Last week, I read Ed Falk’s blog post on The Spam Diaries where he commented on a possible solution to the spam problem. He himself was commenting on a study done by researchers out of the University of California where they discovered that credit card transactions for stuff bought in spamvertisements are handled by three companies: one in Azerbaijan, one in Denmark and one in the West Indies. Presumably, if security experts and law enforcement went after these companies, spammers would have their financial supply cut off. No money = no incentive to spam.
Most anti-spam experts believe that cutting off the financial chain is akin to disabling botnets. After an initial disruption, spammers would simply move on to another credit card processing company, similar to the way they rebuild their botnets.
It’s not quite that simple for the spammers. For a spammer to rebuild their botnet, they have to send around new malware and compromise many tens of thousands of users. The pool of available candidates is huge, in the millions. When it comes to processing their financial transactions, there are a lot fewer people doing it. How many companies in the world provide that service?
In malware and spam, the resources that spammers use are unknowing victims. I’m going to give these credit card companies the benefit of the doubt and assume that they don’t know that their services are being used as a pivot point in online fraud. The owners of the servers in the United States didn’t know that they were hosting C&C servers for the Rustock botnet, and most of the higher-ups in Abbottabad didn’t know that bin Laden was in their backyard (I’m still using bin Laden to drive traffic to my site; still not working). But as soon as they were informed, they suddenly became a lot more vigilant (like everyone else).
Getting the money out of their scamware is one of the major bottlenecks for spammers. They can’t just transfer huge sums of money overseas because law enforcement agencies are looking for that sort of thing. They would be detected. Reducing the number of eligible bottlenecks for spammers makes it less cost-effective to spam. So while they could always go somewhere else, the fact is that they have to get the money out somehow, and if they can’t get the money out and it’s a pain to go elsewhere, maybe that could have an effect on the spam problem.
It’s entirely possible that the companies that are processing spam payments are not complicit, just inept. They don’t know that they are assisting all this online fraud and have limited budgets with a paper-thin IT staff that knows little about security. If law enforcement came knocking on their door, they’d either straighten up and fly right quickly or else risk being shut down. Getting shut down is bad for business.
Thus, while my compatriots are pessimistic that this latest piece of research is meaningful, I have a different view. I think that if the financial chokepoints of spammers were cut off, they’d… hmm… would they really go away?
Now I’m not sure.