Application security

Email security vendors see PDF spam spike

Email security vendors reported a spike in PDF spam this week that, because of the size of the messages, increased global spam traffic by as much as a third.

Researchers at Commtouch first reported on Wednesday that PDF spam spiked over a 24-hour period, accounting then for 10 to 15 percent of all spam messages.

Because PDF spam messages are as much as four times the size or traditional spam, the spike increased global spam traffic by 30 to 40 percent, according to researchers at the Commtouch Detection Center.

Spammers are quickly turning their attention to PDF spam because it easily bypasses many existing filters, according to the Israeli messaging security firm.

Menashe Eliezer, head of the spam detection lab at Commtouch, told today that his firm has seen different types of PDF spam, including one containing a virus.

"The first PDF attack was about two weeks ago, and right now, as we speak, we are seeing quite a big spike in PDF spam," he said. "The spam that we saw on Wednesday was a PDF that had clear text with a logo, however, the last one had a random image. We also saw an example, where inside the body of an email, you have a link to a virus and an attached PDF is a stock spam."

Researchers from Symantec said earlier this week that they’ve seen a decrease in image spam coinciding with the discovery of two PDF spam techniques used to push penny stocks.

According to researchers at MessageLabs, the spike indicates that some spammers have given up image spam in favor of PDF spam.

The messaging security company also reported that the storm worm, first seen early this year, is generating the PDF messages and performing DDoS attacks.

Matt Sergeant, senior anti-spam technologist at MessageLabs, told today that this week’s PDF spam spike is "the sort of thing that’s been going on in waves. The way the storm botnet works [is that] it gets repurposed depending on the time of the day."

"The type [of PDF spam] the storm botnet is mostly sending out is taking the images seen in the stock scams and putting them into the PDF. What happens with a lot of this stuff is that if you have a specific file type, a lot of companies will be blocking that file outright," he said.

Sergeant said he was unsure how long the PDF spam influx would last.

"I think time will tell, to be honest," he said. "It’s likely to be one of those things that remains for six months to a year and then will be re-evaluated."

"It’s surprising that image spam went on for so long. Obviously it’s something that works for [spammers]," he added. "And if PDF spam continues to work for them, then you’ll see it for a longer period of time."

Click here to email Online Editor Frank Washkuch.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.