How SPAM appeared — the main booster of cybercrime
Do you like canned food? Or Viagra? You can buy them from us!
Today we want to tell you about spam — how it appeared, how attempts were made to combat it, and how this criminal industry developed. We will also discuss why spam became the driving force behind the development of cybercrime worldwide. And perhaps, without it, the modern world of cybersecurity wouldn't exist. But let's take it step by step!
❯ 1. Telegrams, Canned Goods, and Intrusive Advertising
Where did spam come from? There are two answers to this question because it contains two questions.
The first question concerns the first unsolicited advertising message. On May 31, 1864, a member of the British Parliament received an openly promotional telegram inviting him to visit a dentist at the following address: "Dr. Gabriel, Harley Street, 27, Cavendish Square. Dr. Gabriel's working hours are from 10 to 17." The recipient did not know this doctor and was not interested in his schedule. He was outraged at being disturbed and wrote about it in a newspaper.
Although he hoped that such incidents would not happen again, his actions only amplified the advertising effect for the doctor and indicated to other advertisers that it might be worth repeating this way of attracting attention.
The second question relates to the word "spam" itself. SPAM is an abbreviation that can mean "Shoulder of Pork and Ham" or "SPiced Ham." The exact expansion has never been specified, but it refers to canned meat products that have been sold since 1936 and continue to be sold to this day.
But what do canned goods have to do with this? It's simple: their advertising became so intrusive that the name of this product turned into a generic term.
During World War II, these canned goods were actively used as dry rations for the US Army and distributed by ration cards among the population of allied countries, including Lend-Lease supplies to the USSR. After the war, demand for them dropped significantly, as eating the same thing was not very pleasant. However, a lot of canned goods accumulated in warehouses, and the company that profited from the war invested heavily in their advertising.
The advertising was so aggressive that it appeared everywhere: on posters, billboards, radio, television, magazines, and newspapers. In 1969, the famous comedy group Monty Python mocked this advertising in their legendary sketch "SPAM," in which the word "SPAM" was used 108 times. Since then, any intrusive, unnecessary, and useless advertising has been called that.
By the way, in 2007, the canned goods manufacturer Hormel Foods tried to sue the software company Spam Arrest, which deals with spam (emails!), for using their name. However, the court sided with the anti-spam company, finally establishing the word "SPAM" as a common noun.
❯ 2. Calls and the first electronic spam, which spread from group chats to email
However, in addition to canned spam, people also faced other unpleasant phenomena in the early days of the internet. At that time, as in the pre-internet era, many were annoyed by telemarketing calls. This problem is still relevant today. Nowadays, many calls are made by robots, and usually to mobile phones. In the past, regular call center operators called both home and work phones. Potential customers did not like this, but such practice was and remains effective.
By 2003, the USA had partially solved the problem of unwanted calls by creating the "National Do Not Call Registry". If you added your number to this registry, all legal telemarketing calls to it were prohibited. They also became pointless, but we will get to why later.
What about spam through digital channels?
The first known case occurred in 1978 when Gary Thuerk, a young, aggressive marketing specialist at Digital Equipment Corporation, decided to send commercial advertising to all known email addresses on the west coast of the USA that were connected to an early version of the internet. His message was received by several hundred people, and although not everyone was thrilled with this mailing, it still brought the company about 14 million dollars in sales!
However, the first case of publicly condemned spam in chats occurred in 1994, when two lawyers from Arizona, Laurence Canter and Martha Siegel, tried to push their intermediary services for the US visa lottery in Usenet discussion groups. Their service consisted only of sending documents by mail on behalf of "clients," but they planned to charge hundreds of dollars for it. And these "generous" offers were sent by the scam lawyers to all 6000 discussion groups!
This advertisement caused a really loud negative reaction. Spam recipients called and insulted them, sent useless junk mail to fill the mailbox they needed for work, and newspapers wrote exposé articles. But even in this case, judging by the information from the interviews, the scammers' scheme worked, and they earned about a hundred thousand dollars.
❯ 3. First thoughts on protection
The registry successfully coped with phone spam, but there was no solution for digital channels. It seemed like an obvious idea to create an email registry similar to the call registry. But fortunately, it was not implemented.
The key difference between phone and email spam lies in the costs. Phone calls at that time required paid operators, so each call cost a certain amount. Companies engaged in telemarketing were interested in calling only those who showed interest in purchases. Calling numbers in the registry would not only be unprofitable but would also cause negative reactions from customers. The higher the conversion rate of calls to purchases, the more profitable this type of advertising becomes.
In the case of email spam, the costs are minimal. Even if the conversion rate of emails to purchases is very low, for example, one purchase per 10,000 emails, sending them out by the millions will still be profitable. And having an email address in any registry can even make the situation worse: if the address is in the registry, it means it belongs to a real person. Therefore, spam would be sent to the addresses in such a registry first. This is why an email registry was never created.
❯ 4. Effective Tactic — Counter Spam
In the early 2000s, Blue Security proposed an original and rather radical method of combating spam. Here's how they did it:
Imagine a company sent out promotional emails and is now waiting for responses to process the interested clients and close the deal. What if almost all clients respond? It would seem like a reason for joy. But no.
