How spammers make their money
According to a US Treasury advisor, global cybercrime already in 2004 turned over more money than drug trafficking.
Since then the major global malware epidemic has been putting greater wealth into the hands of criminals than ever
before, and security experts have warned that organised crime syndicates have taken over much of the creation and
exploitation of malware in circulation today. But how do they make their money and how much?
Spammers
Spammers send out millions of messages on behalf of online merchants who want to sell a product. If a spam recipient buys something, the spammer gets a percentage of the sale. For pharmaceuticals the commission can be as high as 50 percent, and research has shown that the response rate can be rather high. A good example is "penis related spam" which has a 5 percent click rate, meaning that 5 percent of the recipients actually open the spam mail and click on the link in the mail.
This means that spammers can make a massive amount of money. In July 2007, a retired spammer told PC World that at the peak of his power he pulled in $10,000 to $15,000 a week sending e-mails that promoted pills, porn and casinos.
Botnet operators
Spam is usually sent from a network of hacker-controlled computers, so-called botnets. Those machines are often consumer PCs infected with malicious software that a hacker can control. Groups of hacker specialize in creating botnets and then make money renting the botnets to spammers by the hour. In known examples, the going rate for botnets has been $300 to $700 per hour.
Botnets are frequently used for so-called denial of service (DoS) attacks where hackers demand money to stop bombarding a specific Web site with requests, making the Web site unavailable to its intended users. In the second half of 2006, an average of 5,213 DoS attacks were recorded per day. The US was the target of most DoS attacks accounting for 52 percent of the worldwide total.
Experts detected more than 6 million distinct bot-infected computers worldwide during the second half of 2006, representing a 29 percent increase from the previous period.
Phishers / Identity thieves
One of the biggest sources of income for cybercriminals is phishing. In the second half of 2006, 166,248 unique phishing mails were detected. That's an average of 904 new phishing mails per day. In April 2007 the Anti-Phishing Working Group detected 55,643 new phishing sites while 11,121 phishing sites were detected in April 2006.
According to experts, 3.5 million Americans were fooled into submitting personal information to phishers in 2006. That is an increase of 84 percent from the year before. According to PC World, the victims were relieved of $2.8 billion.
The Swedish bank Nordea suffered one of the biggest publicly known phishing frauds in history. Over 8 million kronor ($1,200,000) disappeared in three months as a result of a tailor-made attack launched by Russian criminals. Reports indicated that 250 customers had become victims.
Phishers do not necessarily use the information they collect themselves. According to a report released in March 2007, identity thieves are offering a person's credit-card number, date of birth and other sensitive information for as little as $14 over the Internet.
