
Solving the Spam Problem

Last week, I read Ed Falk’s blog post where he commented on a possible solution to the spam problem. He himself was commenting on a study done by researchers out of the University of California where they discovered that credit card transactions for stuff bought in spamvertisements are handled by three companies: one in Azerbaijan, one in Denmark and one in the West Indies. Presumably, if security experts and law enforcement went after these companies, spammers would have their financial supply cut off. No money = no incentive to spam.

Most anti-spam experts believe that cutting off the financial chain is akin to disabling botnets. After an initial disruption, spammers would simply move on to another credit card processing company, similar to the way they rebuild their botnets.

It’s not quite that simple for the spammers. For a spammer to rebuild their botnet, they have to send around new malware and compromise many tens of thousands of users. The pool of available candidates is huge, in the millions. When it comes to processing their financial transactions, there are far fewer parties doing it. How many companies in the world provide that service?

In malware and spam, the resources that spammers use are unknowing victims. I’m going to give these credit card companies the benefit of the doubt and assume that they don’t know that their services are being used as a pivot point in online fraud. The owners of the servers in the United States didn’t know that they were hosting C&C servers for the Rustock botnet, and most of the higher-ups in Abbottabad didn’t know that bin Laden was in their backyard (I’m still using bin Laden to drive traffic to my site; still not working). But as soon as they were informed, they suddenly became a lot more vigilant (like everyone else).

Getting the money out of their scamware is one of the major bottlenecks for spammers. They can’t just transfer huge sums of money overseas, because law enforcement agencies are looking for that sort of thing. They would be detected. Reducing the number of eligible bottlenecks for spammers makes it less cost-effective to conduct spam. So while they could always go somewhere else, the fact is that they have to get the money out somehow, and if they can’t get the money out and it’s a pain to go elsewhere, maybe that could have an effect on the spam problem.

It’s entirely possible that the companies that are processing spam payments are not complicit, just inept. They don’t know that they are assisting all this online fraud, and they have limited budgets with a paper-thin IT staff that knows little about security. If law enforcement came knocking on their door, they’d either straighten up and fly right quickly or else risk being shut down. Getting shut down is bad for business.

Thus, while my compatriots are pessimistic that this latest piece of research is meaningful, I have a different view. I think that if the financial chokepoints of spammers were cut off, they’d… hmm… would they really go away?

Now I’m not sure.

By Terry Zink, Program Manager

Comments

Many roads lead to Rome
Wout de Natris – May 30, 2011 3:57 PM

As I already wrote in a few places last week, this example of banks is one of the many what-ifs that have passed by where spam and botnet mitigation are concerned. Yes, in an ideal world this would work. Unfortunately it seems like the incentives are wrong and many a company makes spin-off money from (cyber) crime. Also after they have been warned. For some it is even a business case.

So the question is: what does a company do after it has been warned that it is a participant in a crime? What would help is that enforcers actually enforce this way and make use of the fact that even unconscious assistance to spammers can become conscious assistance after a warning has been heeded. Unfortunately it appears that there are not a lot of enforcement agencies that take this step against financial institutions, hosting providers, ISPs, domain name registration organisations, the text message platform holder, etc., in a structured manner. If this would happen and warnings were followed up, spammers do get in trouble as the openings they have for receiving payment become smaller and smaller. In that case their interest in spam will wane and they move to other opportunities. And they do. In my enforcement days I had first-hand experience with fraudulent text messages. Close the window of opportunity fast enough and they leave the market, even if they don’t get fined or arrested.

Money is the soft underbelly of the spammer/cyber criminal. It doesn’t matter where the payments are made impossible, through disabling the service or the payments themselves. Just as long as it happens. And LEAs: in the terms and contracts of companies there usually are a lot of interesting clauses that can be invoked against spammers as well. Make use of it! I did, often, and with success.

I know, this is attacking the side effects and not the actual perpetrator, but if these people are in countries where they are sort of untouchable, this is the next best thing. This method should however, in my opinion, never get in the place of real fines or arrests.

So, can we expect companies to check on every customer? No. Can we expect them to act after a warning? Yes, society ought to be able to depend on this. Should an enforcement agency use this method consequently and as rapidly as possible? Definitely.

Wout de Natris, De Natris Consult

Well - Terry's point, like mine earlier, was that spammers could switch payment methods
Suresh Ramasubramanian – May 30, 2011 9:24 PM

Though - I operated from the assumption that they're already marginalized to choosing merchant accounts from these three banks. I have seen media reports as well as artefacts from previous studies that involved buying from spammers, where pill / fake Rolex etc. gangs suddenly stop accepting either Visa or MasterCard because of one crackdown or the other. Even now if you google you get pill sites that say, for example, that "they accept only [xyz] cards". One thing though - there's another layer we've all been missing besides the banks. You might also look at the payment processor that handles these payments. A third-party online payments processor of any sort would certainly use a comparatively smaller number of banks for their backend transactions. For example - http://krebsonsecurity.com/tag/chronopay/ has some interesting content. I wonder if Krebs and Prof. Savage have noticed the same thing, or if this is a pattern shift. There have been several such in the past - e.g. because of this - http://krebsonsecurity.com/2010/09/visa-blocks-epassporte/

Let's track the history a bit
Suresh Ramasubramanian – May 30, 2011 9:37 PM

Just goes to say 'target in a never ending war' http://www.circleid.com/posts/university_of_california_next_hard_target_in_never_ending_war/ Over the past few years (I think since at least 2003), there have been lots of Pew / Forrester / Gartner etc. studies, as well as investigations by companies like Pfizer / Microsoft / Rolex whose products are sold online, over the past several years. Most of these have involved buying these products online, either for research or as part of a sting. Do we have any data available from those studies - if only incidental - that shows the changing patterns in payment processing used by spammers selling these fake pills, watches etc.?
