Stock spam PDF

June 2007

On 20 June 2007, a new type of stock spam was seen in the wild.

Stock spam campaigns (also known as 'pump-and-dump' scams) are spam campaigns which encourage people to invest in a particular company's stock, in order to quickly inflate its value and enable the spammers to make a fast profit. Stock spam has become more and more popular recently, making use of various techniques such as: plain text, text inside an image, and images with various variations of techniques to prevent optical character recognition (OCR) scanners identifying dubious mails as spam.

The latest trend in this type of spam is to send PDF documents instead of an image. The fraudsters are counting on the fact that no filter in the world is expecting a PDF document to be a spam. In this case the PDF document comes attached to an email with a body containing only junk text which is used to trick spam filters.

Unlike other spam, the purpose of stock spam is not to make the recipient buy a product or service provided by the spammer. Instead, stock spams promote the stock of genuiune companies (usually unbeknown to the companies in question), labelling the messages as 'hot' stock tips. The emails usually take the form of friendly 'advice' on the prospects of a targeted company. This comes along with real price quotes and share buying recommendations. The intended result is for the stock price of the company to increase in value due to recipients of the spam messages buying the stock. Once the stock price has increased sufficiently the fraudsters will sell their shares with profit.

In this particular case the subject line of the email, 'Fw: <name>_report.pdf', even contains the recipient's name, for example: 'Fw: robert_report.pdf'. This spam relies on human curiosity to open a document which at first glance seems to be generated specifically for the user receiving the email. Even though the content of the PDF is in English it specifically targets German readers with expressions like 'we are expecting our German readers to jump on board'.

All documents received so far in our spam traps have been identical - which means that, so far, no randomizations techniques have been used by the spammers. We expect to see this new technique being used more frequently within the next days with slightly different content and various different improved techniques.

We strongly advise computer users never to buy any stocks that have been advertised by using spam techniques.

Sorin Mustaca, Avira

Oliver Auerbach, Avira

Phishing and spam
techniques

Nigerian

Blogspot spam

Meta phishing

Stock spam PDF

Advanced fee fraud or phishing?

The return of the animated spam

Do 'pump and dump' spam campaigns really work?

'Mini' phishing

Pay per click

Broken link

Bye bye OCR?

Poll

Should anti-virus software be free for personal use?

Leave a comment
View 43 comments

VB100 certification

VB's testing team put 24 anti-malware products to the test on the server version of Microsoft's latest iteration of the Windows platform: Windows Server 2008. John Hawes has all the details on which products managed to secure a VB100 award and which need have a little more work to do.
See full results.

Virus Bulletin currently has 144,119 registered users.

Fighting malware and spam

Stock spam PDF

Nigerian

Blogspot spam

Meta phishing

Stock spam PDF

Advanced fee fraud or phishing?

The return of the animated spam

Do 'pump and dump' spam campaigns really work?

'Mini' phishing

Pay per click

Broken link

Bye bye OCR?

See also

Phishing and spam techniques

Resources

Poll

VB100 certification