That’s the answer; the question is, what do the bad guys want?
Ultimately, at the end of the day, the spam, the botnets, the phishing emails, the hoax sites: it’s all about getting money, either directly or indirectly, from someone otherwise unwilling to give it up that easily.
Let’s start with spam, since there’s so dang much of it. I don’t have a percentage number, but some spam is legitimate sales material. Obviously, since very few of us really want to buy what’s being offered through emails we didn’t ask for, lots and lots of those emails have to be sent out in order for just one person to buy what they’re selling. There are people around the world whose job it is to figure out ways to get lots and lots of email out without triggering spam filters on their own ISPs. That has become an occupation, but I don’t know how we would name that job. Spam Filter Evasion Trainer? But from those legitimate emails, some people do actually buy those products.
There are some spam emails that are strictly to get you to buy something that isn’t actually being sold and shipped. They want you to give them your credit card number. About the time you figure out you haven’t received the thing you thought you bought, bogus charges start appearing on your credit card.
Some emails aren’t “spam”, but are phishing expeditions. The purpose is to get you to click on a link that looks like someplace you trust, like a bank or credit card company, and provide your login credentials. Here’s where you get to pay attention: When you click that link, if you watch the bottom left corner of your screen, you’ll see strange stuff appear and go away. That appearing-and-going-away thing is normal; what may not be normal is WHAT appears. If you’re genuinely clicking on your bank, your bank’s name should appear. If you’re clicking on Amazon, Amazon.com should appear. Get the picture? If something else appears, and you go ahead and log in anyway, you’ve just given your banking credentials or your Amazon account login to someone who shouldn’t have them, and on their end, they have them stored in a database for future use. Also, you should check out my post on web encryption and security if you haven’t already, because if you want to go to your bank or to Amazon (well, at least to your account information on Amazon), you should look for that padlock and Extended Validation. It is doubtful that a bogus site will have those encryption details; so far I haven’t heard of them having been able to get spoofed.
There are a few different motives behind malware. One is to get you to pay a ransom to get rid of it (see my post on Cryptolocker); another is to set up a botnet to send out spam or feed malware to other computers. Still another is to install keylogger software to capture your login credentials and feed them back to the mothership. Yet a different type is designed to break security on one machine so that others can be accessed (that was the design of the recent Target breach).
There exists an actual marketplace for stolen credit card numbers. NPR’s Planet Money did a podcast that explained it in plain English, and when you see how that works, you can kind of see how the pieces all fit together. Most of the credit cards exchanged on that market come from data breaches, but there are some that come from those emails that look like they have something to sell.
Be aware that unless you know the person at the other end of the email, they want something from you, usually money. Be aware that unless you know exactly what you’re clicking on, you could be inviting a bad guy onto your computer. Be aware that you have ways to know who you’re doing business with. Most of the problems we see dealing with technology could have been prevented if someone would simply have Been Aware.