PDF stock spam wreaks havoc

The large-scale PDF-based spam campaign, which started last week, caused a surge in global spam and raised the stock price of the company mentioned, says Sophos.

A large-scale "pump-and-dump" scam has caused a huge spike in spam levels as well as the share price of the company highlighted in the PDF spam campaign, said security vendor Sophos.

The spam campaign has caused a 30 percent surge in the amount of spam caught by its detectors, some 24 hours after it was first detected in Germany last week, the company said in a statement.

"Yesterday, we saw a massive spike in spam coming into our traps," Mark Harris, director of SophosLabs, said in the company's blog on Aug. 8. "Around 4.40pm BST (8.40am PST), a large PDF stock pump-and-dump campaign started which increased the spam seen at [our] customers' gateways by 30 percent."

"The campaign first appeared in our traps in Germany but quickly spread around the globe," Harris said, adding that while " PDF-based spam has been increasing over the past few months", this spam campaign is "unusual [by its] sheer volume".

According to Sophos, the scam aims to "manipulate" the share price of Prime Time Group, a company that sells wireless products to young people. Spam e-mail messages attached with a PDF file were sent to e-mail inboxes worldwide, encouraging its users to purchase the company's shares.

Harris noted in the blog that "the e-mail messages are being sent from compromised home PCs, turned into compromised zombies by hackers".

"Of course there is nothing to suggest that the company in question [has] anything to do with this campaign--it is the sheer size of this campaign [that] makes it noteworthy," Harris said. "To date, the trend has been for smaller campaigns that rapidly evolve and modify themselves to try to get [around] antispam products."

He noted that the campaign was still continuing 15 hours after it started, peaking in volume during the first two hours.

Explaining how the scam would benefit the spammers, the Sophos blog noted that "the spammers have already purchased stock at a cheap price and are trying to artificially inflate its price by encouraging others to purchase more", after which the spammers will then sell off their stock at a profit, which may in turn cause the share price to plummet.

According to Harris, the share price of Prime Time Group has risen by 60 percent since Aug. 3.

"The scale of this stock pump-and-dump spam campaign is like nothing we've seen before, and it looks as though it is working for the cybercriminals behind it," Graham Cluley, senior technology consultant for Sophos, said in a statement. "The share price in this company has rocketed as a result of bogus news being blasted to Internet users worldwide."

"In an attempt to get past antispam products, criminals are now regularly using PDF files to carry their slick enticements for potential investors," Cluley said. "Although a solid antispam defense can protect against this menace, there are plenty of people who still haven't defended their e-mail gateways and are being fooled into making an unwise investment."

On Aug. 10, Sophos noted in an update that the massive spam campaign had mutated slightly. Of the three major mutations, two of them "were to do with characteristics of the MIME message", while the third mutation saw the file name extension changed to FDF (Form Data Format). FDF is an Adobe Form file and is associated with the Adobe Acrobat viewer, the security vendor added.

According to Sophos, pump-and-dump stock campaigns currently accounts for about 25 percent of the world's spam. Earlier this year, the company reported that the U.S. Securities and Exchange Commission (SEC) had suspended trading in 35 companies as they were found to be commonly referenced in pump-and-dump stock e-mail campaigns.

New tricks
On the sharp increase in the use of PDF files to spam and infect e-mail users, Ooi Szu Khiam, senior security consultant at Symantec Singapore, said in an e-mail: "Spammers love playing the cat-and-mouse game by continually looking for new innovative ways to launch spam attacks.

"It's not surprising that spammers are now leveraging PDFs, because they pose similar challenges to ISPs and enterprises as image spam have, such as being hard to decode and twice as large as the overall average message," Ooi added.

According to the security expert, any application with vulnerabilities, not just PDFs can be exploited by hackers, using specially crafted files to embed malware.

Ooi explained: "Files crafted in a specific manner by hackers can use buffer overflows, which is a common attack technique hackers use to inject their own codes into the operating system, in order to compromise a machine."

According to Symantec's latest report, PDF image spam, which emerged in June this year and is on the rise, accounted for between 2 percent and 8 percent of all spam in July. Excel and ZIP files are also "increasingly being used as spam receptacles", Ooi said.

"The extent of spam [e-mail] messages using Excel or ZIP files remains low at this time, but these trends are a good indication of just how committed spammers are to evading antispam filters worldwide," he added.