
How Modern Spam Works
May 21, 2011 9:42 AM

Through purchasing Viagra, herbal remedies, and replica watches, computer scientists explain how modern spam works. The spam business model consists of three components: advertising, click support (i.e., delivering the customer to an actual website), and realization (i.e., receiving payment and delivering the product to the customer). Different firms located across the globe carry out the various tasks. For example, the website domains are registered in Russia, the credit card payments are handled by banks in Azerbaijan, and the pills are sent from manufacturers in India. The spam business infrastructure appears to be organized around a small number of affiliate programs that coordinate the activities among the different firms. Click Trajectories: End-to-End Analysis of the Spam Value Chain (A 16 page PDF). [via]
posted by Jasper Friendly Bear (31 comments total) 98 users marked this as a favorite

 
This report is important. There's a lot of organized crime on the Internet: spam networks, botnets, denial-of-service extortion, etc. The security nerds have all been focussed on the front end, tracing the botnets and their command and control systems. But attacking it from the back end, from the payment processing side, seems equally valuable. The problem is it takes interest from law enforcement or financial services companies to pursue. I doubt the police in Azerbaijan are going to follow up on this, but maybe Visa will.
posted by Nelson at 9:44 AM on May 21, 2011 [2 favorites]


Also if a 16 page PDF is too long for you, this NYTimes article is a good summary. Also Technology Review, which has an interesting graphic.
posted by Nelson at 9:46 AM on May 21, 2011 [7 favorites]


One, among the many, interesting things in the paper is this, "Finally, for a subset of the sites . . . we also purchased goods being offered for sale. We attempted to place multiple purchases from each major affiliate program or store “brand” . . . . We attempted 120 purchases, of which 76 authorized and 56 settled [10]." Footnote 10 reads, "Almost 50% of these failed orders were from ZedCash, where we suspect that our large order volume raised fraud concerns." It seems funny that spammers worry about people scamming them. The paper continues with, "Of those that settled, all but seven products were delivered. We confirmed via tracking information that two undelivered packages were sent several weeks after our mailbox lease had ended, two additional transactions received no follow-up email, another two sent a follow-up email stating that the order was re-sent after the mailbox lease had ended, and one sent a follow-up email stating that our money had been refunded (this refund, however, had not been processed three months after the fact)." It was surprising to read that some spammers actually have some form of customer service.
posted by Jasper Friendly Bear at 10:16 AM on May 21, 2011 [3 favorites]


I'm genuinely shocked that they actually received any merchandise. I thought it was just a given that when responding to spam you were just handing over cc numbers.
posted by COBRA! at 10:29 AM on May 21, 2011 [3 favorites]


So, do I get it right? They are saying that it is pretty safe to buy from spammers?
posted by dominik at 10:58 AM on May 21, 2011


I'm not sure I would call buying unlicensed FDA un-approved prescription pharmaceuticals from India "safe".
posted by Avenger at 11:10 AM on May 21, 2011 [2 favorites]


If you're happy with a <50% success rate and dealing with organized crime, sure, it's safe.
posted by hattifattener at 11:23 AM on May 21, 2011 [1 favorite]


> It was surprising to read that some spammers actually have some form of customer service.
It's not that surprising at all. Think about Viagra or some other drug. If you buy from a spammer once you'll probably be a repeat customer for sure.
posted by delmoi at 11:40 AM on May 21, 2011


FYI: Just because the pharmaceutical spammers might actually ship things doesn't mean anyone should actually go with the spam they get. If someone was really interested, they should instead spend a little bit of time doing research and Googling. Might as well spend a lot less money to get some dodgy meds from India than to spend more and give it to those spamming jerks for dodgy meds from India.
posted by floam at 12:16 PM on May 21, 2011 [2 favorites]


I guess I always assumed that the money to be made in spamming was in selling "MAKE MONEY FAST" kits consisting of mailer programs, emails, and some crap to offer. I figured it worked like MLM, where the money was in selling the system to people, not in the actual merchandise.
posted by Legomancer at 12:30 PM on May 21, 2011


Hi Metafilter! I'm an author on this work and will try to answer any questions people have about it. It was a long process, involved a lot of people, but was great fun too.

Jasper, an important thing to note about these businesses being 'scammed' is that most of the purchases they deal with are credit card transactions - the 'power' in that customer-merchant relationship lies almost completely with the customer. If you were to not receive some goods, or not receive what was ordered, it is simple to call your credit card company and have them refund you your money. If enough of these chargebacks happen, the merchant bank or payment processor might drop the spammer as a client or increase fees, both of which are bad for business.

Overall, the level of customer service was pretty impressive. Some of the affiliate programs that we purchased from would immediately call the phone number associated with the purchase to verify that we indeed made it, follow-up communication via email was very popular, and some of the sites even had live chat help.

