Financial records of three vendors that sell unauthorized and counterfeit pharmaceuticals over the Internet show, among other things, that they rely on a relatively small number of affiliate advertisers to drive traffic to their sites. An analysis of the records by Networking researchers and their collaborators gives a rare insider’s view of the finances of illicit online activity.

Weekly sales volume of the programs

The study analyzes financial records of GlavMed, SpamIt, and RX-Promotion, which sell erectile dysfunction, male enhancement, and other drugs and which pay third-party affiliates to advertise their Web sites through spam and abusive search engine optimization methods. The records were leaked to journalists, forums, and law-enforcement agencies by the rivaling organizations as part of what Brian Krebs, a network security blogger and a co-author on the paper, calls the Pharma Wars. The records used in the study cover all sales made by GlavMed and SpamIt from 2007 to early 2010, and all sales made by RX-Promotion to U.S. customers during 2010. They covered almost 1.5 million orders totaling $185 million.

The resulting paper is “perhaps the most detailed analysis yet of the business case for the malicious software and spam epidemics that persist to this day,” Krebs wrote on his blog. It’s unusual in that it relies on ground truth data – the actual daily finances of an industry that until now has been shrouded in secrecy. The dataset allowed the researchers to corroborate financial estimates they had made using a variety of empirical measurements published in earlier papers. (See, for example, this paper presented at the USENIX Security Symposium 2011 and this paper presented at the 2011 IEEE Security and Privacy Symposium.)

The paper was presented in August at the USENIX Security Symposium. In addition to Krebs and Networking researchers Christian Kreibich and Nicholas Weaver, its authors include researchers from George Mason University and UC San Diego.

Spam and other illicit advertising form part of what the researchers describe as an underground economy, in which profit is the main motivating factor behind Internet attacks and scourges such as email spam. In recent years, the underground economy has experienced a division of labor, with different tasks performed by different organizations, which get a cut of the sales. In this “affiliate program” model, a sponsor pays third-party affiliates on commission to drive traffic to its Web site. Spam is one major method of doing this. Sponsors also partner with third parties to process payments.

The study found that 10 percent of affiliate advertisers account for more than three-quarters of revenue, and that just three payment service providers are responsible for 84 percent of revenue. The researchers say these may be weak points in the spam economic pipeline, vulnerable to counterattacks.

The analysis revealed some other interesting facts. Even though the number of orders fulfilled by GlavMed and SpamIt dropped beginning in mid-2009, the number of new customers remained steady throughout the period covered by the data, suggesting that the market for online pharmaceuticals is far from saturated.

Repeat customers constituted more than a quarter of GlavMed’s and SpamIt’s revenue. The most popular drugs sold by the two were related to erectile dysfunction, which accounted for 75 and 82 percent, respectively, of their revenue.

RX-Promotion, on the other hand, relied more heavily on sales of controlled drugs that are potentially habit-forming, such as pain medications and opiates. While only 14 percent of orders fell in this category, they represented 32 percent of total revenue. These drugs are generally more closely regulated due to their addictive nature.

The work also found that because of high commissions to advertisers, who receive between 30 and 40 percent of each sale that they facilitate, and other costs, such as those for shipping and processing credit cards, the program operators receive less than 20 percent of sales revenue.

Related Paper: “PharmaLeaks: Understanding the Business of Online Pharmaceutical Affiliate Programs.” D. McCoy, A. Pitsillidis, G. Jordan, N. Weaver, C. Kreibich, B. Krebs, G. M. Voelker, S. Savage, and K. Levchenko. Proceedings of the 21st USENIX Security Symposium, Bellevue, Washington, August 2012. Available online at http://www.icsi.berkeley.edu/icsi/publication_details?n=3314