PharmaLeaks 4: Spamming Techniques and Payment Service Providers

In his presentation’s final part, Damon McCoy dwells on the spamming strategies used by pharma affiliates, and breaks down the costs online pharmaceutical networks have to bear.

Strategies for Spamming

GlavMed Affiliate Payments History

Now that we’ve looked at some general numbers on affiliates, let’s look at some of the top earning affiliates here. So, on the high end of things, let’s look at some of the schemes that these top earning affiliates use to be successful spammers.

An obvious one to think of is run a large bot network and spread a whole bunch of spam. In fact, the operator of Rustock – we identified him within SpamIt dataset – made close to 2 million dollars by operating Rustock and sending out spam for the GlavMed / SpamIt program. That indeed is a very good way of becoming a successful marketer – to run a large bot network.

Let’s look into another way of doing it – we isolated an affiliate named Scorrp2. Scorrp2 earned about 3 million dollars. However, Scorrp2, from an analysis of the referer headers, appears to have rented out multiple bot networks, and perhaps rented out or perhaps bought code from different botnet writers, and maybe operated his own version of each one of these bot networks, it’s somewhat unclear. But he didn’t operate just one bot network like the Rustock people.

However, if you dig deeper and do a more in-depth analysis, you can see that actually the largest overall earner, of all of our data, was an affiliate named ‘webplanet’. And this affiliate appears to have not used spam emails but in fact used web-based advertising to earn about 4.6 million dollars.

There are some expenses incurred in spamming this much.

So, it is one of these interesting questions that I think of: what is the optimal strategy for spamming? Also, this is gross revenue for the spammers, and unfortunately our leaked dataset doesn’t offer much insight into what are the actual profits of these spammers, because in fact these spammers have a lot of the costs themselves. As we will show you in the case of the affiliate programs, they are not making all this money as pure profit, there are some expenses incurred in spamming this much. But unfortunately the datasets that we have don’t answer these questions.

As you can see, these top earners earned quite a bit of money, and they in fact earned the larger share of each individual sale. However, the affiliate programs, if they are very successful, in fact can earn more by taking a smaller portion of each sale over all of the sales from their affiliate program than the individual affiliates.

Direct and Indirect Costs

Rx-Promotion accounting details

As I said, the affiliate programs operate very much like a business. Here is a spreadsheet from Rx-Promotion that has their fine-grained accounting data (see image). This accounting data actually conforms to international financial accounting records, and as you can see it is extremely detailed. It gives us a very fine-grained look at their profits, their gross revenue, and their costs. So, using this and other transactional data, we can get a very good handle on the cost structure of these affiliate programs.

Structure of the direct costs

So, very quickly let’s go over to the direct costs. These are costs that occur every time that a purchase occurs. As I said before, the affiliates earn the largest portion of each individual sale. Their commissions range from 30% to 45%. If it’s a very successful affiliate they can negotiate larger commission rates, which shows that there is a limited number of these very successful affiliates, and the affiliate programs compete by offering them larger and larger portions of the sale as commissions. In the chat logs we can see the different operators competing for these top affiliates and cutting deals to give them more and more commissions.

Next is the suppliers. The interesting thing here is that shipping actually is the larger cost than the actual cost of the drugs. So, shipping is about 11%-12% of their cost, suppliers – about 6%-7% of their cost, in total it is about 18% of their cost. And then processing – paying to process the VISA cards – is about 10% of their cost. And their gross margin, this is probably a very optimistic estimate of their profits, is about 30%.

Total cost structure for Rx-Promotion

However, as I will show you in the next slide, these are just the direct costs, they also have indirect costs associated with their business. If we look at some of the more fine-grained cost structure of the Rx-Promotion program (see image), we can see that they have direct costs of about 70%, but they also have these indirect costs of about 13% of their revenues.

Indirect costs are things like people’s salaries, there are things like lobbying their governments, marketing. And marketing in this sense means attracting affiliates to be part of their program. A lot of these costs are somewhat fixed. Even though GlavMed was doing a lot more sales than Rx-Promotion, indirect costs seem to be the same across these programs, suggesting that they are somewhat fixed. And again, arguments that they want to have this economy of scale are to try and negate out these indirect costs.

So, all this leaves them with probably a more accurate estimate of about 16% of the profit that they are actually making off this business. And this correlates with the chat logs where the GlavMed / SpamIt operators report about 10%-20% when there are talking with their affiliate about their cost structure.

Payment Service Providers

Payment service providers

So, now that we’ve looked at the cost structure, let’s look at the payment service providers (see image). Quickly on how to read these figures: each one of the abbreviations represents a different payment service provider. Each row represents a different account that they have established with that payment service provider. Sometimes they established multiple accounts to get redundancy – in case one account is shut down they have other accounts to fall back on.

As you can see from this graph, there are very few of these over the course of more than three years of data that we have. The size of each dot represents how much revenue was processed through each one of these accounts. The larger the dot, the more revenue was processed to that account.

So, quickly to point out some events. In that line right there this kind of represents the souring of the relationship with LV. And because of this relationship souring with LV, who they had used to process the majority of their payments, they had to push more of their processing onto LT and GL, which were the two other main payment service providers that they had.

If you look more forward in time, you can see that the relationship completely soured with LV, and soured with LT, and they were left with only a single payment processor GL that they had to use to process all their transactions. And then, if we look forward in time, their relationship with GL sours, and just like in the case with Rx-Promotion when they lost their bank relationships, their revenue sharply declined.

They’re becoming less and less profitable because of disruptions in payment processing services.

Extending further out, we have metadata that shows that they tried to deal with another payment service provider. They agreed to much less favorable terms, they had to pay much more than the 10% typically required. And thus they’re becoming less and less profitable because of these disruptions in their payment processing services, this is becoming more and more of a direct cost to them. According to our study, these three payment service providers accounted for about 84% of all the transactions.

Let me give you an epilogue on where these programs stand currently. About several weeks ago on the GlavMed forum the operator posted a message; I don’t speak very good Russian, luckily one of my co-authors translated this for me. So, just quickly, it says they are having problems with their processing, they can’t accept any new orders and consequently they have to cease operations until they find a new payment service provider that will process their transactions.

A similar thing happened to Rx-Promotion. They had only a single payment service provider, their relationship soured and in fact they are out of business currently.


So, just to conclude, a small number of the advertising affiliates generate most of the revenue. This market is not saturated. The affiliate programs have substantial costs. They have a very thin profit margin. If things go badly their payment service provider squeezes them for more share of the money, which drives them to be less and less profitable. When there are financial disruptions their indirect costs become a larger burden on them and they become unprofitable. And only three payment providers were responsible for a majority of the transactions for GlavMed. So, indeed, this is a fragile part of their business that, once disrupted, costs them a lot of headaches.

