Consumer demand for cheap prescription drugs sold through spam-advertised Web sites shows no sign of abating, according to a new analysis of bookkeeping records maintained by three of the world’s largest rogue pharmacy operations.
Researchers at the University of California, San Diego, the International Computer Science Institute and George Mason University examined caches of data tracking the day-to-day finances of GlavMed, SpamIt, and Rx-Promotion, shadowy affiliate programs that over a four-year period processed more than $170 million worth of orders from customers seeking cheaper, more accessible and more discretely available drugs. The result is perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day.
Their conclusion? Spam — and all of its attendant ills — will remain a prevalent and pestilent problem because consumer demand for the products most frequently advertised through junk email remains constant.
“The market for spam-advertised drugs is not even close to being saturated,” said Stefan Savage, a lead researcher in the study, due to be presented early next month at the 21st USENIX security conference in Bellevue, Wash. “The number of new customers these programs got each day explains why people spam: Because sending spam to everyone on the planet gets you new customers on an ongoing basis, so it’s not going away.”
The researchers found that repeat customers are critical to making any rogue pharmacy business profitable. Repeat orders constituted 27% and 38% of average program revenue for GlavMed and SpamIt, respectively; for Rx-Promotion, revenue from repeat orders was between 9% and 23% of overall revenue.
“This says a number of things, and one is that a lot of people who bought from these programs were satisfied,” Savage said. “Maybe the drugs they bought had a great placebo effect, but my guess is these are satisfied customers and they came back because of that.”
Whether the placebo effect is something that often applies with the consumption of erectile dysfunction drugs is not covered in this research paper, but ED drugs were by far the largest category of pills ordered by customers of all three pharmacy programs.
One interesting pattern that trickled out of the Rx-Promotion data underscores what made this pharmacy affiliate unique and popular among repeat buyers: A major portion of its revenues was generated through the sale of drugs that have a high potential for abuse and are thus tightly controlled in the United States, including opiates and painkillers like Oxycodone, Hydrocodone, and mental health pills such as Adderall and Ritalin. The researchers noticed that although pills in this class of drugs — known as Schedule II in U.S. drug control parlance — comprised just 14 percent of orders for Rx-Promotion, they accounted for nearly a third of program revenue, with the Schedule II opiates accounting for a quarter of revenue.
“The fact that such drugs are over-represented in repeat orders as well (roughly 50 percent more prevalent in both Rx-Promotion and, for drugs like Soma and Tramadol, in SpamIt) reinforces the hypothesis that abuse may be a substantial driver for this component of demand,” the researchers wrote.
THE PARTNERKA ECONOMY
The study also seeks to explain the revenue model behind these pharmacy affiliate partnerships — often referred to in Russian as “partnerkas.” In a typical partnerka, the program sponsors handle everything from purchasing pill site domains and arranging hosting, to procuring the pills, credit card processing, managing shipment and customer support. The sole role of the affiliates or spammers is to undertake the somewhat riskier job of figuring out ways to drive tons of traffic to the pill sites.
And for this, the affiliates are rewarded handsomely. The researchers observed that affiliate commissions ate up between 30 to 40 percent of revenue for all three programs. Interestingly, the researchers found that while each program employed hundreds of affiliates, most of the affiliates earned next to nothing. Rather, just ten percent of the highest-earning affiliates accounted for 75-90% of total program revenue across the three affiliate programs.
“This is the brilliance of the affiliate program model, because you let every schmuck come in and try to do their thing, and you don’t care whether they succeed because you pay them only on a commission basis,” Savage said. “So all affiliate programs want to get the good affiliates, but the problem is they may not know who’s good ahead of time, so you let lots of people in, but most of the affiliates are just wasting their time.”
As it happens, nearly all of the top earners for SpamIt and Rx-Promotion have already been profiled in previous stories on this blog: They are the affiliates thought to be responsible for running the world’s largest spam botnets, including Cutwail, Rustock, Waledac, Mega-D, Srizbi, and Grum. I hope to have an analysis of the Xarvester botnet author ready soon.
So how much did the affiliate program sponsors themselves make? After paying affiliates (30-40%), suppliers (~7% of gross revenue), for shipping (a loss leader, it turns out, at between 11% and 12%), credit card processing (10%) and a host of other direct and indirect costs, the sponsors made a net profit of about 20% of gross revenue.
“Clearly these affiliate programs are profitable, but they are operating a business enterprise,” the researchers wrote. “Their profit is still only a fraction of the overall revenue.”
As detailed in my Pharma Wars series, the volume of spam worldwide has fallen dramatically since late 2010, when an escalating turf war between the Russian businessmen behind Rx-Promotion and sister programs SpamIt and GlavMed forced these businesses to close up shop. Alert readers will notice that my name also is listed as a co-author to this research paper, although in truth my principal contribution to the project was the donation of the Rx-Promotion, GlavMed and SpamIt databases that had fallen into my lap as a result of the aforementioned turf war. I am currently spending quite a bit of my time working on a book about the epic rise and fall of these rogue pharmacy affiliate operations.
While the overall volume of email that is spam recently fell to historic lows, that ratio been steadily creeping back up since April, according to Symantec. It will be interesting to see if this trend continues as other affiliate programs compete to meet customer demand and lay claim to the market shares once held by the likes of GlavMed, Rx-Promotion and SpamIt.
A copy of the Pharmaleaks paper is available here (PDF).
Tags: 21st USENIX Security Conference, Cutwail, Glavmed, Grum, International Computer Science Institute, Mega-D, partnerka, Pharma Wars, Rustock, Rx-Promotion, Spamit, Srizbi, Stefan Savage, University of California San Diego, waledac, Xarvester