Click Trajectories: End-to-End Analysis of the spam value chain Kirill Levchenko, Andreas Pitsillidis, Neha Chachra, Brandon Enright, Tristan Halvorson, Chris Kanich, He Liu, Damon McCoy, Geoffrey M. Voelker, Stefan Savage Dept. of CSEE University of California, San Diego M. Felegyhazi Budapest University of Technology and Economics Chris Grier Dept. of CSEE University of California, Berkeley Christian Kreibich, Nicholas Weaver, Vern Paxson International Computer Science Institute Berkeley, CA Presented by Xinruo Zhang 04/04/2012

Outline Introduction Implementation Analysis for a particular example Data collection method Contribution Weakness & improvement

Introduction Spam-based advertising to us ◦ Think of it merely as junk that jamming inbox To spammer ◦ Think it is a multi-million business Spam value chain (aka Spam ecosystem) ◦ botnet, domain, name server, web server, hosting or proxy service acquired

Introduction (cont’d) Three categories of spam-advertised products ◦ Illegal pharmaceuticals, replica luxury goods and counterfeit software ◦ Nearly 95% of spam-advertised s contains these three popular products

Implementation How modern spam works? ◦ Advertising, Click Support and Realization Advertising ◦ Includes all activities focused on attracting potential customers to pay attention to what the spammers want to sell ◦ The most evolved part of the spam ecosystem, particularly, the delivery of spam

Implementation Click Support ◦ In this stage, having delivered their advertisement, a spammer entice the receiver into clicking an embedded URL with their best effort. ◦ Redirection sites, Domains, Name servers, Webs servers, and affiliate programs

Implementation Click Support ◦ Redirection sites: redirect to additional URLs. Because some spammers directly advertise a URL embedded in and thus they would encounter various of defensive measures to interfere their activities.

Implementation Click Support ◦ Domain: typically, a spammer may purchase domains directly from a registrar, however, in real life, they frequently purchase from reseller. ◦ Name server: any registered domain in turn have supporting name server infrastructure. Get infrastructure either by themselves or by third party.

Implementation Click Support ◦ Stores and Affiliate programs  Today spammers work as affiliates of an online store, earns a commission  The affiliate program provides all technique and materials  Furthermore, affiliate programs even take responsibility for payment and fulfillment service

Implementation Realization ◦ have brought the customers to an advertised site, the seller realizes the latent value by acquiring the customer’s payment ◦ it contains two processes: Payment service and Fulfillment service

Implementation Payment service ◦ Standard credit card payment  In order to get the most value ◦ Issuing bank  Customer’s bank ◦ Acquiring bank  Merchant’s bank ◦ Card association network  Visa or MasterCard

Implementation Fulfillment ◦ Fulfill an order in return for customer’s payment ◦ Shipping issue  Suppliers will offer direct shipping service so affiliate program can avoid warehousing  Virtual products can be got via internet download

Practical Example

Data Collection Method

Contribution Lack a solid understanding of the spam- based enterprise’s full structure before And most anti-spam interventions focus on only one facet of the overall spam value chain authors present a whole analysis for spam ecosystem with large-scale practical study

Weakness & Improvement lack of legal and ethical concerns ◦ For some issue concerns the ethics of any implicit harm caused by criminal supplier only have one medium – spam ◦ Consider twitter spam, other social network spam