Cybersecurity expert cuts off spammers’, scammers’ cash flow

Stefan Savage is a cybersecurity expert and computer science and engineering professor at UC San Diego.
(Photo by Erik Jepsen)

The first thing to consider about cybersecurity is this: It’s all about the money. Just ask Stefan Savage, a cybersecurity expert and computer science and engineering professor at UC San Diego. He says the best defense against computer worms, viruses and malware is to go on the counterattack and make it harder for cybercriminals to collect their ill-gotten gains.

“Ninety-nine percent of what you and I deal with when it comes to computer security is motivated by economics,” Savage said. “Data breaches? It’s all about the money. Spam? It’s all about the money. Malware? It’s all about the money. The problem is we are looking at this as a purely technical problem.”

Making it more difficult for cybercriminals to collect their cash might sound like an obvious solution, but it’s an effective one.

“Focusing on the economics of cybercrime as a way of combating it makes complete sense because all of the other ways are not terribly effective,” said Brian Krebs, an investigative reporter who blogs about data breaches at


A professor in the Computer Science and Engineering Department at UC San Diego’s Jacobs School of Engineering, Savage serves as co-director of the Center for Evidence-based Security Research. The cooperative center is a partnership between UC San Diego and the International Computer Science Institute, an independent computer science research nonprofit in Berkeley. CESR is devoted to analyzing, preventing and fighting computer pathogens.

Wasting their time

Savage’s interest in the economics of cybercrime has grown in part because of the limits he sees with current technology. He points to the nefarious Nigerian prince, with his promises of riches, who sends countless emails daily — most of which go straight into the spam folder. But shutting down the “prince’s” countless email accounts and Internet domains is like playing whack-a-mole.

Savage breaks it down like so: “The Nigerian spam-scams have an advantage in that it’s cheap to send mass email. The labor-intensive part is in convincing those few gullible respondents to part with their financial information.


“A more effective approach would be to develop software that can engage the ‘Nigerian prince,’ keep him busy, do some scam-baiting, occupy his time. It will undermine his hourly wage. It creates a disincentive to engage in this kind of behavior.

“In general, if I can increase the cost involved with a bad guy doing business, they’re going to be less inclined to do business,” Savage said.

Tattling on them

For Savage, fighting cybercrime isn’t just a matter of developing new software but also of simply being clever with existing resources.


Throughout 2011 and 2012, he and a team of researchers posed as buyers of counterfeit goods sold on the Internet and, by tracking the flow of money in these transactions, showed that only a handful of banks were involved in these activities. Working with a Washington, D.C.-based anti-piracy organization called the International Anti-Counterfeiting Coalition (IACC), they helped create a framework whereby brandholders and credit card companies could work together to shut down the counterfeiter’s financial accounts, effectively cutting off their economic lifeblood.

“It really is pretty simple when you think about it,” Savage said. “Credit card companies have a record of these transactions and they will act when someone makes a complaint.”

Securing our (digital) stuff

Savage has long shone a light on the myriad methods hackers use to infiltrate computers. As far back as 1999, his research team discovered fatal weaknesses in the transmission control protocols that carry most Internet traffic and are vital in delivering emails and transferring files.


“Most computer security is about finding out where people made assumptions that were not verified,” Savage said, “and that happens all the time.”

Savage’s work earned him the Special Interest Group on Operating Systems’ Mark Weiser Award in 2013, making him the first UC San Diego professor to win the prestigious prize. The Mark Weiser Award is given to an individual “who has demonstrated creativity and innovation in operating systems research,” according to the group’s website.

“Stefan’s laser-like focus … has helped make a major dent in the profits of multiple cybercrime operations, from pirated software and fake antivirus products to spam-advertised pharmaceuticals,” Krebs said.

David Ogul, Brand Publishing Writer