By Chris Meidinger

The awesome part of DefCon is the opportunity for attackers and defenders to sit down, drink a beer, and talk shop. And so it happened that I ended up face to face with an email fraudster. He sat down next to me, openly soliciting help, looking for malware to hack his competition and steal their data. It was his first time at DefCon so we had a little talk about the number of Feds running around the conference and the danger of over-sharing. In fact, I thought he was a Fed himself for a while, but at some point we both established our bona fides.

It was a really interesting conversation, as we were both able to discuss and ask about things that we had been curious about. I explained some stuff about malware and social engineering, and he opened up about his business model. His $10,000 a month hosting fees were surprisingly high, but what really surprised me was his answer to one of my questions about the business. I asked him what the greatest limiter to his business was, and he said it was “new data” – essentially email lists. This really surprised me, because I would have imagined that in 2014 practically every email address in existence is already on lists that should be trivial for any spammer or fraudster to obtain. He assured me that no, getting more and fresher data was the most critical aspect of his business.

Apparently, the longer accounts are targeted, the lower the hit rates. That may seem obvious, but it just wasn’t intuitive to me that not every email address in the world has been harvested somewhere, landing in lists that have been readily available since the days of Shadowcrew. Apparently this guy is making a living – and not a bad one, as indicated by the rolex I saw, the personal trainer he said he had – with under 100M email addresses in his list.

You learn something every day.