India recently notched a dubious distinction, beating the U.S. to become the leading spewer of spam email, according to the British Internet security firm Sophos Ltd. Nearly 10% of such emails is now sent from Indian computers, up from 7% in 2010, and many of the spammers don’t even realize they’re doing it.
“This is one record India doesn’t want so much,” said Sanjay Katkar, chief technology officer with Quick Heal, a security firm.
India is virgin territory for spam spewers as the country’s burgeoning economy, improved broadband and rapidly expanding middle class add an estimated 7 million computer users a month, many inexperienced and using pirated software or old operating systems.
These Indians aren’t just potential victims. As a certain percentage of newbies click on questionable email attachments or links to dodgy websites, Internet criminals next door or thousands of miles away take remote control of their systems, turning their machines into what Sophos calls “spam-spewing zombies” and what geeks call a “bot,” short for Web robot.
Ruchika Shishodia, 29, a public relations employee who lives in Gurgaon, outside New Delhi, said she sometimes uses pirated software and often notices her system slowing to a crawl for no obvious reason. She isn’t particularly worried that it might have morphed into a bot, but is irked by a deluge of junk mail, especially those offering penis enlargement services or touting dubious financial offers.
“Only a moron would fall for most of these,” she said. “If I fell for anything, I’d probably go for the ‘Make money while sitting at home’ pitches.”
Ankit Fadia, a “legal hacker” who tests corporate and government networks for weaknesses on a contract basis, estimates that half of the India-generated spam is created in the country by willing spammers, with the rest originating elsewhere and routed through Indian bots. Tracking it back through a string of zombies in various nations is difficult.
“While the spam originates from a location in India, it’s very difficult to find where the actual fingers on the keyboard are,” said Shantanu Ghosh, Symantec’s managing director in India.
A host of companies in India handles “digital marketing” for local and foreign clients, using unsolicited emails to target website and cellphone users. At Brainpulse Technologies’ bare-bones offices outside Delhi, dozens of twenty somethings at cheap wooden desks in dented cubicles design Web pages and mass marketing campaigns for foreign clients. A company selling point: Our unsolicited bulk mail campaigns are well crafted, allowing them to sneak past most email filters.
“If the emails reach your inbox, it’s email marketing; if not, it ends up in your spam folder,” said Vishwajeet Bhattcharya, the company’s senior business development manager. “I don’t know spammers. We work legally.”
Although most spam these days comes from zombie computers in Asia and Latin America, its preferred targets are users in the U.S. and Europe, where incomes are relatively high and credit card use widespread.
Once an Indian computer is corrupted, it may be linked with hundreds, even thousands, of bots in what is known as a “botnet,” controlled by a “bot herder.” Botnets can be exploited directly. Alternately, they can be leased or sold to scammers who use the zombie computers to spew junk mail, which includes relatively benign ads for fake designer bags and Rolex watches, hoaxes, financial scams and identity theft and “phishing” emails that solicit bank or credit card details.
The cost of leasing a network of 100 bots capable of generating 500 to 1,000 emails per minute is about $2,000 a month. Buying a few hundred might cost $1 apiece, the Moscow-based Internet security firm Kaspersky Lab said, noting that a botnet with 100,000 zombie computers sold a few years ago for $36,000.
Although malicious emails account for only 4% to 5% of spam, their numbers are growing exponentially because they’re so profitable.
“Spam is becoming increasingly malicious,” said Graham Cluley, Sophos’ senior technology consultant. “They recognize that the best way to monetize isn’t necessarily by offering fake Viagra or false degrees.”
India’s weak laws and poor enforcement also create fertile ground for spammers, some said. The U.S. and Europe have prosecuted several kingpins, including “spam king” Robert Soloway, who pleaded guilty in 2008 to fraud, spamming and tax evasion charges, but India hasn’t had a single conviction for generating spam. Nor is it even considered a violation under India’s Information Technology Act of 2000.
This week, a major spammer and botnet known as Grum, using “command and control servers” in Russia, Panama, Ukraine and the Netherlands, was taken down by Internet firms and online security companies. By some estimates, Grum generated 18 billion junk and malware emails a day, accounting for anywhere from 15% to 35% of the world’s spam using a worldwide network of up to 120,000 infected computers.
Over time, spam is becoming more targeted, as are other forms of Internet marketing. And many have a cultural component, including solicitations in India tied to cricket matches, Bollywood stars, fake training institutes, matrimonial help and weight loss through ayurvedic techniques, Indian traditional medicine. They’ve also getting more professional, experts said, moving beyond the traditional typo-laden Nigerian scams of yore.
As spam and its spinoffs become increasingly lucrative, the business is being taken over by sophisticated foreign crime syndicates that add it to their portfolio of drugs, prostitution and loan sharking, said Ghosh, with technically ignorant mob bosses hiring the geeks required. Symantec estimates that the profits from online scams are equal to the global illegal drugs trade of two years ago and growing.
When Shishodia sits down with a cup of coffee and her tablet computer to check her email, she finds several emails telling her she’s just won the lottery or offering to find her the perfect husband with the right looks, income and caste profile.
“What a pain to keep getting these,” she said. “I am already married, so getting these is frustrating on a completely different level!”