click trajectories: end-to-end analysis of the spam value chain

Click Trajectories: End-to-Click Trajectories: End-to-End Analysis of the spam End Analysis of the spam value chainvalue chain

Kirill Levchenko , Andreas Pitsillidis , Neha Chachra , Brandon Enright , Tristan Halvorson , Chris Kanich , He Liu , Damon McCoy , Geoffrey M. Voelker , Stefan Savage Dept. of CSEE University of California, San Diego

M. Felegyhazi Budapest University of Technology and Economics

Chris Grier Dept. of CSEE University of California, Berkeley

Christian Kreibich , Nicholas Weaver , Vern Paxson

International Computer Science Institute Berkeley , CA

Presented by Xinruo Zhang 04/04/2012

Outline Outline

IntroductionImplementationAnalysis for a particular exampleData collection methodContributionWeakness & improvement

IntroductionIntroduction

Spam-based advertising to us◦Think of it merely as junk that jamming

inboxTo spammer

◦Think it is a multi-million businessSpam value chain (aka Spam

ecosystem)◦botnet, domain, name server, web

server, hosting or proxy service acquired

Introduction (cont’d)Introduction (cont’d)

Three categories of spam-advertised products◦Illegal pharmaceuticals, replica

luxury goods and counterfeit software

◦Nearly 95% of spam-advertised emails contains these three popular products

ImplementationImplementation

How modern spam works?◦Advertising, Click Support and Realization

Advertising◦Includes all activities focused on attracting

potential customers to pay attention to what the spammers want to sell

◦The most evolved part of the spam ecosystem, particularly, the delivery of email spam

ImplementationImplementation

Click Support◦In this stage, having delivered their

advertisement, a spammer entice the receiver into clicking an embedded URL with their best effort.

◦Redirection sites, Domains, Name servers, Webs servers, and affiliate programs

ImplementationImplementation

Click Support◦Redirection sites: redirect to

additional URLs. Because some spammers directly advertise a URL embedded in email and thus they would encounter various of defensive measures to interfere their activities.

ImplementationImplementation

Click Support◦Domain: typically, a spammer may

purchase domains directly from a registrar, however, in real life, they frequently purchase from reseller.

◦Name server: any registered domain in turn have supporting name server infrastructure. Get infrastructure either by themselves or by third party.

ImplementationImplementation

Click Support◦Stores and Affiliate programs

Today spammers work as affiliates of an online store, earns a commission

The affiliate program provides all technique and materials

Furthermore, affiliate programs even take responsibility for payment and fulfillment service

ImplementationImplementation

Realization◦have brought the customers to an

advertised site, the seller realizes the latent value by acquiring the customer’s payment

◦it contains two processes: Payment service and Fulfillment service

ImplementationImplementation

Payment service◦Standard credit card payment

In order to get the most value ◦Issuing bank

Customer’s bank◦Acquiring bank

Merchant’s bank◦Card association network

Visa or MasterCard

ImplementationImplementation

Fulfillment◦Fulfill an order in return for

customer’s payment◦Shipping issue

Suppliers will offer direct shipping service so affiliate program can avoid warehousing

Virtual products can be got via internet download

Practical ExamplePractical Example

Data Collection MethodData Collection Method

Data Collection MethodData Collection Method

ContributionContribution

Lack a solid understanding of the spam-based enterprise’s full structure before

And most anti-spam interventions focus on only one facet of the overall spam value chain

authors present a whole analysis for spam ecosystem with large-scale practical study

Weakness & ImprovementWeakness & Improvement

lack of legal and ethical concerns◦For some issue concerns the ethics

of any implicit harm caused by criminal supplier

only have one medium – email spam◦Consider twitter spam, other social

network spam