Mark Wade over at the CA Security Advisor Blog decided to find out what happens when you buy from a spammer.
Our journey begins outside of Washington, DC. I am sitting at my desk, going through my SPAM filtered email, when I see one that catches my eye, “Dreams can cost less repl1ca w4tches from r0lex here”. Sounds interesting I thought, and I could use a new watch. Knowing the harmful effects of opening unsolicited email, I decided to open the email in a controlled virtualized environment.
It seems that the spam most likely originated in a small church in Washington State, probably from a malware-infected computer used by Cheryl Neff, the assistant to the senior pastor. Mark followed the link in the email to a professional-looking, but temporary, website. Using a credit card opened specifically for the experiment, he then purchased a set of earrings for $77 including postage and handling.
Mark followed the money, from websites in China and Korea, through a series of shell companies starting in Las Vegas, and finally ending up in Cyprus where the money was collected. Surprisingly, the earrings may have been shipped from China, but if they were, they got lost in the mail, because the parcel never arrived.
I'm fascinated by the fact that spammers can actually find any buyers at all. Economists will often talk about trust issues. For example, banks tend -- or at least they used to, before the economic rationalists moved in -- to go for big, imposing, expensive buildings, with high ceilings and marble floors and Grecian columns as far as the eye could see. The more risky the industry, the more important to convince people that you are trustworthy by showing commitment. "You can trust us not to take your money and run, because we've invested a lot in this business and we won't be going anywhere for a long time". And yet this seems to go right out the window when it comes to on-line purchases, at least for those who buy from spammers. Most spam websites are active for only a few weeks, before they are closed down and re-opened under a new name. But there seems to be a never-ending stream of buyers.
It's tempting -- oh, so very, very tempting -- to just put it down to pure, unadulterated stupidity. But that's a simplistic answer. Many buyers are hardly stupid: they have good white-collar jobs, educations, can walk and chew gum at the same time.
So what's going on? Is it that buyers are so naive that they can't recognise that they're being scammed? Is spam just the 21st century version of the old con of selling the Brooklyn Bridge to some country bumpkin, still with hayseed in his hair, visiting the big city for the first time?
I think there's more to it than that. For various reasons (advertising, welfare, the legions of pop-psychology books...), we live in a society that encourages a sense of wishful thinking, that wanting something to be real makes it real. Not that Homo sap needs much encouragement to wishful thinking and delusion. Rather than "if it seems too good to be true, it probably is", too many people act as if "if it seems too good to be true, it will be true anyway just because you deserve it".
Add to that the widespread use of credit cards, which encourages people to act as if money didn't matter even when it does, at least until all five of your cards are maxed out. Since you're not really paying for the goods, the credit card is, the risk is minimal -- or so seems to be the perception.
But one thing that doesn't make any sense to me at all is that people can take seriously any advertising written as shoddily as "repl1ca w4tches from r0lex here". This is worse than Greengrocer's Apostrophe; worse than VCR instructions translated into English from Chinese by a Korean. Not only does it look careless and incompetent, it is a deliberate attempt to bypass software that filters out spam. That screams "Deceit!". Why would anyone choose to buy from somebody who as good as says "Hey, I'm lying to you right now"?