Pump-and-dump bot war?

Security researchers are seeing signs of gang warfare among pump-and-dump spam scammers.

In one scenario spotted by Websense Security Labs, two separate spam runs were launched earlier this week, attempting to lure targets into buying a penny stock.

It was the usual image spam that included a Web forum component where the stock was also being pumped on financial newsgroups and Web forums.

However, according to Websense, the second spam message -- sent hours after the original -- had a noticeable link embedded at the top. The link pointed to a compromised Web server that was rigged with a downloader from a do-it-yourself malware creation kit called "RootLauncher."

RootLauncher, which is available for sale at underground hacker sites, includes scripts that simplify the task of infecting computers and sending sophisticated spam e-mail.

Websense discovered that the malicious code that gets downloaded and run has the sole purpose of making the target machine inoperable. "[It] does nothing except reboot your machine over and over. Users have to boot into safe mode or off a disk and clean the machine in order to make it work again," the company explained.

This is a clear sign that the second spam run is not affiliated with the first. As Websense speculates, the motive behind disabling the victim's computer might be that a competing spam group wants to prevent the sale of the penny stock after it has been purchased.

It could also mean that a rival bot herder took control of a botnet and modified the e-mail with the added link, all part of a plot to disrupt the scam.
