95% of spam sales serviced by just three banks

According to a research paper due to be presented at the IEEE Symposium on Security and Privacy 2011 in California next week - entitled `End-to-End Analysis of the Spam Value Chain,' and attributed to a cluster of universities in the US and Budapest - as an advertising medium, spam ultimately shares the underlying business model of all advertising.

"So long as the revenue driven by spam campaigns exceeds their cost, spam remains a profitable enterprise", says the report, adding that this simple description belies the complexity of the modern spam business.

"While a decade ago spammers might have handled virtually all aspects of the business including email distribution, site design, hosting, payment processing, fulfilment, and customer service, today's spam business involves a range of players and service providers", notes the study.

The banking component of the spam value chain, notes the report, is both the least studied and, the researchers believe, the most critical.

"Without an effective mechanism to transfer consumer payments, it would be difficult to finance the rest of the spam ecosystem. Moreover, there are only two networks - Visa and Mastercard - that have the consumer footprint in Western countries to reach spam' principal customers", says the report.

"Without the thousands of banks, the number who are willing to knowingly process what the industry calls `high-risk' transactions is far smaller", it adds.

The three banks singled out in the report are Azerigazbank in Azerbaijan, DnB NOR of Latvia and the St. Kitts-Nevis-Anguilla National Bank in the Caribbean.

Whilst stopping short of pointing any accusing fingers at the banks, the report suggests that targeting the payment infrastructure - presumably by the authorities - may be the best option to curtail the volumes of spam being generated.

"We note that a... similar action has already occurred in restricting US issuers from settling certain kinds of online gambling transactions", says the report.

What’s Hot on Infosecurity Magazine?