy’s project is a collaboration with Florida attorney Stephen Gaffigan and four of the world’s largest luxury goods brands—which decline to be named. The Bank of China, the Bank of Communications, and Agricultural Bank of China handled 97 percent of 300 fake goods purchases made during McCoy’s project, which has been running for nearly 18 months. All three are owned by the Chinese government.
McCoy initially found that the Korea Exchange Bank handled a significant fraction of the luxury goods purchases. But after his work triggered complaints from the credit-card network Visa, the bank stopped handling the transactions for the perpetrators. Despite being subject to similar complaints—and likely fines—the Chinese banks have not. “The banks in China are not doing anything,” says McCoy. He discussed his findings at the Enigma computer security conference in San Francisco this week.
All three banks have been accused, in lawsuits from luxury brands and by anti-counterfeiting organizations, of being important to the counterfeiting trade before. The Bank of China this month turned over customer records requested by Gucci and other brands in a court case over fakes. But McCoy’s study draws a direct link between online spam and the banks and suggests that the three have a virtual monopoly on receiving payments made for fakes online. None of the Chinese banks named by McCoy responded to a request for comment.
McCoy’s campaign is inspired by a landmark 2011 study he worked on regarding the economics of spam. It found that 95 percent of the income generated by spam passed through just three banks in Azerbaijan, Denmark, and Nevis in the West Indies (see “Anatomy of a Spam Viagra Purchase”).
The effort against the fake goods trade is aimed at identifying similar economic bottlenecks and choking them off. McCoy targets the crucial step that makes spamming worthwhile—when a customer makes a payment with a credit card and the money lands in a bank account controlled by the counterfeiter.
Fake goods are sold using spam in the form of e-mails and social network posts (the iMessage and WhatsApp messaging services have been targeted heavily). Criminals also hack websites to set up virtual storefronts that rank highly in search results.
McCoy has built software that clusters together fake-goods spam coming from the same source and identifies the payments processor it uses. He then exploits Visa’s anti-fraud rules to hit the spam generators where it hurts. If a fake-goods transaction is reported, a card network can levy escalating fines on the bank that received the money.
McCoy says he has evidence he’s hurting the counterfeiters. Visa’s complaints to the big three Chinese banks have caused counterfeiters to lose their bank accounts, even if the banks appear to be allowing them to switch to new ones. And payments processors serving counterfeiters have tried to filter out purchases made through his project using increasingly restrictive rules that appear to prevent many legitimate purchases.
“We’ve definitely hurt them; this is having an effect on their sales,” says McCoy. He and his collaborators are committed to continuing their project. That might choke off spam at the source instead of just hiding it, as more conventional measures such as spam filters do, especially if the big Chinese banks coӧperate more, he says. “The hope is that if you remove the money incentive to send spam e-mails or post spam to social networks, this will prevent spam.”
The damage to the counterfeit industry could be long-lasting. Switching credit-card processors comes with high costs, and there are relatively few to choose from, says Tyler Moore, an assistant professor of cybersecurity and information assurance at the University of Tulsa. And counterfeiters have to centralize for efficiency reasons. “Miscreants often scale up in the same manner that any other tech company would, placing their infrastructure at a single hosting provider or processing payments at one acquiring bank,” he says.