How spam works, from end to end



'Click Trajectories: End-to-End Analysis of the Spam Value Chain' is a scholarly research paper reporting on a well-designed study of the way that spam works, from fast-flux DNS to bulletproof hosting to payment processing to order fulfillment. The researchers scraped mountains of spam websites, ordered their pills and fake software, and subjected it all to rigorous comparison and analysis. They were looking for spam ecosystem bottlenecks, places where interdicting one or two companies could have a major impact on spam.


Figure 1 illustrates the spam value chain via a concrete example from the empirical data used in this study. On October 27th, the Grum botnet delivered an email titled VIAGRA® Official Site. The body of the message includes an image of male enhancement pharmaceutical tablets and their associated prices (shown). The image provides a URL tag and thus when clicked directs the user's browser to resolve the associated domain name, medicshopnerx.ru. This domain was registered by REGRU-REG-RIPN (a.k.a. reg.ru) on October 18th -- it is still active as of this writing. The machine providing name service resides in China, while hosting resolves to a machine in Brazil. The user's browser initiates an HTTP request to the machine, and receives content that renders the storefront for 'Pharmacy Express,' a brand associated with the Mailien pharmaceutical affiliate program based in Russia.


After selecting an item to purchase and clicking on 'Checkout', the storefront redirects the user to a payment portal served from payquickonline.com (this time serving content via an IP address in Turkey), which accepts the user's shipping, email contact, and payment information, and provides an order confirmation number. Subsequent email confirms the order, provides an EMS tracking number, and includes a contact email for customer questions. The bank that issued the user's credit card transfers money to the acquiring bank, in this case the Azerigazbank Joint-Stock Investment Bank in Baku, Azerbaijan (BIN 404610). Ten days later the product arrives, blister-packaged, in a cushioned white envelope with postal markings indicating a supplier named PPW based in Chennai, India as its originator.




Click Trajectories: End-to-End Analysis of the Spam Value Chain (PDF)

(via MeFi)
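The bottleneck search the post describes, as an added example that is not code from the paper or the post: each spam campaign is recorded as a click trajectory naming the actor at every tier (registrar, name server, hosting, affiliate program, payment portal, acquiring bank), and for each tier we ask how many actors would have to be interdicted to break a given share of campaigns. The trajectories below are constructed placeholders, not data from the study.

```python
from collections import Counter

STAGES = ("registrar", "nameserver", "hosting",
          "affiliate", "payment_portal", "acquirer")

# Constructed click trajectories, one per spam campaign, naming the actor
# at each tier of the value chain (placeholder names, not real entities).
_ROWS = [
    # registrar, nameserver, hosting, affiliate, payment portal, acquiring bank
    ("reg-1", "ns-1", "host-1", "aff-A", "pay-1", "bank-X"),
    ("reg-2", "ns-2", "host-2", "aff-A", "pay-1", "bank-X"),
    ("reg-3", "ns-3", "host-3", "aff-A", "pay-2", "bank-X"),
    ("reg-4", "ns-4", "host-4", "aff-A", "pay-2", "bank-X"),
    ("reg-5", "ns-5", "host-5", "aff-A", "pay-3", "bank-X"),
    ("reg-6", "ns-6", "host-6", "aff-B", "pay-3", "bank-X"),
    ("reg-7", "ns-7", "host-7", "aff-B", "pay-4", "bank-X"),
    ("reg-8", "ns-1", "host-8", "aff-B", "pay-4", "bank-Y"),
    ("reg-1", "ns-2", "host-9", "aff-C", "pay-5", "bank-Y"),
    ("reg-2", "ns-3", "host-10", "aff-C", "pay-5", "bank-Y"),
]
TRAJECTORIES = [dict(zip(STAGES, row)) for row in _ROWS]


def actors_needed(trajectories, stage, coverage=0.95):
    """Fewest actors at `stage` whose interdiction would break at least
    `coverage` of the trajectories. Each trajectory has exactly one actor
    per stage, so taking the most-used actors first is optimal."""
    counts = Counter(t[stage] for t in trajectories)
    target = coverage * len(trajectories)
    chosen, covered = [], 0
    for actor, n in counts.most_common():
        if covered >= target:
            break
        chosen.append(actor)
        covered += n
    return chosen


def bottleneck(trajectories, coverage=0.95):
    """The tier where the fewest interdictions reach the coverage target,
    returned as (stage, list of actors to interdict)."""
    per_stage = {s: actors_needed(trajectories, s, coverage) for s in STAGES}
    stage = min(per_stage, key=lambda s: len(per_stage[s]))
    return stage, per_stage[stage]


if __name__ == "__main__":
    for s in STAGES:
        print(f"{s:15s} {len(actors_needed(TRAJECTORIES, s))} actors for 95% coverage")
    print("bottleneck:", bottleneck(TRAJECTORIES))
```

With the constructed data the hosting tier needs ten interdictions and the acquiring-bank tier two, which is the shape of result the study was looking for; on real data the counts come from the scraped trajectories rather than a hand-written table.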

