In general, the payment tier is only an appropriate point of intervention for those activities that are monetized via direct consumer payment. So it is appropriate for things like spam-advertised goods, fake-AV, gambling, porn, etc.... things for which it is hoped that the recipient will provide a credit card number to finance the underlying advertising activity. It is not useful for scams that employ an out-of-band payment scheme (e.g., pump-and-dump) or that are fundamentally focused on theft (e.g., phishing, 519, malware vectors, etc)

You can, but the processors all use standard fraud detection policies that will detect this activity and filter it out unless you do a very good job (from experience, it can be tricky making a purchase if you are not who you say you are... there is a real learning curve here). You'd need valid cards for which you have an associated name and street address that will pass an AVS check, a range of distinct e-mails (and not from public Web mail) and IP addresses. However, with enough work it would be doable... although probably in violation of Federal and State law in the US.

- Stefan

This is correct; while the universe of banks willing to accept high-risk merchants is smaller than the total number of Visa association affiliates it is certainly far larger than three. However, the more important asymmetry here is not in the size of the set, but in the switching time. If a merchant (or their payment processor more likely) starts to route transactions through a new acquiring bank, their identity will be revealed very quickly in any purchase authorization record. By contrast,the time to actually establish that new banking relationship (and get appropriate certificates from Visa, etc) takes days. This is one of those rare cases where the defender is able to respond far more quickly than the attacker.

> In a talk, Stefan claimed to have the ability to remotely drive as well, i.e., steer/accelerate/brake.
I'd be surprised if you're not misremembering... both because we hadn't spoken publicly about concrete remote vulnerabilities before our NAS briefing and because some of this is not true. In particular, steering is not electrically intermediated on most cars (new electric cars aside) and we've never demonstrated acceleration control (engine start/shutdown, yes... acceleration no... although I'd be surprised if it wasn't possible).

As a co-author of this work, I should be clear that we never suggested that we have a perfect spam filter per se, simply a new tool that has the benefit of being orthogonal to existing techniques. For _existing_ botnets, our filters are extremely good, but the paper is also quite clear about the variety of ways that spammers might try to evade the approach.