Malicious Spam: The Impact of Prosecuting Spammers on Fraud and Malware Contained in Spam Alex Kigerl, PhD Washington State University

Introduction Spam has grown since its inception, making up 70% of all internet traffic today CAN SPAM Act created in 2004 to regulate spam Prior research of the CAN SPAM Act suggests a deterrent effect of spam rates and some types of compliance However, it is not known the effect of prosecuting spammers on more serious forms of cybercrime contained in spam, such as malware and fraud

Fraud and Malware in Spam Malware in spam – A quarter of URLs in spam link to malware – A quarter of malicious URLs are hosted in U.S. servers – All other countries are just 3% or less – A third of malware victimizations result in financial loss Fraud in spam – Humans are the weakest link – Phishing: Steal credential goods; advance fee fraud: Confidence trick – U.S. is targeted by phishing the most, 60% of worldwide phishing volumes

The CAN SPAM Act CAN SPAM Act passed and went into enforcement in January 1, 2004 Regulates spam, doesn’t criminalize it- – Forbids falsified headers – Requires meaningful subject field – Include valid physical postal address – Provide opt-out mechanism

Evaluations of the CAN SPAM Act Impact of the Act on spam rates – Fines ineffective. Spammers can make good money – Short incarceration periods have emboldening effect – Longer incarceration periods decrease spam rates Impact of the Act on spam compliance – Increases compliance with Act regulations unrelated to header forgery – Increases noncompliance with header forgery – Header forgery might be a precaution against being caught

The Present Study Sample: 5,490,905 spam messages received beween 3/1998 and 11/2013 in honeynet accounts The sample was processed via a software program and coded into 3 variables The variables were then aggregated into monthly time series data of 189 observations (months)

The Spam Sample

DVs: Fraudulent Spam Average probability a message is fraudulent per month Coded via a spam filter using a Naïve Bayes classifier Spam filter trained using a sample of 2,339 fraudulent messages and 1,000 non-fraudulent spam messages to distinguish the 2 categories Cross validated using AUC. AUC =.83

DVs: Malware in Spam Two measures representing the percent of messages distributing malware per month Executable download link – Software extracts URLs from messages and identifies if the URL is a direct download of a file – If the file extension is for an executable file, the message is coded as malicious – e.g. Embedded scripts – Identifies any script tags anywhere in the , of the form – Executable code contained in unsolicited spam is usually malicious

IVs: CAN SPAM Act Activity Code LexisNexis search articles on the CAN SPAM Act on different dimensions CAN SPAM Act enforcement: Number of prosecutions, arrests, convictions, and damages awarded per month Number of articles critical of the CAN SPAM Act Articles attributing spam to individual spammer

CVs: Technological, Economic, and Demographic Predictors Time series data acquired from various sources Technological: Internet users per capita, number of tech jobs, Wilshire Internet Market index Economic: Real disposable personal income per capita, GDP growth rate, unemployment Demographic: Population size, percent Crime: Arrest rates from UCR

Analysis 3 time series regression models Variables selected for each model using AIC backward stepwise elimination starting with 31 variables Final models using time series GLS to control for serial correlation

Results: Malicious Links in Spam MeasureB (Malicious Links) Unemployment rate.072 Count of spammers arrested-.128† Count of trial ongoing articles.165† Count of damages awarded articles-.205* Percent of articles with spammer attribution.13** * <.05, ** <.01, *** <.001, † <.1 Fines appear to be effective in lowering malicious links, contrary to prior research on spam rates Spammer attribution significant, but in a direction opposite of that predicted

Results: Malicious Scripts in Spam MeasureB (Malicious Scripts) Percent internet users-.088† Percent population aged ** Count of CAN SPAM articles-.144* Count of spammer detained articles.067 Percent of articles without spammer attribution.071* * <.05, ** <.01, *** <.001, † <.1 Internet use marginally associated with lower malicious scripts, consistent with prior studies More articles on the CAN SPAM Act predicts decreased malicious scripts

Results: Fraudulent Spam MeasureB (Fraudulent Spam) UCR arrest rate.107*** Percent internet users-.137** Unemployment rate-.116*** Technology jobs-.072*** Population aged * Consumer price index-.06* Count of trial spammer acquitted articles.059 Percent of articles negative about CAN SPAM-.007 Percent of articles without spammer attribution.006 * <.05, ** <.01, *** <.001, † <.1 No measures of deterrence (e.g. CAN SPAM Act) significant. Instead economic predictors highly significant Fraud rates positively correlated with UCR street crime rates Again internet users predicts less crime (spam fraud in this case)

Discussion: Possible Implications of Findings Findings suggest the CAN SPAM Act might have an impact on malware, but not fraud – Spammers in the U.S. may be less likely to rely on fraud and more on malware – Fraud might originate from other countries (Nigeria, Russia) CAN SPAM Act activity consistent in leading to lower malware – No evidence of marginal deterrence, increasing malware due to less serious offenders being deterred Attribution not consistent for malware: Increases links, decreases scripts

Discussion Continued Limitations – Spam sample skewed towards web crawler harvester bot method for collecting lists – Limited measures of malware, many false negatives – Recommend blacklist of malicious URLs or machine learning to identify malware in future research Future research: Investigate the impact of prosecuting malware writers and fraudsters on these measures, rather than just spammers

Questions