
University of California Identifies the Next Hard Target in a Never Ending War

This is, of course, about the recent NYT article that showcases the results of Prof. Stefan Savage and his colleagues from UCSD/Berkeley.

As my good friend and longtime volunteer at CAUCE, Ed Falk, points out, this is a great find, but hardly a FUSSP.

The nice thing about the fight against bots and spammers is the little victories people on “our” side keep having in an endless series of skirmishes and battles. Sometimes there is a significant victory, such as the takedown of a vital enemy strategic asset. [Yes, I’m overdoing the cyberwar analogy here, thank you.]

It is a familiar pattern.

Some significant victories involve takedowns of hard targets. Take down an EstDomains here, an Intercage there, and watch the spam volumes take a significant, but temporary, nosedive while the bad guys scramble to regroup and find new resources.

Other longer term but equally significant victories involve convincing people on our side to follow best practices and take proactive action against abuse issues. For example, there was a concerted effort by several people across stakeholder communities in 2007 to convince and assist HKDNR to stop the then rampant abuse of the .hk ccTLD by spammers. I wrote about this on CircleID back in 2008, after an AV vendor’s report flagged .hk as the most unsafe domain, entirely based on data about this abuse, months after outstanding abuse issues had been resolved and proactive abuse prevention measures put in place by the .hk operator HKDNR.

Coming back to Prof. Savage’s findings, now that this history lesson has put them into a bit of context.

Taking down a whole bank is not as easy as shutting down a shell company registrar, of course, but it is definitely possible for the country’s banking regulator. A cleanup at least does sound possible, because cancelling a bank’s license may, or may not, depending on the bank, cause significant collateral damage to the rest of the bank’s customers, who might be Joe Average citizens who are not money launderers, phishers, sellers of illegal drugs, etc.

There have been, of course, shell company banks, but even in legitimate banks this does look like a fit case to arrest the right bank manager and staff, and freeze the right accounts for investigation.

This of course involves action from the banking regulator and law enforcement who have jurisdiction in the countries where the banks are located. However, financial fraud and money laundering is an area that has far more international cooperation and more rigidly enforced conventions than cybercrime does, so the potential for action certainly exists. It remains to be seen what is done in the case of these three banks.

For example, the Financial Action Task Force (FATF) has Denmark as a member, and the Caribbean Financial Action Task Force as an associate member.

So, assuming some or all these hard targets from Prof. Savage’s research do get taken down, or at least cleaned up to make them inhospitable to the online pill operations, what are the ways they can regroup and fall back to alternate positions?

Shutting down merchant accounts, freezing bank accounts and arresting a few complicit bankers here and there would bring about a fast enough movement to alternative payment mechanisms, and/or to jurisdictions where, for example:

  • The level of engagement with local regulators and law enforcement is comparatively low;
  • Or corruption levels are high enough to ensure safe harbor;
  • Or there are enough gray areas in local law to ensure a reasonable amount of immunity from takedown.

In any case, a lot of the underground economy players seem to prefer online virtual currency from various sites, several of which are based, for legal immunity and banking secrecy reasons, in the usual jurisdictions.

There are also some (not so) surprising alternatives to online virtual currencies, such as World of Warcraft gold, that are easily convertible to cash (ask any hardcore but lazy gamer what the going rate for gold is). If they’re a target for phishers, the chances are high that they are also being used as a virtual currency by scam artists.

The new kid on the block is Bitcoin, a p2p virtual currency through which you can buy a surprising lot of stuff, from the services of a law firm specializing in internet law (great) to sites providing “high anonymity VPN”. Just how the idea of a p2p virtual currency that is generated by lending your CPU (or GPU) cycles to generate cash, and that has strong encryption built in, combines with the idea of botnets taking over PCs that are part of Bitcoin’s P2P network, is an interesting train of thought.

As a final fallback, there are, of course, the ever present money laundering channels that bypass conventional international payment systems, such as the one known internationally by its Indian subcontinent name of Hawala. Cumbersome and slow, but extremely anonymous and ubiquitous, with near global coverage thanks to an informal network of money launderers.

All that said and done, I do wish the various stakeholders in this game all the best in cleaning up the rat’s nest that Prof. Savage’s excellent paper has just shone a bright light on, with thanks to the NYT.

