It’s no secret that spam/botnets are big business. There are a multitude of variations on a familiar theme, but after they trick unwitting users, what happens to the money? University of California wondered the same thing. In their recent report, “Click Trajectories: End-to-End Analysis of the Spam Value Chain” they analyze where the money goes, with a goal of stopping it at some major pinch point.
It seems the lowest hanging fruit is the few number of venues where operators can “cash out” after a spree of cyber-nastiness. The study found only a handful of banks are typically used by the whole sector. They found, in fact, that 95% of the operations use just 3 banking institutions. This is a much smaller link to disrupt than anywhere else in the chain; stop these, and the whole rest of the chain becomes precarious. Stopping botnets and other cyber-nonsense is an ongoing “Whack-a-mole” exercise, where as soon as one problem gets solved, another 10 pop up, but solve the money flow issue at the bank and they die of attrition, or so the theory goes.
They argue there are 3 distinct stages in the money flow chain: 1) advertising, 2) click support, 3) realization. The advertising phase has received the most study due to the more numeric customer facing incidents it creates; flooding e-mail inboxes and the like. But it’s only one link in the chain. Increasingly, botnet operators rent out their botnet to the highest bidder, so they’re really only a provider for the larger operation.
Additionally, while many other aspects of the operation are fluid, it is more difficult and time consuming for the spam operator to change banking institutions, since “the replacement cost for new banks is high, both in setup fees and more importantly in time and overhead. Acquiring a legitimate merchant account directly with a bank requires coordination with the bank, with the card association, with a payment processor and typically involves a great deal of due diligence and delay (several days or weeks).”
Banks who don’t ask many questions of online transactions seem to be highly concentration in very specific regions. The bulk are located in only four: St. Kitts, Azerbaijan, Latvia and Russia. Though there are others elsewhere, these process the bulk of the transactions studied. Seemingly, if these were targeted successfully, much of the spam ecosystem would be forced to regroup into other regions, which would take time and effort, causing profits to dip in the interim, having an effect on the profitability of the botnet operators.
While it seems like an obvious step, cracking down on financial institutions in far flung regions may not be the simplest endeavor. Still, it’s an interesting potential choke point, and one that could be an effective tool in the battle, if executed successfully.
Author Cameron Camp, ESET