The specific situation with ZedCash was a little funny. We had been ordering from several of their storefronts initially thinking that they were all part of different spamming programs - we were ordering from them far more often than other programs, sometimes several identical orders from different people at the same shipping/billing address on the same day. I was in charge of making the orders and receiving the goods for this part of the study - this meant that I was carrying two prepaid phones and my personal cell and receiving calls for about a dozen different aliases. We were using a different email address for each transaction (to track order emails as well as any possible subsequent spam), but weren't able to make up a different name or phone number for every one. So one day someone called (who sounded very clueful, not your standard first-level customer service rep) asking about an order "I" had made, and why I was using the same name but different email addresses every time. I told her it was for privacy reasons and I don't like giving out my real email address, and she said something like, "right. thank you." and hung up. And then after that all of our ZedCash orders got cancelled.

Had you told me when I came to grad school in computer science that I would be buying drugs, carrying burner phones and answering phone calls as names like "Sanjoy Sanchez," I probably would not have believed you. But at this point it has been a lot of fun and this is research I really believe in and am glad to be doing.
posted by kaytwo at 12:33 PM on May 21, 2011 [145 favorites]


You should test the drugs to see if they are the right stuff, check for impurities, that kind of thing.
posted by delmoi at 12:48 PM on May 21, 2011 [2 favorites]


Mass spec analysis showed that the correct active ingredient was present in roughly the same concentration in the pills we ordered compared to the store-bought brand version of the drug.
posted by kaytwo at 12:56 PM on May 21, 2011 [27 favorites]


Kaytwo, thanks for coming by and filling in the picture some more. This is fascinating, important work and it sounds pretty fun along the way!

Following on delmoi's comment and your reply, I want to still strongly suggest to folks that they get drugs through legitimate means rather than through the spam route. There is more to a pill than the active ingredient--for instance, binders, fillers, formulation, etc--and those things are very tightly regulated in the US. These things can absolutely affect the safety and efficacy of the active ingredient. Not worth the risk.
posted by Sublimity at 1:03 PM on May 21, 2011 [1 favorite]


Wow, I'm astonished that the drugs actually contained what they were supposed to contain. Any contaminants?

I guess it's like cocaine or heroin dealers—they want repeat customers, so you mostly get real drugs. And you run the same risks of contamination or fakery.

What's scary to me is that the illegal and legal pharma supply chains seem to be converging in the sense that the regulation isn't adequately policing the legit ones, so much so that the differences begin to blur. This, of course, can result in disaster—but it is disaster for which there's at least legal relief.
posted by Maias at 1:54 PM on May 21, 2011


> Mass spec analysis showed that the correct active ingredient was present in roughly the same concentration in the pills we ordered compared to the store-bought brand version of the drug.

Wow, that really surprises me. I would have expected that they were mostly shipping blue-tinted sugar pills, not actual Viagra.
posted by Forktine at 1:56 PM on May 21, 2011 [1 favorite]


> Any contaminants?

I wish I could answer this question, but my expertise in mass spectrometry and any other contaminant-identification methods is pretty limited. We still have quite a few samples and if anyone has any good ideas on how to identify what other trace/non-organic compounds are in these pills I'm all ears.
posted by kaytwo at 2:10 PM on May 21, 2011 [1 favorite]


From Nelson's second link: "the payments for a representative sample of spam transactions went through just three banks: one in Azerbaijan, another in Denmark, and a third in Nevis, West Indies."

Anyone know the name of the Danish bank?

Seems to me that one of those three countries is very different from the other two.
posted by AwkwardPause at 2:18 PM on May 21, 2011


Interesting. I guess if I want to buy pharms sans script, I'll go with spam!

Science for the win.
posted by adipocere at 2:34 PM on May 21, 2011


About the Danish bank, I'll quote my advisor from a different Internet discussion:
> I suspect the connection is via DnBNord... the bank in our study was the Latvian branch, but I believe the headquarters are in Copenhagen (although as I recall the whole lot may be owned by DnB NOR in Norway.)
The full list of banks is in the paper in Table V.
posted by kaytwo at 3:16 PM on May 21, 2011


Well, it is a pretty big shock to me to consider that there are any actual products exchanged through spam - but now that I'm reading that - it doesn't surprise me that the drugs are real. The Indian pharmaceutical industry is large and legitimate and buying drugs that way is pretty cheap.
posted by serazin at 6:22 PM on May 21, 2011 [2 favorites]


Definitely real. A while back a tranquiliser-loving but classy flatmate ordered online and she would let us try things like Modafinil. I've never been so focussed in my life. Around hour 36 I felt an angelic presence. And I'm not religious. Order online for some incredible great things which chemistry can do to your body! Ehm, I'd still prefer no spam though.

> just three banks provide the payment servicing for over 95% of the spam-advertised goods in our study.

