Economies of Scale in the Spam Business
A Better Mousetrap
The researchers captured some of the work orders sent across the botnet's control network and surreptitiously substituted Web links of their own into the spam content. When clicked, the modified links brought up sites that mimicked the spammer's pharmacy site, complete with a shopping-cart checkout, or downloaded and installed a harmless file in place of the bad guys' Storm malware. The computer users in question would otherwise have wasted real money (and possibly exposed their credit card numbers to further fraud), or been infected by real malware--strengthening the researchers' case that their actions were ethical and helped prevent harm, even as they gathered fascinating data.
From March 21 through April 15, 2008, the study tracked 347 million pieces of e-mail hawking pharmaceuticals and 124 million more attempting to infect computers with malware. Only a tiny fraction reached addressees' inboxes, and the researchers found that "the popular Web mail providers all [did] a very good job at filtering the campaigns we observed."
Chump Change
Of the people who did receive the spam, 28 attempted to buy items from the researchers' fake site (all but one of them went for "male-enhancement products"). The average take of US$100 or so pulled in from those visitors might sound like a pittance, but the study's authors estimate that if the Storm botnet sent the pharmaceutical spam at the same rate throughout the year and enjoyed the same success rate, the annual revenue would add up to a tidy US$3.5 million. Even after subtracting operating costs such as hosting Web sites and botnet command servers (a cost the authors could not pin down), the potential profit is large.