• The Economics of Spam

    Given yesterday's events I thought I'd share a bit of a writeup I did elsewhere on Spam so people can understand it (and to defend against your enemy you have to know it).

    Spam, like all "hacking", falls roughly into two basic categories, criminal profit and digital vandalism. Early on more activity was the latter. This can be just "kids" (aka "script kiddies" in some parlance) showing their prowess, maybe a bit of self promotion, for "pwning the man". More recently it's become more organized, from hacking for political purposes ("hacktivism") to active denial of service attacks by "national interests" (i.e. governments or closely related entities).

    The other side of the coin is economic gain. For other hacking it's easy to see the route to money, but a question often asked is how do people make money from spam?

    At a basic level there are a few fundamental ways people make money from spam:


    • Harvesting valid emails.
      • Valid emails have a dollar value on the malware black markets. By sending spam they can verify the email is valid several ways, and the better the verification the higher the value of the email.
        • It doesn't bounce (lowest)
        • Cookies or "web beacons" (embedded images)
        • Read receipts
        • Replies (higher)
        • Clicking links (highest)

    • Selling stuff
      • Watches, sexual drugs, porn, etc.
      • Ironically many emails appearing to sell stuff are not really selling anything and are in fact one of the other activities.

    • Deliver malware - directly or indirectly ("Spearphishing")
      • Either in the email itself or a malicious website after a link

    • Develop and Test malware
      • Confirm the efficacy of a "zero day" (see below)
      • The street value of a real good zero day can be $1000s or even more for an especially juicy one
      • The plus side of these is the attack is usually harmless. It wants to report success and then clean up - like a burglar that picks your lock, looks around and maybe makes a phone call to confirm success, and then leaves while wiping down for prints and re-locking the door behind him

    • Pump and dump
      • Pushing some small stock. It sounds stupid but early on it worked well. Small issues like penny stocks with low volumes can be greatly influenced by an unexpectedly small bump in activity. Oftentimes the actors drive it both ways. A bunch of emails say sell, crashing the price. The actor picks it up at a discount, then sends emails saying buy, and sells for a profit. Although it turns out, the way psychology and markets work, it often pays better to do it the other way around and make money by "shorting" the issue.
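    A defender-side companion to the email-validation list above (under "Harvesting valid emails"): the parser below, an added example and not part of the original post, scans an HTML message for the artifacts a sender uses to confirm a live address: 1x1 or hidden images ("web beacons") and links or image sources that carry a long per-recipient token. The sample message, the `*.example.test` hostnames and the token heuristic are constructed assumptions for the demonstration; it uses only the Python standard library.

```python
"""Flag web beacons and per-recipient tracking tokens in an HTML email body.

Added example, not code from the original post. Standard library only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed heuristic: a query value of 16+ URL-safe characters looks like a
# per-recipient identifier rather than a human-readable parameter.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_\-]{16,}={0,2}$")


class _Collector(HTMLParser):
    """Collect <img> attribute dicts and <a href> values from the body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _dim(value):
    """Parse '1' or '1px' to an int; anything else (e.g. '100%') is None."""
    try:
        return int(str(value).rstrip("px"))
    except ValueError:
        return None


def _is_tiny(attrs):
    """True when the image is at most 1x1 or styled to be invisible."""
    w, h = _dim(attrs.get("width", "")), _dim(attrs.get("height", ""))
    if w is not None and h is not None and w <= 1 and h <= 1:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return any(marker in style for marker in
               ("display:none", "visibility:hidden", "width:0", "height:0"))


def _has_tracking_token(url):
    """True when any query parameter value matches the token heuristic."""
    query = parse_qs(urlparse(url).query)
    return any(TOKEN_RE.match(v) for values in query.values() for v in values)


def analyze_html_email(html):
    """Return beacon images, tokened links, the hosts involved and a score.

    Score: 2 per beacon image, 1 per tokened link (assumed weighting).
    """
    p = _Collector()
    p.feed(html)
    beacons = [a["src"] for a in p.images
               if _is_tiny(a) or _has_tracking_token(a["src"])]
    tokened_links = [h for h in p.links if _has_tracking_token(h)]
    hosts = {urlparse(u).hostname for u in beacons + tokened_links
             if urlparse(u).hostname}
    return {
        "beacons": beacons,
        "tokened_links": tokened_links,
        "hosts": sorted(hosts),
        "score": 2 * len(beacons) + len(tokened_links),
    }


# Constructed sample message: one tokened "buy" link, one 1x1 beacon with a
# tracking id, one ordinary logo and one plain link.
SAMPLE_HTML = """
<html><body>
<p>Limited offer on luxury watches!</p>
<a href="http://shop.example.test/deal?ref=aGVsbG8gd29ybGQhISEh">Buy now</a>
<img src="http://track.example.test/open.gif?id=7f3a9c21e4b8d6f0a1c2b3d4e5f60718" width="1" height="1">
<img src="http://cdn.example.test/logo.png" width="120" height="40">
<a href="http://shop.example.test/about">About us</a>
</body></html>
"""

if __name__ == "__main__":
    report = analyze_html_email(SAMPLE_HTML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    The point for a mail gateway or client is the same one the list above makes from the sender's side: rendering the beacon or following the tokened link is what tells the sender the address is live, so a client that blocks remote images by default and a filter that scores these artifacts both cut off the cheapest confirmation channels.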


    "Phishing" is a technique to disguise spam. "Spearphishing" is using phishing in a targeted attack to deliver malware onto a user's system. Many of the large compromises start with a spearphishing attack.

    Of these spearphishing is the most dangerous to the end user. These attacks are almost always done with the goal to gain access to network resources and steal data. In the case of criminals it can be financial data or other "PII" (personally identifiable information) useful for engaging in identity theft. In the case of state interests it's often industrial and commercial data - source code, designs, etc. Some of these attacks take years with a specific goal - these are called "APTs" - advanced persistent threats.

    Advanced attacks often use "zero days" - attacks against vulnerabilities that aren't known and have no published defense or patch.

    A short example of a very large compromise:


    • A link in a spearphishing email to a marketing employee at a company called RSA is clicked.
      • That link takes the user to a page that exploits a "zero day" vulnerability to download a file ("drive by download") that implants a trojan onto that user's system

    • Through that trojan agent a series of follow on attacks ultimately steals the source code and "private keys" to the RSA security tokens. These tokens are widely used for "two factor" authentication for VPNs, email and other critical infrastructure.
    • RSA tokens are widely used in the defense contractors and military.
    • Somebody uses the knowledge to gain access to Lockheed-Martin's and other defense contractors' VPNs and web email
    • Further attacks steal or attempt to steal classified weapons designs and code


    This type of attack is not Tony Soprano doing an internet shakedown - it's "state interests" and similar actors.

    As many know, it can be difficult or impossible to fully defend against a focused attack, especially with a large body of code and a large user base. But those types of attacks are done either because of serious passion (a real big axe to grind) or economic gain. So for any smaller operator the things to do, security-wise, are the normal best practices against existing and known threats as well as typical potential threats, plus best practices to isolate and minimize exposure if an attack does succeed. Much like locked doors and good lighting, most defense is about making it hard enough for the bad guys that they move on to the next victim.