I'm marvelling at the achievement of this paper and hope these three banks can be made to stop providing service to spammers, for a start. Worthwhile even if the "value" isn't going to go away.
posted by yoHighness at 6:58 PM on May 21, 2011 [2 favorites]


This is a great thread (and an excellent post).
posted by CCBC at 1:54 AM on May 22, 2011


"You follow drugs, you get drug addicts and drug dealers. But you start to follow the money, and you don't know where the fuck it's gonna take you." -Lester Freamon
posted by softlord at 8:22 AM on May 22, 2011 [40 favorites]


A friend who works credit card fraud for an on-line porn company says that chargeback rates in excess of 1% will get your credit card processing cancelled. He also says their big problem is finding banks who will handle their account -- it's in excess of $1 million a month. I don't know if the problem is what their business is or their volume.

These anecdotes suggest two things:

1) spammers do customer service to maintain their credit card processing; and

2) the small number of banks is because of the difficulty of finding a bank that will handle these transactions.

One conclusion is that going after the banks and credit card processors may be a more fruitful process than going after the spammers themselves. Just to totally restate the obvious.
posted by warbaby at 9:14 AM on May 22, 2011


I’m always amazed when someone connected to an FPP pops in to comment. Thank you kaytwo for providing those behind-the-scenes details. That’s fascinating!

Along with the pharmaceuticals appearing to be legitimate, it also seems like the software purchased from the spammers was legitimate too.

"We stored software purchases on a secure hard drive, checked for viruses using Microsoft Security Essentials and Kaspersky Free Trial, and compared against other copies of the same software (including a reference version that we owned).
. . .
Finally, purchased software instances were bit-for-bit identical between sites of the same store brand and distinct across different affiliate programs (we found no malware in any of these images)."

As others have already mentioned, I’m shocked that some spammers appear to be actual businesses (though with horrible advertising strategies) and not simply people out to steal credit card numbers.
posted by Jasper Friendly Bear at 9:44 AM on May 22, 2011


> how to identify what other trace/non-organic compounds are in these pills

I'm also surprised that these businesses actually deliver a real product most of the time. Anyway, to offer a few suggestions, you might start by looking in the United States Pharmacopeia-National Formulary for the monograph on the specific drugs you have. The website requires an account but there's a good chance you can find a physical copy in your university library. There will be a bunch of assays required for QC of each product, and the standards that each batch must meet. There are often limits on impurities as well, but these tend to be very focused (e.g. decomposition products of the active ingredient) and don't include random crap like pesticides or whatever.

There are commercial analytical labs that can do these tests but they are usually quite expensive, partly because you will get a bulletproof FDA-acceptable paper trail. If you're just doing this to satisfy your curiosity, you might be able to find some labs in the Chemistry or Biology Department that could take this on as a student project. The equipment required is usually pretty standard stuff that most biochemistry labs would have.

To test for completely random crap is quite difficult. You need to make some kind of guesses about what kind of crap you're looking for - heavy metals, plasticizers, solvents, etc. Even mass spec, which is pretty broad-spectrum, will only pick up stuff in the right M/Z range. If you can finagle a contact at one of the companies that make the legitimate product, they are the best people to know about likely contaminants.

Lastly, the scuttlebutt I heard a few years ago about counterfeit pharmaceuticals is that a lot of these "third shift" products were pretty good since they were made at the same factories using the same equipment and raw materials as the real thing. (This part was off-the-record, since nobody wanted to admit that sometimes the counterfeits could be OK.) The real problem (totally on the record!) is that sometimes a third-shift batch would get screwed up - usually by containing too little active ingredient - and sold anyway. I didn't hear too much about contaminants, just inconsistent levels of active ingredient. But that's a real problem, make no mistake!

Here's an FDA page on counterfeit pharmaceuticals. If your samples aren't counterfeits, just clearly-labeled generics or knock-offs made under a different brand name, their quality standards might be better. I don't know anything about those, I'm just recounting the gossip about counterfeits.

If you need an undercover biochemist, I'm available.
posted by Quietgal at 12:06 PM on May 22, 2011 [14 favorites]


So to kill all of the spammers, you could just chargeback them out of business?
posted by popechunk at 7:56 PM on May 23, 2011


> We were using a different email address for each transaction (to track order emails as well as any possible subsequent spam), but weren't able to make up a different name or phone number for every one.

So there really is a future for English majors.
posted by storybored at 6:03 AM on May 24, 2011 [1 favorite]


popechunk - in theory, yes. In practice, getting above 1% chargeback rate might be difficult on a voluntary basis because of the volume.

I'm thinking that if every member of the House and Senate got mailed a copy of this, along with a letter explaining the problem and the proposed legislative solution, spam might end up the way on-line gambling and prescriptions by mail did. Not totally gone, but seriously diminished in volume.

If VISA can cut off Wikileaks, how come they continue to enable spam? I'd be interested to hear their lame excuse, just for the entertainment value.
posted by warbaby at 7:15 AM on May 24, 2011 [2 favorites]


Perhaps an interesting study to juxtapose: prescription drug abuse correlates with high-speed internet access.
posted by unsound at 3:01 PM on May 24, 2011

