Stock spam PDF
On 20 June 2007, a new type of stock spam was seen in the wild.
Stock spam campaigns (also known as 'pump-and-dump' scams) are spam campaigns which encourage people to invest in a particular company's stock, in order to quickly inflate its value and enable the spammers to make a fast profit. Stock spam has become more and more popular recently, making use of various techniques such as: plain text, text inside an image, and images with various variations of techniques to prevent optical character recognition (OCR) scanners identifying dubious mails as spam.
The latest trend in this type of spam is to send PDF documents instead of an image. The fraudsters are counting on the fact that no filter in the world is expecting a PDF document to be a spam. In this case the PDF document comes attached to an email with a body containing only junk text which is used to trick spam filters.
Unlike other spam, the purpose of stock spam is not to make the recipient buy a product or service provided by the spammer. Instead, stock spams promote the stock of genuiune companies (usually unbeknown to the companies in question), labelling the messages as 'hot' stock tips. The emails usually take the form of friendly 'advice' on the prospects of a targeted company. This comes along with real price quotes and share buying recommendations. The intended result is for the stock price of the company to increase in value due to recipients of the spam messages buying the stock. Once the stock price has increased sufficiently the fraudsters will sell their shares with profit.
In this particular case the subject line of the email, 'Fw: <name>_report.pdf', even contains the recipient's name, for example: 'Fw: robert_report.pdf'. This spam relies on human curiosity to open a document which at first glance seems to be generated specifically for the user receiving the email. Even though the content of the PDF is in English it specifically targets German readers with expressions like 'we are expecting our German readers to jump on board'.
All documents received so far in our spam traps have been identical - which means that, so far, no randomizations techniques have been used by the spammers. We expect to see this new technique being used more frequently within the next days with slightly different content and various different improved techniques.
We strongly advise computer users never to buy any stocks that have been advertised by using spam techniques.
Sorin Mustaca, Avira
Oliver Auerbach, Avira
Virus Bulletin currently has 230,977 registered users.