Blue Security offered its clients special software that would send a complaint in response to any spam message. As a result, spam companies were forced to sift through thousands of automatic responses from the protective software to find the real responses from those genuinely interested in the advertisement. In fact, Blue Security responded to spam with spam!
By 2006, the company had about half a million clients who had installed their anti-spam solution. However, not all information security experts of that time supported such an aggressive tactic. Many noted that innocent companies could suffer due to inevitable false positives. Some pondered the ethics of this approach, while others believed it was the right thing to do.
❯ 5. Underestimating the Enemy and the Beginning of the War
However, by early 2006, the spam industry had become a big business, and Blue Security apparently did not take the enemy seriously. At that time, emails were already being tracked, and thousands of computers around the world were required for effective distribution. It was for the purpose of sending spam that the first botnets and trojans with remote access functions began to be created.
Spam allowed hacking to turn from a hobby into a profitable business. It was an easy way to monetize many hacked devices, and the process became massive.
Who paid for such advertising? Some of the main advertisers were sellers of illegal goods, especially uncertified and counterfeit mass-market goods: "branded" handbags, watches, and uncertified pharmaceuticals. One of the most popular products of that time was Viagra, produced in makeshift laboratories in India at a price hundreds of times lower than the pharmacy price. And even if you needed a prescription drug - please, just pay.
Spam networks were also used for phishing and fraud, but it was the "black pharmacies" that were always at the top, occupying leading positions.
In March 2006, many Blue Security customers received an alarming letter threatening to significantly increase the volume of spam if they did not stop using the product. The sender did not give his name, but many sources claimed that it was a spammer known by the nickname Pharmamaster. Given the nickname, it is not difficult to guess the purpose of his mailings. Many experts also noted that the hacker was Russian-speaking.
How Pharmamaster obtained the company's client data remains unclear. He sent letters to most of the active clients, but not all. There might have been a vulnerability that allowed checking whether an email address belonged to the client base. The company assured its clients that there was no reason to worry and that the hacker's threats were just a bluff.
❯ 6. Collateral Damage
However, Pharmamaster decided to attack not the clients, but the company itself. On May 1, 2006, a DDoS attack was carried out on Blue Security's servers. At that time, such attacks were not new, and the company was not surprised, although sustaining them for a long time was difficult. Blue Security expected the attack to stop by itself in a couple of days, as the attacker might use the botnet for other purposes or simply lose interest.
However, at this very moment, the company made a serious mistake. To be able to respond to their clients, they redirected traffic from their site to their blog hosted on Six Apart. The DDoS attack hit the hosting provider, which had not even been warned about it! As a result, thousands of other clients' sites and blogs on the hosting stopped working. They became "collateral damage," just like in a real war.
Blue Security's blatantly foolish action was widely criticized, and the company was forced to apologize and justify itself, causing serious damage to its reputation. However, Blue Security still believed they could survive this attack. Moreover, they considered the severity of this attack to only demonstrate how effectively their anti-spam protection system works!
❯ 7. Capitulation
Days went by, and the attack on Blue Security continued. Neither side was willing to give in. At this tense moment, professionals stepped in — Prolexic, a company specializing in DDoS attack mitigation. The effectiveness of the attack significantly decreased.
However, on May 16, Pharmamaster struck back. He discovered a vulnerability in the protection method used by Prolexic. This vulnerability made the DDoS attack so effective against the anti-DDoS solution itself that all clients of this protection system suffered! Once again, many companies found themselves among the "collateral damage," and Blue Security could not withstand it.
On May 17, 2006, Blue Security's management announced their decision to leave the battlefield and cease fighting spam. It was a capitulation, and Pharmamaster emerged victorious. The official reason for leaving the anti-spam business was the double "collateral damage" and criticism. Although there were rumors on the internet that the company's management and their families were threatened outside the internet, there was no confirmation of this.
❯ 8. What consequences did the spam phenomenon cause?
Besides the meme about canned food, spam became an integral part of the development of organized cybercrime. Along with carding, it demonstrated the financial benefits of criminal activities on the internet, opening up new opportunities for monetizing hacks and creating botnets.
In the heyday of the spam industry and carding, there was a division of criminals into various specializations. Some were engaged in sending phishing emails and hacking computers, others created and modified malicious software, and still others administered and developed C&C servers for effective botnet management. And, of course, there were those responsible for "black contracts," increasing the efficiency of spam mailings, or withdrawing and laundering funds.
All these criminal business processes later turned into "Spam Nation", described in Brian Krebs' book, and then into the modern RaaS (Ransomware as a Service) scheme. However, this is a completely different, more modern story.
The fact is that such advertising has always been and remains effective! As long as people believe in dubious emails and succumb to tempting offers, the industry will thrive.
Remember that virtual crimes were once considered hooliganism and not taken seriously. And this is what it led to.
P.S. This article may become the first in the "spam cycle", where we will analyze individual personalities, such as the identity of Pharmamaster and modern realities. But this is not certain.