RSS feed of TRACElabs Blog from M86 Security

Top Spam Affiliate Programs

 

September 30, 2009

An interesting paper presented last week at the Virus Bulletin conference gives an insight into spam affiliate programs. In particular, it highlighted the notorious ‘Canadian Pharmacy’ brand as one of the oldest and largest programs around.

Affiliate programs are how most spammers make money. Once they join an affiliate program, spammers are given links or page templates to create their own web pages, and they use spam to drive potential customers to those pages. The spammers make a commission on each sale. Affiliate programs often have several different 'brands' that members can choose to promote. For example, Canadian Pharmacy is just one of the brands created by the GlavMed organization.

For anyone monitoring spam, it is obvious that Canadian Pharmacy is the most widely spammed program. In our last Security Labs report, in July, we mentioned that Canadian Pharmacy accounted for as much as 50 percent of spam. At M86 Security Labs, we have been doing more research into spam affiliate programs over the last few months.

Below is a chart showing the amount of spam received promoting each affiliate program or their brands. The chart data derives from a random sample taken over the last 48 hours. The results are broadly representative of what we typically have been seeing each day over the last several weeks.

As you can see, Canadian Pharmacy, at between 60 and 70 percent, is by far the most spammed program. Many of the top spam botnets, including Bobax, Gheg, Grum, MegaD, Pushdo, Rustock and Xarvester, are currently sending spam with links to Canadian Pharmacy websites.

The IRS Scam category is not an affiliate program but a large campaign of malicious emails sent by the Pushdo botnet. As it is responsible for a rather large portion of spam, we thought it fitting to compare it to existing affiliate programs.

The overwhelming dominance of Canadian Pharmacy suggests that tackling the underlying affiliate programs is one way to hamper spammers’ efforts. However, as we saw last October when the US FTC took action against the SanCash (AKA GenBucks) affiliate program, the botnets were quick to find substitute affiliate programs.

 

 


Last Reviewed: September 30, 2009 by Gavin Neale