Researchers at the University of California, San Diego and Berkeley successfully infiltrated the Storm Worm botnet to measure the conversion rate of spam. They found that a single response for every 12 million spam messages sent was enough for the spammers to reap huge profits.
The infiltration was accomplished by impersonating a component of the network used to relay instructions between the host server and the infected PCs (commonly known as bots or zombies) it controls. This allowed the researchers to place their own URLs in some of the spam sent. These URLs redirected to fake storefronts appearing to offer a variety of pharmaceuticals. The fake stores were fully functional up until the point a customer tried to check out: before they could enter any payment information, the site gave them an error message. The researchers never collected or even saw any personal information.
The researchers discovered that Storm sent out 350 million emails in 26 days, resulting in 28 potential customers. Not surprisingly, almost all of them ordered “male enhancement” drugs. The average sale was roughly $100, which would have given the researchers a tidy $2,700 or so. Based on this they calculated the average daily profit from Storm’s spam campaigns to be between $7,000 and $9,000, which equals roughly $3 million a year.
The study showed that despite all the warnings and spam filters, people are still clicking on links in spam messages, which is quite disturbing, as this is still one of the most popular ways cybercriminals distribute their malware. The study also showed that 10% of people who click on malicious links actually install and run the malware. That one-in-ten rate is the reason Storm produces a whopping 3,000 to 9,000 new bots a day.
November 17th, 2008 at 3:14 pm
[...] to Sue Walsh over at AllSpammedUp: The researchers discovered that Storm sent out 350 million emails in 26 days, resulting in 28 [...]
November 25th, 2008 at 4:57 am
What a fascinating post. It answers a question that has been on my mind for a long time: Does anybody actually read and click on spam?
It’s a fascinating lesson in economics. Normally a 1 in 12,000,000 CTR rate would be impossibly low. Even if each e-mail cost only 1/10 of a cent to send, the cost per click would be $12,000.00. But if you can send out e-mail truly for free, then, in theory, any click through rate will be profitable. And so it is.
I guess this is why spam isn’t going away any time soon.