By Suresh Ramasubramanian, Antispam Operations

Thanks for the article! To be… – Stefan Savage – May 23, 2011 4:15 AM

Thanks for the article! To be clear, we’re mainly interested in understanding the ROI for any particular intervention; we’d be the last to make “silver bullet” claims.

That said, I think there is some misunderstanding about where the weakness is here and what is being proposed. Shutting down banks or even convincing them to drop their customers, particularly in foreign jurisdictions where the sale of such goods may not be illegal, is unlikely to be successful in any long term structural way. I suspect the interesting part of this question is on the domestic issuing side.

The entire spam ecosystem is ultimately monetized with US dollars, from US consumers, transferred from US banks via US issuers. If one was to convince US _issuers_ to refuse to authorize card-not-present transactions (perhaps with particular MCCs) with those acquiring banks whose spam-advertised customers are selling goods illegal in the US, it would demonetize the entire enterprise. Now there are significant questions about whether one should even try to do such a thing, and whether there is the political will if so, but it’s a much easier problem than going after the foreign merchant banks; those are indeed hard targets. Indeed, the key weakness here is not that there are few merchant banks (although that’s a bonus), but rather that one can discover new banking relationships _quickly_ (e.g., just place a purchase and check the authorization transaction a minute later). By contrast, establishing new banking relationships for a sponsor organization (or more likely their high-risk payment processor) is slow (days) and expensive. This is one of those rare asymmetries that favors the defender.

While alternative payment systems could create new challenges, the footprint for these is tiny by comparison to the existing card association networks. Remember, this isn’t about criminals exchanging money bilaterally (for which they have lots of great alternatives); it’s about extracting money from consumers. If the only way the average consumer can purchase a fake Rolex is to participate in Hawala, I guarantee that purchases will go way down :-)

- Stefan

One more point to note – Suresh Ramasubramanian – May 23, 2011 4:59 AM

People buying cheap pills online are, by and large, willing initiators of the transaction who either can't afford US drugstore prices for medicine or feel embarrassed going to their doctor for an "infertility cure". Herbal cures are not explicitly illegal. And if the medicine is not, say, a narcotic, steroid or other explicitly controlled substance that's illegal to sell without a prescription, a lot of it is available over the counter. So, the usual triggers for US card issuing banks to ban CNP transactions against particular merchant accounts are entirely absent. Especially the trigger about there being extremely low chargeback levels.

People buying, for example, "viagra" usually get either generic sildenafil citrate pills, or various Indian or Chinese herbal aphrodisiacs for their money. Sure, the pills arrive packaged in unlabeled ziploc bags and made at factories with possibly dubious safety standards. This is more easily addressed by the US FDA (which does have offices in India and China and routinely works with local law enforcement to crack down on shady pill factories). People buying these pills don't get shipped, say, a blue colored pill made of colored chalk or talcum powder. [That would be mail fraud, and end up attracting a lot more and better funded law enforcement attention than the FDA can summon in a case that doesn't involve dangerous prescription drugs.]

Narcotics getting shipped without prescription would attract the DEA and FBI as well; such shipments get cracked down on as part of the overall "war on drugs", with banks wary of money that goes to fund organized crime, terrorism etc., so they'd willingly crack down on that type of operation as well. Denying CNP in such cases isn't going to be too difficult.

So, I haven't had time to more than barely skim through your abstract, but would be glad to know if you categorized the pill sales processed through these banks. Is there any significant pattern like "viagra gets channeled more through, say, Denmark, while the truly illegal stuff like vicodin etc. goes through, say, Azerbaijan"? [Countries mentioned are indicative.] Thanks, srs

Savage is correct. The three merchant… – Jeff Chan – May 29, 2011 8:11 PM

Savage is correct. The three merchant banks they identified *are* the weak link in the spam logistical chain. I really don’t see typical consumers of spammed pills trekking down to their local hawala to arrange payment, signing up for e-gold or its successors, etc. Credit cards are used because they are familiar, convenient and ubiquitous. The alternate payment methods are much less so. Whether the credit card companies or banks have the courage or moral rectitude to actually do anything about it is questionable. And so cybercrime continues….
