Lessons From McAfee’s S.P.A.M. Experiment

McAfee’s month-long S.P.A.M. (Spammed Persistently All Month) Experiment has ended, and none of the participants have received their Viagra, real estate deals or millions from a Nigerian bank.

Then again, it’s not like they were expecting to get that stuff.

McAfee (NYSE: MFE) hired 50 participants from 10 countries, including the U.S., by placing ads on Craigslist, to spend one month surfing the Web unprotected. They were given brand new Dell laptops, equipped with only basic McAfee antivirus software, which the participants got to keep as payment for their involvement.

Throughout the 30 days, the 50 guinea pigs wrote of their experiences on a blog, often having a lot of fun in the process. For McAfee it was serious business as it helped the company learn some new patterns of behavior.

When it was over on June 1, the 50 participants had received 104,000 unsolicited messages, which comes out to 70 messages a day each. All of them saw severe degradations in their computers thanks to spyware installations, but it also taught them that spam isn’t just a nuisance, it’s dangerous.

“I really didn’t quite know what spam really was,” said Tracey Mooney, a mother of three from Chicago. “I knew it was annoying, I knew there were a lot of ads for things they were trying to get you to purchase, but I had no idea a lot of it was trying to get your financial information so they could steal your bank account or your money.”

Many of the spam messages received were phishing e-mails trying to get personal information like bank account numbers, social security numbers, usernames and passwords. One new wrinkle: they also want your cell phone.

“One thing we had not anticipated was the amount of spam requesting SMS or mobile numbers as part of the confirmation process,” Dave Marcus, security research and communications manager for McAfee’s Avert Labs, told InternetNews.com. McAfee provided fake phone numbers for the spammers, anticipating some kind of mobile spam, but it has yet to bear fruit.

Probably the biggest surprise for Marcus was foreign language spam. “I could not have said this a year-and-a-half ago. It was still 99 percent English language spam. But now we’re seeing massive amounts of English, French, German and Portuguese. It’s not equal to English but certainly a developing trend.”

Of the 104,000 letters, 23,233 were English language. Second was Brazilian Portuguese with 15,856. Marcus said that’s because Brazil embraced online banking early and it is widely used in that country.

“Brazil is a unique part of the world for cybercrime,” he said. “Brazil sees more password stealing than any other part of the world. Since malware is all about money these days it makes sense that people who do more online banking than anywhere else are going to be a target.”

France and Germany were the two countries that received the most foreign language spam, with 11 percent and 14 percent respectively, but numerically they got the least amount of spam. France received 2,597 letters total and Germany got 2,331 letters.

The spam was relatively clean; only one to four percent had some kind of malicious software payload, like malware, attached, according to Marcus. That’s not surprising because attached malware is more likely to get caught and spammers want their letter to get through.

Erectile dysfunction drugs and Rolex watches

Participants were given credit cards to make purchases, but not surprisingly, none of them received their erectile dysfunction drugs or Rolex watches. One participant put her real address in replies to some of her spam, and found paper junk mail in her mailbox went up.

Mooney said her 17-year-old son participated in the program and got an education as well on what spam does. Being in the experiment “opened the dialogue with the kids on what dangers are out there,” she said. “They got to see firsthand what happens to your computer and what can happen in a worst case scenario.”

McAfee is planning on a second “season” of the S.P.A.M. Experiment some time in the future. Marcus said he’d like to look closer at the mobile side of things, and go further down the road of ordering the products being peddled.

He also wants to make sure they don’t wipe the computers. Participants reported a severe degradation in their computers, but when the experiment was over, McAfee sent them a utility to wipe the computer and reinstall it fresh, something he regrets because the company didn’t have a chance to examine those laptops closely.

The participants’ experiences are still available on a blog, while the final report from McAfee has just been posted.
