We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
79,812 News Articles

Storm Viagra spam generates £1.6m a year

But profit margins are tight for hackers

Spam that's used to peddle drugs such as a Viagra through the Storm botnet is generating as much as £1.6m per year for hackers, according to researchers.

The computer science department of the University of California carried out a study by infiltrating the Storm botnet, a robust peer-to-peer system that commands millions of hacked computers to send spam campaigns.

Researchers modified Storm's command-and-control system to insert their own links in spam messages that lead to websites they created instead of the one's spammers were advertising.

One of the websites advertised pharmaceuticals, and the other mimicked an e-postcard site. E-postcard spam often leads to websites that try to infect PCs with malicious software that causes the machines to send Storm-related spam.

Both sites the researchers created were harmless: The drug site would return an error if someone tried to buy something, and the e-postcards site contained a benign executable. The sites reported attempted purchases and whether the executable ran.

The researchers monitored how many messages reached inboxes and whether the messages lead to a purchase or infected a PC with malware.

Over the course of the spam campaigns, some 469 million emails were sent. Of the 350 million pharmaceutical messages, 10,522 users visited the site, but only 28 people tried to make a purchase, a response rate of .0000081 percent.

"However, a very low conversion rate does not necessarily imply low revenue or profitability," the researchers said.

The average purchase price was $100 (£64). Calculating how much pharmaceutical spam Storm sends out daily, revenue could top $7,000 (£4,500) per day. Per year, revenue would top $2.5m (£1.6m).

"This number could be even higher if spam-advertised pharmacies experience repeat business," they wrote.

Still, sending spam is expensive. It would cost upwards of $25,000 (£16,100) to send 350 million messages, which is too much to likely make a profit on the conversion rate observed.

The researchers said it suggests a business model where those running the Storm botnet are also involved in running the drug websites.

"If true, the hypothesis is heartening," they wrote. "It suggests that the third-party retail market for spam distribution has not grown large or efficient enough to produce competitive pricing."

The upshot is that spammers and Storm network operators may be working on tight margins to make a profit, and their campaigns are "economically susceptible to new defences", the study said.

The response rate to spam luring people to e-postcard sites was higher. The researchers estimated that a Storm self-propagation campaign, which seeks to infect new PCs to maintain the network, could result in 3,500 to 8,500 new bots per day.

See also: Spammers profit from one in every 12.5m people

Visit Security Advisor for the latest internet threat news, FREE net threat email newsletters, and internet security product reviews

Visit Broadband Advisor for the latest internet news, reviews, tips & tricks


IDG UK Sites

Samsung Galaxy Note 4 vs Samsung Galaxy S5 comparison review: Samsung's best ever smartphones...

IDG UK Sites

Nostalgia time: Top 10 best selling mobile phones in history

IDG UK Sites

How Ford designs next-generation cars at its Melbourne Design Centre

IDG UK Sites

Apple 15-inch MacBook Pro with Retina review and the mystery of the processor benchmarks