Application security, Incident Response, Malware, Phishing, TDR

Sophos: Scammers dropping PDF spam

Research suggests that spammers didn't find the results they were looking for during recent PDF spam spikes, according to anti-virus vendor Sophos.

The Boston-based firm this week reported a dramatic decrease in the amount of spam emails using PDF attachments to spread junk messages, a technique mostly used to spread pump-and-dump scams.

PDF spam was at an all-time high of 30 percent of all junk email on Aug. 7, during the throws of a campaign designed to manipulate the stock prices of Prime Time Group Inc. shares. That percentage has dropped to near zero, according to Sophos.

Ron O'Brien, senior security analyst at Sophos, told today that the email scams were likely not user-friendly enough to make money.

"I think that people weren't opening them," he said. "If you think about your own email habits, if you were to receive a PDF and your Adobe wasn't up to date, you would get a pop-up with about five different options, and everyone would X out of it."

Sophos researchers added that the use of PDF attachments has a number of disadvantages for spammers.

"PDF spam simply isn't as immediate a way of communicating with your intended audience as an instant glimpse of the marketing message in your email client's preview pane," said U.K.-based Sophos analyst Graham Cluley. "Furthermore, have you tried opening a PDF file? Adobe Acrobat chugs into action, taking a fair while to load before it can show you the contents of the PDF. Consumers pretty quickly learn that it's a waste of time to open every unsolicited PDF they receive, which means the spammer's message doesn't get read, and the cybercriminals don't make any money."

MessageLabs reported earlier this month that one in every five image spam emails captured during July contained a scam PDF document.

Mark Sunner, MessageLabs chief security analyst, said at the time that researchers were noticing a shift from the use of traditional image spam emails — containing a masked image in the email's body — to PDF spam.

Researchers from numerous messaging security vendors have said that image spam is difficult to track because it is often spammed out in waves, resulting in wide fluctuation of image spam percentages.

Sophos analysts said it still may be too soon to write off PDF spam.

"Of course, it's too early to say that this is the last we will see of PDF spam. There could still be more campaigns to come — but its dramatic fall may be a sign that we are witnessing its demise," said Cluley.

Click here to email Online Editor Frank Washkuch Jr.

Click here for the latest SC Magazine Podcast – Aug. 27, 2007: A monster (.com) of a data theft

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.