
MP3 pump-and-dump spam targets inboxes

Crafty spammers launched an overnight wave of pump-and-dump scams, this time delivering junk mail with audio attachments that, when played, encourage recipients to buy a penny stock.

Experts today said the new MP3 spam tactic is creative, but it seems to be a natural progression following runs of image, PDF and Excel junk mail earlier this year.

Anti-spam outfits reported Storm Worm-driven MP3 spam runs of about 10,000 emails per hour, accounting for 7 to 10 percent of all unwanted mail in the past 18 hours.

"It was almost expected in the natural order of spam," Paul Wood, a senior researcher for MessageLabs, told SCMagazineUS.com today. "They're just looking for the next big thing, and they've probably found it."

In most cases, the junk mail arrives without text in the body or subject line, and includes an MP3 attachment that employs social engineering to appear like a trusted file. Depending on the message, the file name might be "bspears," "smashingpumpkins," "weddingsong" or "coolringtone."

In actuality, the files contain a recorded 30-second synthetic voice message from a woman who tries to persuade listeners to purchase stock in Exit Only Inc., which does business as Text4Cars.com.

The Santa Monica, Calif.-based company, whose customers are mostly Canadian, is a thinly traded stock that is listed as EXTO on the Pink Sheets, an over-the-counter electronic trading system. This type of business is commonly used in pump-and-dump scams, where even small volumes can move a stock several percentage points.

Text4Cars.com tries to match car buyers and sellers through text messaging, CEO David Dion told SCMagazineUS.com today. He said he runs a legitimate company and is not trying to get rich quick off a scam.

"Why someone is targeting me, I have no idea," he said. "I wish they'd leave my company alone."

Dion said he was told by computer specialists that the attack originated in St. Petersburg, Russia, but was largely being hosted on U.S. computers that had been compromised by the Storm Worm trojan.

But he said the scam is having little success. As of 2 p.m. EST today, only 100 shares had been traded. Dion said he is confident he can track down the culprits.

"I have the shareholder list," he said. "Obviously, if someone who has a position in my stock and wanted it to go up, that person is going to have to get rid of it eventually. If I find these people, I'm going to take whatever legal action I can take."

Dion's predicament is not uncommon for lightly traded companies, and it often leads to negative publicity. In March, the Securities and Exchange Commission (SEC) halted trading on the shares of 35 companies, a notable action considering the Pink Sheets have historically had little regulatory oversight.

The new MP3 spam run has been able to circumvent filters because most solutions have not been tweaked to block spam using this technique.

"The technology wasn't developed with that in mind," David Vella, director of product management for GFI, told SCMagazineUS.com today. "It was always text spam. It was only this year when we started seeing attachments."

The spammers have varied their file sizes – on average 85 kilobytes – and have randomized the sound quality of the recordings to avoid detection, researchers at Commtouch said. The attachments do not contain any malware.

Organizations are advised to block MP3 attachments.
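An added example, not part of the original article or any vendor's product: one way a mail gateway could apply the advice to block MP3 attachments, identifying them by content as well as by MIME type or extension, and treating the subject-less, body-less pattern described above more strictly. The verdict names, the reject/quarantine policy and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

AUDIO_TYPES = {"audio/mpeg", "audio/mp3", "audio/mpeg3", "audio/x-mpeg-3"}

def looks_like_mp3(data: bytes) -> bool:
    """Content sniff: ID3v2 tag header, or an MPEG audio frame sync (11 set bits)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0

def mp3_attachments(msg):
    """Return names of parts that are MP3 by declared type, extension or content."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # Sniff only non-text parts: a UTF-16 BOM (FF FE) would look like a frame sync.
        sniffed = part.get_content_maintype() != "text" and looks_like_mp3(payload)
        if part.get_content_type() in AUDIO_TYPES or name.endswith(".mp3") or sniffed:
            hits.append(name or "(unnamed)")
    return hits

def verdict(raw: bytes) -> str:
    """Assumed policy: reject the empty-subject/empty-body pattern, quarantine other MP3s."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not mp3_attachments(msg):
        return "deliver"
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    subject = (msg["Subject"] or "").strip()
    return "reject" if not subject and not text else "quarantine"

def build_sample(subject: str, body: str, attach: bool) -> bytes:
    """Constructed test message; addresses and payload bytes are made up."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    if subject:
        m["Subject"] = subject
    if body:
        m.set_content(body)
    if attach:  # extension-less name, so only content sniffing catches it
        m.add_attachment(b"ID3\x03\x00" + b"\x00" * 64, maintype="application",
                         subtype="octet-stream", filename="weddingsong")
    return m.as_bytes()
```

Sniffing the leading bytes matters because a filter keyed only on the `.mp3` extension or the declared MIME type misses an attachment that is renamed or mislabelled.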

As an alternative, organizations can contact their internet service provider and demand they block the spam before it reaches the gateway, Wood said.

In the meantime, Dion said he has contacted the appropriate authorities, including the SEC, and is trying to stay optimistic.

"This doesn't look good for us, but the company still will go on," he said. "The business has gotten a lot of exposure."
