Visa has begun threatening banks that harbour spammer accounts in a move designed to crush the spam revenue model.
The initiative, described as a “major effort”, had been quietly underway since the start of the year and has already forced the closure of accounts held by major spam players.
Under the model, organisations that spot counterfeit products being sold online by spammers can report the fraud to the International Anti-Counterfeiting Coalition, a task force composed of executives from corporations including Microsoft, Rolex and Apple.
The coalition would then investigate the complaint and refer the matter to Visa, which would then pressure the acquiring bank processing the spam transactions to shutter the accounts.
“Banking resources are drying up left and right,” Stefan Savage, a computer science professor at the University of California and spam expert, said. “Merchant banks just roll over.”
Savage led much of the work in fighting the economic model of spam. He said forcing banks to terminate spammer accounts targets a critical choke point in the spam revenue process and could destroy the current spam model.
“Acquiring banks have shown little effort to remove the accounts that spammers use,” Savage said. “They don’t care.”
Acquiring banks that process credit card transactions for spammers were identified in a study led by Savage last year as the most significant choke point in the spam model.
Savage and a team of computer science researchers spent thousands buying about 120 spam products over a three-month period in order to determine the nature of the spam revenue model.
They identified that three banks based in Denmark, Azerbaijan, and the West Indies were responsible for processing credit cards used in 95 percent of their spam transactions.
Precisely how Visa is threatening acquiring banks is not public, Savage said, but it is stern enough to see delinquent banks comply for the first time.
“It is promising, but it’s early days. People are now taking an approach that makes sense,” Savage said.
He said there were 15 steps required in the spam monetisation model, ranging from the creation of malware which harvests data, to processing victim credit cards.
Each step was critical to the model, but was also cheap and easy to replicate if disrupted. But while malware and web domains can be recreated, the point of transaction was the only step which could not easily be replicated, Savage said.
“We have been fighting this battle for a very long time … [Visa’s] effort is far more expensive (to spammers) and effective than anything else.”