Commtouch researchers reported the appearance of pump-and-dump spam in Excel files for the first time on July 21. The spam promotes stocks in file attachments with names such as "invoice20202.xls," "stock information-3572.xls" and "requested report.xls."
"Excel is a logical progression from older formats, and the spammers are always looking for something new to bypass anti-spam engines," said Rebecca Steinberg Herson, senior director of marketing for Commtouch, in Sunnyvale, Calif.
"It used to be spelling tricks, and then the anti-spam engines got more sophisticated and caught on; more recently, spammers have tried sending images, but after a while, many anti-spam engines developed the capability to block this method of spam. Then PDF … so the spammers needed a new format to try," she said.
Commtouch officials said they believe the Excel spam is being sent from zombie computers, or machines that have previously been infected by Trojan-type malware. According to Nick Edwards, project manager for Cisco Systems IronPort, based in San Bruno, Calif., the trading volume for the stock promoted by the Excel scammers shot up from fewer than 1,000 shares traded as of the week of July 16 to over 40,000 shares on July 23. This also contributed to driving the price up from about 15 cents per share to 23 cents per share on July 23.
"We definitely see Excel and other attachments as being a growing avenue for spam and viruses," said Willy Leichter, director of product marketing for Tumbleweed Communications, headquartered in Redwood City, Calif. "End users have become so used to sharing files via e-mail and using Outlook as their de facto collaboration tool. But as we've seen before, e-mail wasn't designed around security, and its explosive growth and convenience make it a huge security target."
Malware writers have used Excel as a carrier for viruses in the past, Commtouch officials pointed out. A series of attacks during June and July 2006 exploited vulnerabilities in Microsoft software, including Excel, Microsoft Word and PowerPoint.
Herson said spammers are creative and constantly on the lookout for effective ways to make money from their botnet infrastructure.
"Spammers often first send out a trial balloon in a limited distribution, to see how well the new method works," she said. "If they get a good response rate, then they start sending out bigger waves. So, if we start seeing more extensive use of this format, it indicates that the response rate to this pilot was satisfactory for the spammers."