India tops list of spam e-mail spewers
A few years ago, Ankur Suri saw a friend beaten up by fellow classmates after he e-mailed pornography to female friends - or rather, his computer had.
In desperation, the friend went to authorities, who declined to investigate because they didn't really understand the problem of how his computer had been infected by malicious spam.
"I'd rather go to Google or Facebook than deal with the Indian law," said Suri, 25.
India recently notched a dubious distinction, beating the U.S. to become the leading spewer of spam e-mail, according to the British Internet security firm Sophos Ltd. Nearly 10 percent of such e-mails is now sent from Indian computers, up from 7 percent in 2010, and many of the spammers don't even realize they're doing it.
"This is one record India doesn't want so much," said Sanjay Katkar, chief technology officer with Quick Heal, a security firm.
India is virgin territory for spam spewers as the country's burgeoning economy, improved broadband and rapidly expanding middle class add an estimated 7 million computer users a month, many inexperienced and using pirated software or old operating systems.
These Indians aren't just potential victims. As a certain percentage of newbies click on questionable email attachments or links to dodgy websites, Internet criminals next door or thousands of miles away take remote control of their systems, turning their machines into what Sophos calls "spam-spewing zombies" and what geeks call a "bot," short for Web robot.
Ruchika Shishodia, 29, a public relations employee who lives in Gurgaon, outside New Delhi, said she sometimes uses pirated software and often notices her system slowing to a crawl for no obvious reason. She isn't particularly worried that it might have morphed into a bot, but is irked by a deluge of junk mail, especially those offering penis enlargement services or touting dubious financial offers.
"Only a moron would fall for most of these," she said. "If I fell for anything, I'd probably go for the 'Make money while sitting at home' pitches."
Ankit Fadia, a "legal hacker" who tests corporate and government networks for weaknesses on a contract basis, estimates that half of the India-generated spam is created in the country by willing spammers, with the rest originating elsewhere and routed through Indian bots. Tracking it back through a string of zombies in various nations is difficult.
"While the spam originates from a location in India, it's very difficult to find where the actual fingers on the keyboard are," said Shantanu Ghosh, Symantec's managing director in India.
A host of companies in India handles "digital marketing" for local and foreign clients, using unsolicited e-mails to target website and cellphone users. At Brainpulse Technologies' bare-bones offices outside Delhi, dozens of twentysomethings at cheap wooden desks in dented cubicles design Web pages and mass marketing campaigns for foreign clients. A company selling point: Our unsolicited bulk mail campaigns are well crafted, allowing them to sneak past most e-mail filters.
"If the e-mails reach your inbox, it's e-mail marketing; if not, it ends up in your spam folder," said Vishwajeet Bhattcharya, the company's senior business development manager. "I don't know spammers. We work legally."
Although most spam these days comes from zombie computers in Asia and Latin America, its preferred targets are users in the U.S. and Europe, where incomes are relatively high and credit card use widespread.
Once an Indian computer is corrupted, it may be linked with hundreds, even thousands, of bots in what is known as a "botnet," controlled by a "bot herder." Botnets can be exploited directly. Alternately, they can be leased or sold to scammers who use the zombie computers to spew junk mail, which includes relatively benign ads for fake designer bags and Rolex watches, hoaxes, financial scams and identity theft and "phishing" emails that solicit bank or credit card details.
The cost of leasing a network of 100 bots capable of generating 500 to 1,000 e-mails per minute is about $2,000 a month. Buying a few hundred might cost $1 apiece, the Moscow-based Internet security firm Kaspersky Lab said, noting that a botnet with 100,000 zombie computers sold a few years ago for $36,000.
Although malicious e-mails account for only 4 percent to 5 percent of spam, their numbers are growing exponentially because they're so profitable.
"Spam is becoming increasingly malicious," said Graham Cluley, Sophos' senior technology consultant. "They recognize that the best way to monetize isn't necessarily by offering fake Viagra or false degrees."
India's weak laws and poor enforcement also create fertile ground for spammers, some said. The U.S. and Europe have prosecuted several kingpins, including "spam king" Robert Soloway, who pleaded guilty in 2008 to fraud, spamming and tax evasion charges, but India hasn't had a single conviction for generating spam. Nor is it even considered a violation under India's Information Technology Act of 2000.
This past week, a major spammer and botnet known as Grum, using "command and control servers" in Russia, Panama, Ukraine and the Netherlands, was taken down by Internet firms and online security companies. By some estimates, Grum generated 18 billion junk and malware e-mails a day, accounting for anywhere from 15 percent to 35 percent of the world's spam using a worldwide network of up to 120,000 infected computers.
Over time, spam is becoming more targeted, as are other forms of Internet marketing. And many have a cultural component, including solicitations in India tied to cricket matches, Bollywood stars, fake training institutes, matrimonial help and weight loss through ayurvedic techniques, Indian traditional medicine. They've also been getting more professional, experts said, moving beyond the traditional typo-laden Nigerian scams of yore.
As spam and its spinoffs become increasingly lucrative, the business is being taken over by sophisticated foreign crime syndicates that add it to their portfolio of drugs, prostitution and loan sharking, said Ghosh, with technically ignorant mob bosses hiring the geeks required. Symantec estimates that the profits from online scams are equal to the global illegal drugs trade of two years ago and growing.
When Shishodia sits down with a cup of coffee and her tablet computer to check her e-mail, she finds several e-mails telling her she's just won the lottery or offering to find her the perfect husband with the right looks, income and caste profile.
"What a pain to keep getting these," she said. "I am already married, so getting these is frustrating on a completely different level!"
(c)2012 Los Angeles Times
Distributed by MCT Information Services