Bulk discounts for spam
Researchers at antivirus vendor Gdata have investigated the current pricing for shipments of spam by botnet operators. Sending out spam is a lucrative business for criminals, who are now able to offer their clients high-volume spam shipments at low prices.
It apparently costs only 350 euros to send out 20 million advertising e-mails. 5 million e-mail addresses and a do-it-yourself kit can reportedly be had for a mere 140 euros, allowing advertisers to create and dispatch spam themselves. Providers of such services are increasingly offering combined packages: a 10-minute distributed denial of service (DDoS) attack comes free of charge with a spam package, with longer attacks on the servers of competitors starting at around 14 euros (20 US dollars) per hour or around 70 euros (100 US dollars) per day.
E-mail addresses are also dirt cheap. Gdata found that 10 million addresses cost only 100 euros. The most expensive package being offered consists of access credentials for the "World of Warcraft" online game at 6 euros per item. By contrast, a set of credit card data can be had for three euros.
It appears that the Storm worm botnet will be rented out in this manner. In his blog at security firm SecureWorks, Joe Stewart says that new variants of the malware use encrypted communication, which allows the botnet to be segmented into smaller subnetworks. Botnet operators can sell these subnetworks to other spammers, with fast flux DNS and hosting included (see the article Modern Hydra at heise Security).
No end to the spam flood is in sight. Sales are too lucrative for the creators of malware. Gdata reckons that for an estimated 20 hours of work a month, operators of botnets can make 7000 euros from 20 mass e-mails.
- The Changing Storm, Joe Stewart's entry at the SecureWorks blog
- Storm worm botnet with over 1.7 million drones, report by heise Security
- Modern Hydra, article by heise Security