A rather large collaborative work from the people who brought you Spamalytics was presented this week at the IEEE Symposium on Security and Privacy (known in the field simply as Oakland). The paper represents a new direction in academic research on the spam problem: following the value chain of the products advertised in spam back to the people selling them. This is a refreshing viewpoint in software security and network abuse research: you can fight the problem with technical means, in an ever-escalating arms race of Bayesian filtering, glitchy graphics, fast-flux DNS and bot blacklisting. Or you can recognize that the problem is with the people behind the scams, and see what can be done about their motivation: the money. After all, there wouldn’t be money to pay for all that shiny black-hat kit without people buying cut-rate Viagra in the first place.

A key finding of the paper is that a takedown strategy aimed at the heaviest hitters concentrates better at the name-server level (the top 10 name-server ASes cover about 65% of spam domains) than at the hosting level (top 10: 45%), and better still at the registrar level (top 10: 80%). However, with 95% of all credit-card payments for spammed products clearing through just three merchant banks, it appears that the comparative complexity of takedown at this level might be offset by the asymmetric ease of dealing with so few targets. Of course, we then face the spectre of chasing the spammers from bank to bank, but we presume there is a relatively sophisticated monitoring and enforcement apparatus in place for doing this, as well; the US Department of Justice has had some success shutting down offshore gambling in part through following the banking footprint of the gambling operators.

Somewhat unusually for research into Internet misuse, the work has attracted press attention. The New York Times’ John Markoff, for one, has a decent summary with quotes from the lead author here, resisting in the main the popular science press’ tendency to sell everything as a solution to something. The blogosphere has picked up on it, too. Notably, one of the authors demonstrates the more practical reality of the work in a comment on MetaFilter: “Had you told me when I came to grad school in computer science that I would be buying drugs, carrying burner phones and answering phone calls as names like ‘Sanjoy Sanchez,’ I probably would not have believed you.”

Research, as it turns out, isn’t all submission deadlines and LaTeX trickery.

  Peter McCann says:

    This approach will lead to ever-more-intrusive “Know-Your-Customer” policies on the part of banks hosting the merchant accounts. The modern banking network has been co-opted as a tool of surveillance. And because all the banks want to ultimately interconnect with the system in the United States, the US Treasury department has enormous leverage to propagate its policies through a network effect to the entire global financial system.

  3. Most banks hosting merchant accounts seem pretty diligent to make sure customer satisfaction is high enough to at least keep the chargebacks low; there seems to be a whole subset of this industry serving those who would rather not be known, however (google “high risk merchant account”). As for banking-as-surveillance, that ship has sadly already sailed with RICO investigations, the WoD and GWoT. As long as the dollar remains a major reserve and transaction clearance currency, the rest of the world will have to put up with Treasury’s and Justice’s view on such things. Given that that is the case for the near-term future, why not leverage the giant all-seeing-eye-in-the-bank against Internet abuse?

