http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9027299 By Jeremy Kirk July 18, 2007 IDG News Service "Ed," a retired spammer, built a considerable fortune sending e-mails that promoted pills, porn and casinos. At the peak of his power, Ed says he pulled in $10,000 to $15,000 a week, storing the money in $20 bills in stacks of boxes. It was a life of greed and excess, one that preyed especially on vulnerable people hoping to score drugs or win money gambling on the Internet. From when he was expelled from high school at 17 until he quit his spam career at 22, Ed -- who does not reveal his full name but sometimes goes by Spammer-X -- was part of an electronic underworld profiting from the Internet via unsolicited commercial e-mails. "Yes, I know I'm going to hell," said Ed, who spoke in London today at an event hosted by IronPort Systems Inc., a security vendor owned by Cisco Systems Inc. "I'm actually a really nice guy. Trust me." Quick-witted and affable, and sporting an earring, there was a time when Ed wasn't so nice. He sent spam to recovering gambling addicts enticing them to gambling Web sites. He used the e-mail addresses of people known to have bought anti-anxiety medication or antidepressants and targeted them with pharmaceutical spam. In short, Ed said he was "basically what people hate about the Internet." He spent 10 hours a day, seven days a week studying how to send spam and avoid filtering technologies in security software designed to weed out garbage e-mail. Most spam filters are effective 99% of the time. Ed aimed for that remaining window, using tricks such as including slightly different images in his spam, which can fool filters into thinking the e-mail is legitimate. "The better I got at spam, the more money I made," Ed said. He would start a spam run by finding an online merchant who wanted to sell a product. Then he'd acquire a list of e-mail addresses, another commodity that has spawned its own market in the world of spam. He'd also set up a domain name, included a link in a spam message that, if clicked, would redirect the recipient to the merchant's Web site, enabling Ed to get credit for the referral. The spam would then be sent from a network of hacker-controlled computers, called botnets. Those machines are often consumer PCs infected with malicious software that a hacker can control. Ed would "rent" time on those computers from another group of hackers who specialized in creating botnets. If one of the spam recipients bought something, Ed would get a percentage of the sale. For pharmaceuticals, the commission was around 50%, he said. Response rates to spam tend to be a fraction of 1%. Ed said he once got a 30% response rate for a campaign. The product? A niche type of adult entertainment: photos of fully clothed women popping balloons. To track the money, merchants set up a "referral sales page" where spammers can see how much they make from a spam run. Ed would log in frequently, watching the money increase. He was paid into electronic payment transfer accounts, such as e-gold or PayPal, or into his debit card account, which he could cash out in $20 bills. That was a problem when the cash became voluminous. He says he made $480,000 in his last year of spamming. But the lifestyle of being a spammer was taking a toll. In essence, he had no life. It's hard to go into a bar and explain your job to a woman by saying, "I advertise penis enlargement pills online," Ed said. "It doesn't go down very well." He rationalized his actions by saying spamming is not like robbing someone, although the lurid impact of spam was clear. Some 9 million Americans have some dependence on prescription drugs, Ed said, and he noticed that the same people were buying different drugs each month. "These were addicts," he said. In addition, he said, "the product is always counterfeit to some degree. If you're lucky, sometimes it's a diluted version of the real thing." Viagra is cut with amphetamines, and homemade pills are common from sketchy labs in countries such as China, India and Fiji, Ed said. So Ed got out of the business. He has written a book, Inside the Spam Cartel: Trade Secrets from the Dark Side [1] (Syngress, 2004), which he said has drawn interest among law enforcement officials eager to learn more about the spam business, which he predicted will only get worse. As broadband speeds increase, spammers will increasingly try to market goods by making voice-over-IP calls or sending out videos, Ed said. The ultimate unsolvable problem is users who continue to buy products marketed by spammers, making the industry possible. "I think in 10 years, we'll still get spam," Ed said. "Be prepared to be bombarded." [1] http://www.amazon.com/exec/obidos/ASIN/1932266860/c4iorg _____________________________________________________ Attend Black Hat USA, July 28-August 2 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 30 hands-on training courses and 90 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 70 nations. Visit product displays by 30 top sponsors in a relaxed setting. Rates increase on June 1 so register today. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Wed Jul 18 2007 - 22:37:22 PDT