While doing some spam research a couple of years ago, we did a series of test purchases from spam e-mails.
We bought pills, software, cigarettes, et cetera. We were a bit surprised that almost all of the orders went through and actually delivered goods. Sure, the Windows CD we got was a poor clone and the Rolex was obviously fake, but at least they sent us something.
We were carefully watching the credit card accounts we created for our tests but we never saw any fraudulent use of them.
The most surprising outcome from this test was that we didn't see more spam to the e-mail addresses we used to order the goods.
Our findings were reinforced today by an excellent new study published by University of California researchers (with an impressive list of authors).
The researchers not only did test purchases from spam, they also tracked down the botnets used to send the e-mails, the hosting systems used to host the spam sites, and the banks that moved the money.
One of the most interesting details in the study is this: almost all spam sales worldwide are handled by just three banks.
The banks? They were:
• DnB NOR (a Norwegian bank)
• St. Kitts-Nevis-Anguilla National Bank (in the Caribbean)
• Azerigazbank (from Azerbaijan)
We have to remember that spam is actually very profitable for the banks and credit card companies that move the money. That might affect how likely they are to actually do something about this.