Spammers launch MP3 pump-and-dump campaign

Security experts expect mass mailings of MP3 spam to become more frequent and pose an increasing malware threat to users

Spammers have launched the first mass MP3-attached pump-and-dump spam campaign, which security experts say could be used to distribute malware.

The spam contains no text or subject header while the attached MP3 files, according to security firm Sophos, are named after popular artists such as Elvis Presley, Fergie or Carrie Underwood.

However, rather than the file playing music from the artist when opened, a message is read in a synthesised female voice, promoting the stocks of Exit Only Incorporated. Paul Ducklin, Sophos's head of technology, said the voice sounded like a female version of "Marvin the Paranoid Android", a character from The Hitchhiker's Guide to the Galaxy by Douglas Adams.

If the file is opened, listeners will hear: "Hello, this is an investor alert. Exit Only Incorporated has announced it is ready to launch its new website. Already a huge success in Canada, we are expecting amazing results in the USA."

Ducklin said the spammers had "not quite got it yet" with this iteration of MP3 spam.

"The problem with MP3 spam — as with image files and PDF — is the files tend to be much larger, so there are extra costs associated with carrying it," said Ducklin.

So far, the MP3 file has not been used to distribute Trojans or viruses, but this could change. Ducklin said JPEG and WMF (Windows Media Format) files are regularly exploited to deliver malicious executable files. "There was a time when Windows vulnerabilities allowed files to contain shell code — executable programs — and use buffer flows to enter the system… It's not impossible that vulnerabilities in some MP3 [software] would allow you target it with exploit code," said Ducklin.

However MessageLabs' product marketing manager, Philip Routely, said he would expect, if the MP3 was used to transmit malware, it would actually occur by renaming a file extension to make the recipient believe they are receiving an MP3 file.

"There's nothing to say that the same attacker can't make an [executable file] look like a MP3 file. If the attacker changed the file extension, a recipient could double click on it and, while nothing appears to be happening, it's downloading malware in the background," said Routely.

Kaspersky Labs' director of security outsourcing, Andrey Nikishin, said he expects MP3 mass mailings to increase in the future.