Spam spam spam spam

Spammers can turn a profit even if they only get one response from every 12 million emails they send. When you see a ridiculous spam message and think, “who in their right mind would respond to that?”, the answer is almost no one – but it only takes a handful of responses for the spammers to think their campaign was worthwhile.

Last year researchers from UC Berkeley and UC San Diego infiltrated a spam network and took over a portion of the network, diverting the spam sent out by over 75,000 hijacked computers (out of more than a million in the entire spam network). They set up a fake pharmacy web site, similar to the ones operated by the spammers, and sent 350 million spam messages in about a month inviting people to buy drugs online.

They only got 28 responses in a month from people who pushed the button to make a purchase. The researchers are good guys, so they didn’t capture the credit card details or take any money, but they measured how much they would have made, about $2,700.

The interesting part happens if you scale that up to the size of the full spam network, where the same minuscule rate of return would net $9,500/day or about $3.5 million in a year. That’s not a huge amount but it’s probably sufficient to earn a profit after subtracting the cost of developing the code to exploit security holes and hijack computers, and to run servers worldwide to sell Viagra and process credit card payments.

Meanwhile, the researchers saw 10% of recipients clicking on a link to download and install the malware that hijacks computers and turns them into bots sending out those spam messages night and day. Ten percent! The researchers estimate that would allow the spammers to add between 3,500 and 8,500 new hijacked computers every day.

Here’s a Washington Post article about the UC study, and here’s another summary from the BBC.

Meanwhile, security analyst Jesper Johansson wrote a followup to his study of “XP Antivirus,” one of the prevalent bits of malware circulating now. Here are my notes about his study. In this scam, you are led to a web site that puts up a very convincing display about viruses on your computer that need to be cleaned off, with details that make the process look genuine and convincing. Almost any click anywhere on the screen leads you to a request for a credit card payment, and one wrong move will install popup bubbles and screens that insistently take you back to the payment demands. Most variations of this malware are not destructive but I’ve seen it several times and the bubbles are incredibly annoying, making it almost impossible to use your computer until deep surgery is done to remove the offending files. Some variations of this adware can be removed with a reasonable amount of effort, but some come along with the kind of malware that can only be dealt with by reformatting the hard drive. If you pay the fifty bucks, you’ll get some software that claims to have successfully removed the infected files, but the infection was fictitious and the software doesn’t do anything.

Recently a hacker broke into an accounting computer run by one of the scammers responsible for distributing XP Antivirus and posted some internal accounting details online. There’s a lot of money at stake! Believe it or not, the software is distributed through an affiliate program that pays a significant portion of the sale proceeds to affiliates spreading the malware. The most successful affiliate earned $158,00 in a week, and even the small-time affiliates were making hundreds of thousands of dollars a year. Here’s an article about the financial details.

I’ve cleaned up several computers recently with XP Antivirus and other bits of malware. At the risk of being a nag, let me reiterate:

Antivirus software will not always protect you against malware if you click OK at the wrong time!

Don’t click on strange URLs! Follow links with carefree abandon to and from legitimate sites, but don’t click on links that arrive in spam e-mail, instant messages, web forums, or IRC chats, or that start from an untrustworthy web site.

Never, never, never open email attachments unless you know with 100% certainty that the attachment is something you expected and want to receive.

The bad guys are liars. They will say anything to get past your defenses, without conscience or remorse.

Please, be careful out there!