PDF Spam Continues to Spew

An apparent "pump and dump" scam has generated nearly 500 million spam e-mail messages in the space of six days. According to Ron O'Brien, security researcher at Sophos, an anti-spam vendor, the company has seen a 30 percent increase in spam related to this scam alone. That's pretty remarkable. The

An apparent "pump and dump" scam has generated nearly 500 million spam e-mail messages in the space of six days.

According to Ron O'Brien, security researcher at Sophos, an anti-spam vendor, the company has seen a 30 percent increase in spam related to this scam alone. That's pretty remarkable. The spam in this scam also uses a PDF to sneak past anti-spam filters as I've covered previously. Adam Swidler, a senior manager at message security company Postini, said that one of several Postini systems that filters spam went from 384,000 messages per second to 976,000 message per second. According to Swidler, the attack is "very sophisticated, tightly written, debugged with reporting and performance tools." Swidler sited proprietary concerns about revealing how the Postini system was removing this zero-day PDF spam attack. However, he said that Postini customers were protected from receiving the spam. Doug Bowers, a senior anti-abuse engineer at Symantec, said they observed a spike in PDF-based spam starting at 7:00 a.m. on Tuesday, Aug. 7. Smith was also cagey about how Symantec anti-spam products were stopping the PDF spam except to say that a combination of fuzzy signature matching and sender reputation were being used to quarantine the spam messages. Smith said the spam is "botnet-delivered using techniques to randomize the PDF content. The spammers are doing some interesting things."

Aside from being delivered as a PDF, the format and content of the spam message isn't that unusual. Neither was the target company, Prime Time Group, a small company that trades "over the counter." The first page of the message pumps up Prime Time. The rest of the message appears to be random characters.

Sophos researchers suspect that the nine pages of junk text in the PDF are designed to throw off checksum detection.

O'Brien thinks there is a correlation between this scam and a wave of malware sent out over July 4th, which was also tracked by Sophos. One scenario has the July 4th malware wave laying out the botnet that is now being used to send the scam spam.

After reading the sample spam message captured by Sophos, it's relatively easy to see how investors might be taken in by the spam. From what I could tell from a cursory look at Prime Time's site, the news of store openings in Puerto Rico was true.

It's also true that following the Security and Exchange Commission's advice on how to avoid a "pump and dump" scam would likely help those who might otherwise be taken in by the spam message.

Editor's Note: This blog was updated to include information and comments from a security manager at Postini and an engineer at Symantec.