University-based researchers unraveling worldwide spam scams

The National Science Foundation has recently awarded a five-year grant totaling $10 million to three separate universities whose researchers have been trying for years to map out the anatomy of worldwide email spamming scams, and now plan to broaden their research to include worldwide social networking scams.

The three universities that will participate in this ongoing sleuthing effort are George Mason University (where the principal investigator is Damon McCoy, an assistant professor); University of California at San Diego (where the principal investigator is Stefan Savage); and University of California at Berkeley (where the principal investigator is Vern Paxson), according to McCoy, who spoke with Government Security News on Oct. 4.

Through an exhausting effort to trace each and every step in the chain of participants in a wide variety of existing email scams -- some witting participants and others unwitting -- this group of academic researchers has already mapped out the typical scenario in which an unsuspecting consumer is lured into a global email scam. To illustrate this effort, McCoy outlined one such scam, involving a real-world “affiliate program” based in Russia called “Mailien.”

“A lot of these scams are very complicated,” McCoy told GSN. “No one pulls off a scam from soup-to-nuts anymore.” Among the participants in such a scam might be the “Affiliate Program,” which spearheads the overall operation and pays a commission to any of its “Affiliates” that happens to deliver a consumer to the affiliate program’s Website. In the scam described by McCoy, the Affiliate Program called Mailien worked with a particular affiliate which, in turn, controlled a bot network called Grum, which used a Russian domain at .ru. That domain was called medicshopperX.ru, said McCoy.

The domain server for medicshopper.ru was not based in Russia, he added, but was located in China. Internet messages from consumers which reached that server in China were forwarded to a “proxy server” based in Brazil, and then forwarded again (and perhaps again) to additional proxy servers, explained McCoy. Eventually, a consumer based anywhere in the world would reach a server, controlled by Mailien, which sat in Russia.

Assuming the consumer -- some consumer, somewhere on the planet -- decided he wanted to purchase the discount pharmaceuticals being offered, he would whip out his credit card and type in his personal information on Mailien’s Website. That banking data would go through his own personal bank, through Visa’s network (or another credit card company’s network), and then to a merchant bank, which had been selected by Mailien and was obliged to pay Mailien for any credit card purchases.

According to McCoy, the culmination of the earlier research by the three cooperating universities was the conclusion that about 95 percent of all of the bogus email scams they had studied had used only three merchant banks – in Azerbaijan, St. Kitts and Latvia. The resulting publicity about their research (particularly in The New York Times) has led to the Latvian and St. Kitts banks ceasing to participate in these email spamming scams, and the merchant bank in Azerbaijan “seems to be coming around, as well,” said McCoy.

Under the new research effort, which should unfold during the next five years, approximately 30 to 40 professors, researchers and grad students will continue mapping out the anatomy of these bogus operations, McCoy explained. They will attempt to identify additional weak points in these illicit networks, and will put a particular focus on understanding how scams built on social networks, such as Facebook, are similar to and different from those powered by email.

 
