Biggest Pump-and-Dump Scam Ever Spikes Spam 445%

The largest spam scam ever tracked increased the spam count by 445 percent in one day.

The largest spam attack ever tracked wound down Aug. 9 after delivering enough big, fat PDF files to increase total spam size 445 percent in one day, according to Postini, a hosted e-mail filtering company thats been tracking the attack since it started Aug. 7.

Postini tracked a 53 percent jump in spam volume from the day before the attack started to the day it launched, according to Senior Marketing Manger Adam Swidler, in San Carlos, Calif.

Why it stopped is a mystery, but more than likely it wound down because it was a spam run being conducted on a rented bot network, Swidler said. "Presumably … [the] rental time ran out," he said.

How much would renting that botnet have cost? PandaLabs recently released research into the malware market. It suggested one scenario in which a criminal could buy a Trojan for $500, a 1 million-address mailing list for about $100, a $20 encryption program, and a $500 spamming server. The total outlay in this theoretical example would be $1,120. (For PandaLabs screen grabs showing what the market looks like, check out the slideshow.

The attack entails a straightforward pump-and-dump spam scam with no virus payload. Experts at SophosLabs said they had detected around 500 million e-mails with PDFs that recommend buying the stock of Prime Time Group.


Click here to view an eWEEK slideshow on how the gullible get sucked into "scam-spam."

Writing on the Sophos blog Aug. 8, SophosLabs Director Mark Harris noted that the PDF is actually 10 pages long. Toward the end of the file it contains random characters, which Harris suggested might be an attempt to fool simple checksum detection.

Prime Time, the subject of the stock pump, did see its stock rise 60 percent as of Aug. 8. It was up 20 percent as of Aug. 9, compared with its pre-spam scam price.

The stock fluctuation clearly shows that pump-and-dump scams work. "Taking a look at the stock price shows why these campaigns continue," Harris wrote in his posting. "The share price of this particular company has risen by 60 percent since [Aug. 3], so while recipients of this type of spam continue to try and profit on these Tips stock, spam will continue."

Pump-and-dump scams are a numbers game, Swidler said. While there are people who might well believe whatever the spam author tells them as to the value of the stock, there are also plenty of people who know what the spammer is up to and just decide to ride along, buying stock and then hoping to ride the increase and then cash out before the stock gets dumped en masse, he said.


To read more about why we click on spam, click here.

The spammers might be long gone by now, in fact. "The stock was up 20 percent [Aug. 7]," Swidler said. "The spammers might have gotten out when they made 10 percent profit."

Postini is also tracking a prolonged virus attack that started July 16 and is still under way. Ninety-nine percent of the activity can be traced to delivery of the Storm worm.

The Storm worm, aka the Peacomm Trojan, initially wreaked havoc via a massive spam e-mail attack in January, and then in February spawned a variant that used instant-messaging platforms to spread.

During the week of April 9, researchers noted the return of the Storm worm, as more than 2 million spam e-mails arrived carrying the latest variant. The initial wave of spam used recent real or fake news headlines to convince users to execute malicious files, while the later Storm surge used e-mail subject lines claiming "Trojan Detected!" or "Worm Activity Detected!"

Postini has seen about 715 million e-mail messages—or about 30 million daily—carrying the Storm worm since this most recent attack began. Thats about 30 times the amount of Storm e-mail messages tracked prior to this particular attack. Now ongoing is a blended attack: instead of attaching the virus as a payload, the e-mail points to a site thats hosting malware, which then gets downloaded to the victims system.

If youre wondering what the spam scam attack and the Storm attack have in common, its the rise of the botnet thats at the bottom of both, Swidler said.


Read here about the new tool Symantic is using to bat botnets.

"[Botnets are a] big reason, if not the primary reason, why spam is up so dramatically," he said. "Its up 51 percent over the beginning of 2007. Since September 2006, the volume has increased 161 percent."

Specifically, botnets are responsible for both sending out the spam e-mail and for sending the viruses that infect systems and make them easy prey for being recruited as bots into bot networks, he said.

Postini thinks it will get worse, given the upcoming holiday season and the traditional spike in people going online to do their holiday shopping, Swidler said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.