At their bogus site, they could see how many consumers visited and ultimately ordered products. “We replicated this to the point of checkout, and then an error message would appear,” Savage says. “As it turns out, their business model was no different than an online catalog.”
The scientists found that the spammers had to send 12 million emails to get one person to buy. And yet it was worth it. “There is a cost to send these things out, but it is low,” Savage says. “What was daunting was that the return was so small, and yet it was still profitable.”
Their work, published in 2008 at the ACM Conference on Computer and Communications Security, is the first of several studies examining the botnet economic pipeline and its nuances in order to find the best place to disrupt the process.
“You can come up with very, very precise filters that will allow you to block spam before you get it, but that still has you playing ‘whack-a-mole,’ always responding to the latest particular threat,” Savage says. “Our current focus is on trying to understand the right place to intervene. Blocking spam, in fact, appears likely to be cost-ineffective. Spammers can still make lots of money even though very few of their messages get through.”
Another study, published last year at the USENIX Security Symposium, explored how spammers deal with “CAPTCHAs,” those distorted-text puzzles that people must transcribe in order to gain entry to a particular site. CAPTCHAs are designed to distinguish humans from automated programs.
“The solution has been to outsource the CAPTCHA solving in real time to third world labor,” Savage says. “We found all these underground sites that sell CAPTCHA-solving as a service. The spammers farm it out to third world laborers who will work for a few dollars a day typing in the answers. Most are operating out of China. There are all kinds of security interventions where we make an assumption about how hard things are for a computer, but, if it is simple, you can outsource it. You can apply massive amounts of human labor to the problem, and it can be cost effective.”
In the end, the most effective attack against massive spamming may come down to hitting spammers where it will hurt the most: in the profit margin. “We are interested in the economic factors,” Savage says. “The spammers all play on each others’ resources and capabilities. It’s a fairly evolved economic system. Much of our work is trying to uncover where the economic bottlenecks are and where they are not.”