If Fake Anti-Virus Software Doesn’t Get You, Something Else Will.
A Russian security researcher who heads the Canadian virus lab of security firm Sophos has recently shown how most spam on email, search engines and social networking sites originates with ‘affiliate networks’. These networks pay generous commissions to geeks who refer unsuspecting web users to their illegal products. Not only are they selling fake anti-virus software but also illegal penis pills, fake watches and other counterfeit luxury products. Whatever it is that might take your fancy, if you get caught out by these people they can do a lot of damage. Good computer forensic work is the only thing that can help you detect their presence and grapple with it.
In a paper for the Virus Bulletin Conference September 2009, Dmitry Samosseiko outlines how scareware, ‘Canadian Pharmacy’ spam, adult sites, and comment spam on forums and blogs have plagued the web and email world of most people in the past few years. But what, he asks, links these things together? What makes them grow in volume and complexity? Who is behind them? What business model drives the perpetrators’ profits to millions of dollars annually?
The answer is hundreds of well-organised Russian affiliate networks known as “partnerka”, which have coalesced to form a booming business industry. Thousands of affiliates, each calling themselves ‘webmasters’, work day and night to drive as much user traffic to their partners’ stores as possible, raking in thousands of dollars in the process.
Samosseiko says the first serious book about spam and spammers that he read was Spam Kings by Brian S. McWilliams in 2004. In this, the ‘pioneers’ of the email spam industry ran their businesses in a small family way. Relying on nothing more than help from their relatives, they handled the entire process chain themselves: harvesting email addresses, authoring message content, sending bulk emails, processing orders, rapidly switching their Internet service providers and, at a later stage, running from the FBI or being jailed. Since then, many countries have established anti-spam laws governing the use of email communications and marketing. While legislation was not expected to eliminate spam and make spammers extinct, it did criminalize their activities, making them a punishable offence and as a result a much riskier endeavour to engage in.
So, the second generation of spammers had to become a more organized and secretive group, forming professional spam outfits or collaborating online, where ‘bot herders’ could find their ‘sponsors’. The peak of their evolution, however, was the adoption of affiliate marketing methods in order to distribute responsibility for different spam tasks and to expand the army of ‘advertisers’.
The affiliate marketing model works well for products with large profit margins. Generic drugs produced without a licence, pornography, pirated software, casinos and dating services top the list. These are the sorts of topics we commonly see in email and web spam, Samosseiko says, but few people are aware that each theme is backed by numerous affiliate organizations with thousands of advertisers. Another fact, well known to security industry researchers, is that the majority of the most powerful and controversial affiliate networks are based in Russia. Their affiliates refer people to the networks’ products by setting up scores of bogus web pages and commanding botnet armies of infected computers to send spam. They use black hat search engine optimisation (SEO) techniques – and even monitor search term trends – to ensure that their pages appear towards the top of search results.
Software tools such as John22, A-Poster, Xrunner, DarkMail and ZennoPoster automate much of this process, including generating seemingly legitimate websites based on content from Wikipedia articles. The affiliates are paid a commission for every product they sell or for every computer they infect with malware, depending on the scheme they’re involved in. Samosseiko points out that just as Web 2.0 is about user-generated content, today’s web and email spam (Spam 2.0?) is generated by a massive number of affiliates who direct traffic to a partner site to get their share of the revenue.
One of the oldest and largest affiliate networks is known as GlavMed, which sells bogus pharmaceuticals under brand names like ‘Canadian Pharmacy’. Although GlavMed claims to have a strong anti-spam policy, searching for its support phone number reveals over 120,000 online pharmacy sites selling generic drugs. It advertises a 40% commission fee on each sale. Assuming the cost of an average purchase is around $US200, even a couple of purchases a day become a good source of income. During his research, Samosseiko came across a log file of purchases made on ‘Canadian Pharmacy’ websites advertised in email spam. This data revealed over 200 drug purchases per day per spam campaign, which can lead to $US16,000 in payments. Of course, GlavMed is a mere drop in the ocean of the bogus pharma business.
Scareware, which is malware that convinces users that their computer is infected with thousands of viruses, before offering to sell them fake anti-virus software to fix the so-called infections, is the most prevalent of today’s Internet threats. One scareware vendor, Topsale2.ru, says on its website that it only accepts traffic from Canada, Australia and the US and pays up to $US25 commission for each fake anti-virus software sale. It claims the average member can make a commission of almost $US5,000 in the space of only eleven days.
Samosseiko explains how a successful webmaster can make over $US180,000 per year on this network alone from traffic averaging 10,000 visits per day. “Assuming that most webmasters direct their traffic to more than one sponsor at a time,” he says, “it is no surprise that affiliate marketing and black SEO are extremely appealing career paths for a computer savvy person in Eastern Europe.”
Samosseiko believes that affiliate web marketing has also been the main driving force behind the recent explosion in malware, website infections, email spam and general web pollution.