More spammers now selling semi-real stuff
CORRECTION JUNE 16: An alert reader pointed out that we are now among those who have botched the reporting on some of Google's findings about malware. An original version of this post from June 11 said that more than 1% of the first listings link to dangerous pages. In fact, it's more than 1% of all search results. The "I'm Feeling Lucky" button can be hijacked, other researchers say, but that's a separate issue.
We reported this morning on a new study by Cisco Systems' IronPort mail-security unit. (IronPort security researcher Patrick Peterson, at left.) The final version of the paper is now available, although you have to register before you can download it. The document is a deep dive into one of the most effective Trojan horses of all time, known as Storm.
The most interesting part isn't the technology, although that's quite impressive. And certainly other spam operations have by now captured more computers in unwitting homes and offices to turn them into spam-spewing zombies.
What's most interesting is the convincing link between Storm and a thriving real business, albeit one devoted to manufacturing imitations of branded pharmaceuticals. It's not that the Eastern European author or authors of Storm suddenly wanted to go legit. But they realized that the best way to make money from spamming was to have merchant credit card accounts, which means they can't simply rip off all of their customers.
So voila: When you order the drugs, you usually get roughly the right amount of the active ingredient. Though we don't recommend trying that.
Two other tidbits from the report: The bad guys have defeated the CAPTCHA system: the muddled letters and numbers that, in theory, only humans can decipher in order to open e-mail accounts.
And they have also gotten slick enough at search-engine optimization that more than 1 in 100 of the links returned to users in Google search results contained malware. So before you click on Google's "I'm feeling lucky" button, please consider whether you really mean it.
-- Joseph Menn