Dmitry Samosseiko, SophosLabs Canada: The partnerka - What is it, and why should you care?

October 2009 by Dmitry Samosseiko, SophosLabs Canada


Scareware, ‘Canadian Pharmacy’ spam, adult sites, comment spam on forums and blogs – we’ve seen these plaguing our web and email experience over the past few years. What links them together? What makes them grow in volume and complexity? Who is behind them? What business model drives their profits to millions of dollars annually?

The answer is hundreds of well-organized affiliate networks. They’re known as ‘partnerka’ in Russia, where they form a booming business, yet exist in other places as well. Thousands of affiliates, each calling themselves a ‘webmaster’, work day and night to drive as much user traffic to their partners’ stores as possible. The stores sell fake watches, fake anti-virus software, fake pills and fake love – the webmasters get their commission, making thousands of dollars per day.

This presentation will expose their economic model, as well as describe the most popular Russian ‘partnerka’ networks and their relation to spam and malware. It will reveal some ‘insider’ statistics and information, show the tools used for ‘black SEO’ (search engine optimizations), and explain its terminology and techniques.

We’ll also discuss how traditional email spam has evolved into a complex web-based industry, creating new challenges for law enforcement, user education and for security labs.

The first serious book about spam and spammers that I read
was Spam Kings by Brian S. McWilliams (2004). The
‘pioneers’ of the email spam industry pictured in the book, like
the ex-Nazi Davis Wolfgang Hawke, ran it as a small family
business. Relying on nothing more than help from their
relatives, they handled the entire process chain themselves:
harvesting email addresses, authoring message content,
sending bulk email, processing orders, rapidly switching their
Internet service providers and, at a later stage, running from
the FBI or being jailed.

Back in the early years there were a handful of ‘spam kings’
and they didn’t have much to fear. Thanks to The Spamhaus
Project we knew their names, addresses, what cars they drove
and their relative position in the top spammers list.
Since then, many countries have established a variety of anti-spam laws governing the use of email communication and marketing, including the US, Europe, Australia and Canada. The legislation was not expected to eliminate spam and make the spammers extinct, but it did criminalize it, made it a punishable offence and as a result a much riskier endeavour. So, the second generation spammers had to become a more organized and secretive group, forming professional spam outfits or collaborating online, where ‘bot herders’ could find their ‘sponsors’.

But the peak of their evolution was the adoption of affiliate marketing methods in order to distribute responsibility for different spam tasks and to increase the army of ‘advertisers’. Amongst the first spam gangs formed this way was the affiliate network Genbucks/SanCash, founded by the notorious spammer Shane Atkinson. It later ceased to exist but became a ‘role model’ for hundreds of new networks.

The affiliate marketing models work well for products with large profit margins. Generic drugs produced without a licence, pornography, pirated software, casinos, dating sites… the list goes on. These are the topics we commonly see in email and web spam, but not everyone knows that each theme is backed by numerous affiliate organizations with thousands of advertisers. Another fact, known to security industry researchers, is that the majority of the most powerful and controversial affiliate networks are based in Russia.

As an ethnic Russian and a security researcher, I didn’t want to miss an opportunity to look into the not-so-well-hidden world of Russian affiliate partner networks, commonly referred to in slang as partnerka.

But let’s first look at how the whole concept of spamming has changed.

‘WEB IS THE NEW EMAIL’

Over the years anti-spam filters have become a de facto standard for any email service and are now providing efficient protection for almost every inbox. The filters continue to impact spammers’ profits, forcing them to shift to new (yet still aggressive) advertisement techniques.

During the same time period, the emergence of Web 2.0 technologies – the blogosphere, social networks – has changed the way people communicate and find information online. It made the web a very attractive and powerful advertising platform, not only to legitimate businesses but also to those who sell generic drugs and counterfeit luxury items.

This isn’t surprising, given that a person searching for cheap drugs online is a significantly more valuable target to shady online pharmacies than millions of email spam recipients who’ve never asked for it.

Another appeal factor is that web traffic today does not have a similar level of protection on the legal and the technological sides. There are no laws today that could be applied to spam on blogs or forums. And while various web filters do exist, they do not offer the same level of efficiency or adoption as their email counterparts. This is especially true for home users who are the main target.

This explains why topical web traffic is becoming the main focus of affiliate networks of a certain kind. It gives them a safe legal framework to work within and benefits the most from the scalable model that affiliate marketing offers. Unlike email spam, web marketing has a significantly lower barrier to entry for a new member and offers an almost linear dependency between profits and the number of active ‘partners’.

Just as Web 2.0 is about user-generated content, today’s web and email spam (Spam 2.0?) is generated by a massive number of affiliates who direct traffic to a partner site to get their share of the revenue.

This explains why the number 1 position on the Spamhaus Top
10 spammers list, previously held by the notorious Russian spammer Leo Kuvayev, is now taken by the ambiguous ‘Canadian Pharmacy’ group.
It’s important to mention, however, that there are literally hundreds of affiliate networks in Russia and around the world that promote legitimate products in relatively benign ways. The focus of this research is on the sites that push products that are deemed illegal in many jurisdictions and those that endorse unethical or straight-up criminal promotion techniques amongst their member base. But first, let’s look at the taxonomy and common characteristics.

At the top level these shady businesses can be distinguished by the type of product or service they promote and sell. The most popular kinds include:

• Online pharmacies selling generic versions of popular drugs.
• Networks promoting ‘scareware’, a.k.a. ‘rogue anti-virus’ products.
• Counterfeit luxury products such as fake Rolex watches.
• Casinos.
• Adult sites.
• Dating services.
• Affiliate traffic generated via IFRAME insertions.

The majority of networks require an invitation from an existing member in order to join. This is often a good indicator of a business that supports unethical promotion practices. Among the most risky are those that openly allow spam traffic or sell rogue software. These partnerkas are usually closed to the general public (referred to as ‘private’) and require proof of traffic volumes and a certain reputation to be let in. Their websites often reveal nothing but a form to log in.

Another good sign of a dodgy affiliate business is a complete
lack of transparency with respect to business ownership. The
only contact information usually provided is a set of ICQ
numbers. The portal administrators usually go by their
nicknames and never reveal their real names on support
forums. The banner ads that invite people to join the
partnerships are usually placed on forums dedicated to spam,
hacking, black SEO (search engine optimizations) and other
unethical or illegal practices.

All partnerkas are in strong competition with each other.
Allegiance is earned through more generous commission rates,
shorter ‘hold’ periods, support for a wider range of payment
methods (ePass, WebMoney, Fethard Finance, wire transfers),
higher quality promotional material, better support, etc.
Many organize expensive parties for their members, send
generous gifts for holidays, run lotteries where a top producer
wins a luxury car, and the list goes on.
In some cases, the war between different partnerkas turns
ugly, where one portal may get DDoS’ed by a competing
gang.

TRAFFIC GENERATION TECHNIQUES

Affiliate marketing is all about driving quality traffic to your ‘sponsor’. So, how does one go about generating it?

The ‘white hat’ Internet marketing involves running ads on quality websites or blogs which attract visitors by their useful content or functionality. This form of advertisement is rarely the case when we’re talking about Russian pharma- or codec-affiliates.

Crossing the ethical boundary pays well. The most common methods of traffic generation for these sites include various forms of spam, black-hat SEO, malware and combinations of the above.

As noted above, email spam has become less popular amongst affiliates due to the high risk and steep entry barrier. This has been acknowledged by the affiliates themselves on SEO-related forums. But given that we see no shortage in the supply of ‘Canadian Pharmacy’ or ‘fake Rolex’ spam, it’s not going to go away any time soon. It’s just being carried out by a smaller ‘elite’ group of affiliates.

Another example of traffic-generating malware is a variety of so-called DNS Changer trojans that can place promoted sites at the top of web search results. This is achieved by redirecting DNS records for Google.com and other popular search engines to a lookalike site controlled by the affiliate. The replica site will proxy search results from the real one with the necessary modifications made to the search results.

Another example is the TDSS family which loads a variety of fake anti-virus software from partner sites. I suspect that the ‘TDS’ string seen in filenames (i.e. TDSServ.sys) of this malware means nothing more than ‘Traffic Directing System’ – a common term in the SEO world.

When it comes to ‘pharma’, adult or ‘codec’ partnerka, the
techniques most commonly used are known as ‘black-hat
SEO’.

The main difference between white and black SEO is that the
former implies only using the methods approved by search
vendors, like editing content to increase its relevance to
certain search keywords.
Black SEO, on the other hand, relies on techniques like
spamdexing, ‘doorway’ pages and spam messages posted on
blogs and forums.

The most popular is the creation of ‘doorway’ sites. These sites host content specifically created and optimized for a particular topic and search phrases. It would link to a promoted site using a URL containing an affiliate ID. When a search engine indexes a ‘doorway’ with a high density of related keywords it’s likely to increase the page rank of the site referred to by the page, giving it a higher position in search results.

Figure 1: The ‘Canadian Pharmacy’ group now holds the number one position in the Spamhaus Top 10 spammers list.

The common black SEO workflow involves:

1. Mining of Google Trends data for most popular search topics, whether it’s ‘britney spears’ or ‘death of david carradine’.

2. Generating content related to popular search phrases and linking it to a promotional site.

3. Uploading content as a blog or forum post, Wikipedia article or as a site on a ‘throwaway’ domain.

Most of the steps in this process can be automated by various SEO software tools.
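The two traits the paper attributes to a doorway page, a high density of words from one trending search phrase and outbound links that carry an affiliate ID, are also what a defender can score for. The following is an added example, not code from the paper or from any tool it names: a small heuristic classifier that parses a page, measures how much of its visible text belongs to the target phrase and collects links whose query string carries an affiliate-style parameter. The parameter names in AFFILIATE_PARAMS and both sample pages are constructed for illustration; the paper does not report specific parameter names.

```python
"""Heuristic doorway-page scorer (added example, not from the paper).

Scores an HTML page on two signals the paper describes for 'doorway' sites:
  1. keyword density for a trending search phrase, and
  2. outbound links whose query string carries an affiliate-style ID.
Both signals together are needed for a 'suspicious' verdict; either one alone
is common on legitimate pages (affiliate programs exist, news pages repeat
their topic).
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed affiliate-style query parameter names (constructed for this example).
AFFILIATE_PARAMS = {"aid", "affid", "aff_id", "pid", "ref", "partner"}


class _PageText(HTMLParser):
    """Collects visible words and hrefs, skipping <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self.words = []
        self.links = []
        self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.words.extend(re.findall(r"[a-z0-9]+", data.lower()))


def keyword_density(words, phrase):
    """Fraction of visible words that belong to the target search phrase."""
    if not words:
        return 0.0
    terms = set(phrase.lower().split())
    return sum(1 for w in words if w in terms) / len(words)


def affiliate_links(links):
    """Links whose query string names one of the assumed affiliate parameters."""
    return [h for h in links if AFFILIATE_PARAMS & set(parse_qs(urlparse(h).query))]


def score_doorway(html, phrase, density_threshold=0.25):
    """Return density, affiliate links and a verdict requiring both signals."""
    page = _PageText()
    page.feed(html)
    density = keyword_density(page.words, phrase)
    links = affiliate_links(page.links)
    return {
        "density": round(density, 3),
        "affiliate_links": links,
        "suspicious": density >= density_threshold and bool(links),
    }


# Constructed sample pages (not real sites): a keyword-stuffed doorway with an
# affiliate-tagged link, and an ordinary community page that mentions the phrase.
DOORWAY_HTML = """<html><head><title>britney spears news britney spears</title>
<script>var x = 'britney';</script></head>
<body><h1>britney spears</h1>
<p>britney spears britney spears latest britney spears video britney spears</p>
<a href="http://store-example.test/?aid=12345">cheap pills britney spears</a>
</body></html>"""

BENIGN_HTML = """<html><body><p>Our community forum discusses gardening,
cooking and local events. Read the weekly britney spears column too.</p>
<a href="https://example.org/about">About us</a></body></html>"""

if __name__ == "__main__":
    for name, html in (("doorway", DOORWAY_HTML), ("benign", BENIGN_HTML)):
        print(name, score_doorway(html, "britney spears"))
```

The verdict deliberately requires both signals: a fan page repeats its topic without selling anything, and a legitimate affiliate link sits on pages with normal prose, so either signal alone would flood an analyst with false positives. In practice the threshold and parameter list would be tuned against a labelled sample of crawled pages.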

For example, the program ‘John22’ will automatically generate HTML content for dozens of unique and meaningful content pages per second, will link them together, upload them via FTP and notify Google about the new site. The authors claim that even humans have difficulty recognizing that the content was generated automatically and that it’s impossible for a search engine to tell the difference.

Other tools focus on automated parsing of search trend data, generation of unique content from Wikipedia articles and production of complete online forum sites with fictional user communities and conversations.

A special area of black SEO tools are the various spamware
tools for blogs, forums and guestbooks, the most popular of
which are A-Poster and Xrumer. Their functionality is similar
to email spam-sending tools of the recent past, like SendSafe
or DarkMailer.

A-Poster specializes in spamming guestbooks, while Xrumer
works on forums. The latter provides support for automated
forum registrations which often require a valid email address
and a confirmation. The entire process is fully automated and
includes CAPTCHA recognition to generate hundreds of free
email accounts.

ZennoPoster is yet another suite of tools that is able to generate accounts on any webmail site, social networks, blogs, free web-hosting providers, etc. It can send SMS messages, parse search results, place spam on forums and guestbooks and perhaps brew a coffee, though this feature wasn’t advertised. And all this treasure goes for a mere 289 euros.

If this all sounds too complex, the web traffic could simply be bought from a link exchange store and directed to your sponsor. The trick is to choose a partnerka with a high conversion rate to ensure that generated revenue will be greater than the cost of the traffic itself.

Now, let’s look at some of the most prolific affiliate business types.

PHARMA-MASTERS

The online pharmacy is one of the most popular kinds of ‘affiliate promotions’. The oldest and biggest partnerka in the Russian pharma-business is GlavMed, which can be translated as ‘MedHeadquarters’.

This partnerka is open to the public but requires an invitation from another network member. Its main brand is the notorious ‘Canadian Pharmacy’, which is all too familiar to everyone through massive email spam campaigns that seem never to end. This spam is tied to a sister entity of GlavMed, called SpamIt (spamit.com), which is a closed private network of email spam affiliates that has proven hard to infiltrate.

The members of SpamIt are allegedly the group behind the Storm, Waledac and potentially Conficker botnets, responsible for email distribution and fast-flux hosting of the spam websites.

GlavMed, on the other hand, proclaims a strong anti-spam
policy focusing on ‘legal’ SEO traffi c generation. Searching
for GlavMed’s support phone number (+1 (210) 888 9089)
reveals over 120,000 online pharmacy sites selling generic
drugs.

We discovered, however, that the PHP-based e-commerce backend (SE2) available for download from GlavMed’s user area is exactly what powers the ‘Canadian Pharmacy’ sites advertised in spam.

Just like any other partnerka, GlavMed starts with a public portal, the main part of which is the members’ area with statistics on store visits, purchases and commission earned. Many webmasters claim to be addicted to these stats pages, watching intently how the traffic they generate converts to payments.

Every affiliate has an option to download two versions of GlavMed’s e-commerce software to deploy on their own domains or simply to direct traffic to a set list of domains owned by GlavMed. The former provides more flexibility for customization and SEO optimizations.

Each store deployment contains a backdoor interface that allows GlavMed’s order processing system to collect hit statistics and purchase orders.

Another core feature of the main site is the forum where affiliates discuss issues, share ideas and get attentive and high quality support from the partnerka owners.

GlavMed advertises a 40% commission fee on each sale. Assuming the cost of an average purchase is around $200, even a couple of purchases per day become a good source of income.

During our research we came across a log file of purchases
made on ‘Canadian Pharmacy’ websites advertised in email
spam. This data revealed over 20 drug purchases per day per
spam campaign, which can add up to $1,600 paid in
commission fees per day. Correction: there were in fact 200
purchases per day average (not 20), which could lead up to
$16,000 in payments (not $1,600).

While GlavMed is one of the oldest and clearly the most popular pharma businesses, there are legion others. Stimul-cash.com, Rx-partners, Rxcash.biz, Evapharmacy, Rx-Signup.com and DrugRevenue, to name just a few. Most of them focus exclusively on web promotion methods, while a small portion still unofficially support traffic generated through email spam. According to messages posted on relevant forums, GlavMed and Evapharmacy are the most spam-friendly sponsors in the world of ‘pharma’.

CODEC- AND SOFT-PARTNERKA

Over the last two to three years we’ve witnessed an
emergence of a new Internet threat called scareware,
which quickly became one of the most prevalent kinds of
malware.

This threat exploits the increasing fear among users of
computer malware and relies on various social engineering
tricks or software exploits to install a fake security product.
The rogue software is both annoying and hard to get rid of,
unless you’re willing to pay $30–$50 for the fake product or a
similar amount of money to buy real defence. This shouldn’t
be big news to anyone these days, even though some people
still fall victim to it.

What is not common knowledge, though, is that this Internet threat is predominantly driven by Russian partnerka networks. These ‘sponsors’ are often called ‘pay-per-install-’, ‘soft-’ or ‘codec-’ partnerka. The latter is related to the most commonly used social engineering technique that fools people into installing a video codec or a Flash player update to watch video content. The commission paid to affiliates is usually based on the number of ‘loads’ (installations) achieved.

For the soft-partnerka networks, also known as antispyware-partnerka, the revenue sharing is based on actual sales of fake software.

In addition to actual software, each ‘sponsor’ also provides promo material, which is usually a set of HTML designs and scripts that entice users to click and install. The most popular were the different variations of ‘PornTube’ – a youtube.com lookalike offering adult videos for free.

Due to the openly criminal nature of these affiliate groups, the codec-partnerkas do not last very long. Most of them are exclusively private and require affiliates to have a certain reputation in the SEO world before they can be admitted as members. But there are some, like Buckster.ru, that are more relaxed about new registrations.

Buckster advertises itself as a partnerka for ‘garbage’ traffic. Its two core ‘brands’ are WinXdefender and VirusDoctor – both perfect examples of rogue AV software.

Once registered, you can log into an admin interface, showing you the URLs to advertise and your current statistics. As you can see in the screenshot in Figure 5, the author of this paper, though tempted, did not generate any traffic for his financial gain.

Having this sort of access can often expose useful information to a security researcher. The main benefits are the fresh links to promotional sites and the software binary itself. Both could be used to maintain a high level of detection for this threat and can drive development of a broader protection layer. In this particular example, the DNS network hosting the TDS domain (Traffic Direct System) contains a number of other fake AV-related websites that could be blocked as soon as they get registered.

Another very popular – but a bit more private – codec-partnerka is RefreshStats. Despite its efforts to stay private we were able to take a peek at its admin interface. One of the affiliates was careless enough to upload a screenshot of their desktop to one of his ‘PornTube’ sites (Figure 7). The screenshot offers a picture of the admin portal with this affiliate’s earnings and hit statistics ($6,456 for the month of August 2008).

Mac users are not immune to the scareware threat. In fact,
there are ‘codec-partnerka’ dedicated to the sale and
promotion of fake Mac software. One of the recent examples
is Mac-codec.com. At the time of writing this article, the site
is no longer available, but just a few months ago it was
offering $0.43 for each install and offered various promo
materials in the form of MacOS ‘video players’.
Often enough, some interesting information can be obtained
directly from the partnerka home pages, without needing to
register.

For example, yet another scareware vendor, Topsale2.ru, states on its front page that only traffic from the USA, Canada and Australia is being accepted and that the commission rate is up to $25 per sale. Its promo materials include ‘web scanners’ (a dynamic HTML page that deceives users into believing that their PCs have been scanned and that viruses were found), codecs (pages with fake video players that require an ‘update’) and three different variants of EXEs (the actual payload). They do not shy away from saying that one of the executables advertised was made specifically for loading into a botnet.

The site claims the average traffic conversion rate is
$100–$250 per 1K loads, which with $25 commission rate
implies that up to 10 of every 1,000 users infected with a fake
AV threat end up actually paying for it.

To further convince potential affiliates to sign up, the home page links to sample statistics for an average member ($4916 commission paid in 11 days).

Again, we can see how a successful webmaster can make over $180,000 per year on this network alone from traffic averaging 10K visits per day. Assuming that most webmasters direct their traffic to more than one sponsor at a time, it is no surprise that affiliate marketing and black SEO are extremely appealing career paths for a computer savvy person in Eastern Europe.

In 2008 we observed a record number of codec partners’ sites – CodecCash, SmileCash, OXOCash, Go-Go-Cash, IframeVip, Bucks Loads, Ruler-Cash, 3XLCash, SpicyCodec, VIP Codec, K2Cash, VIPSoftCash, Topsale.us, RulerCash, CashPanic, Traffic-Converter.biz and SoftwareProfit, to name just a few. With each maintaining its own set of software and promo material, there is little wonder that the volume of rogue anti-virus applications and codec doorway sites has risen to unprecedented levels in recent years.

The majority of the aforementioned sites appear to have gone away for a variety of reasons. Some of them blame their billing systems which turn accounts down as soon as they recognize that they are related to scareware sales. Others were exposed by Brian Krebs in his Security Fix blog in the Washington Post, and by other security researchers. These articles often initiate a take-down effort similar to what happened to McColo, EstDomains and 3FN.

But there is a new trend emerging. Here is an excerpt from a
blog post made on 6 June 2009 by the CashPanic team:
‘... this business is no longer as attractive as before due to
high costs and risks which no longer get compensated by the
declining profits ...’

We can only hope that this trend is affecting all of the fake
anti-virus vendors and that we will soon witness an end to it.

CONCLUSION

Affiliate web marketing attracts thousands of people motivated by the high earning potential and the flexibility of self-employment. The examples mentioned in this article are merely the tip of the iceberg. The affiliate networks focused on the promotion of illegal products are part of a growing multi-million dollar ‘industry’. Affiliate web marketing also became the main driving force behind the recent explosion in malware, website infections, email spam and general web pollution.

At the same time we see some hopeful signs. Security
researchers are working closely with law enforcement to
orchestrate rogue network take-downs. Billing and hosting
companies are becoming more responsive to abuse reports
and do stop providing support to rogue businesses. The most
dangerous sides of the affiliate business such as scareware are
being forced to close or go underground, which impacts their
operational costs.

All this good news will not completely eliminate unethical and illegal Internet practices, but the effects may reduce the impact to a manageable level.

Figure 9: Topsale’s sample statistics for an average member.

