Monday, September 24, 2007 9:01 AM
cmosby
Symantec Security Response Weblog: Pump-and-dump stock morphs again
Pump-and-dump stock morphs again
Pump-and-dump stock, or penny stock, spam has been around for a long time. Most memorably, it has the distinction of being the main deliverable of image spam. Regardless of the morphing or variations, it is still pump-and-dump stock, and while we're not stock advisors, we would advise against it, unless you like parting with your money.
The most recent morphing we've observed over the past few days includes highly obfuscated messages with a few distinctive features. For starters, none of the message headers in the attack contain a subject line. This means that when the message lands in your inbox, it will show no subject. Spammers may be using this tactic to entice end users to open the message, banking on their curiosity about the mysterious message. There is a subject line in the body of the message. The spammer is most likely doing this for obfuscation purposes.
Other features of this pump-and-dump attack are the inclusion of random, alphabetized email addresses in the body and then an additional set of headers (in the body), followed by the penny stock that is being pumped.
Text Body Sample:
Subject: hx-pn s m i l e s
Date: Tue, 25 Sep 2007 21:10:32 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0040_01C7F9F5.098DA510"
aname@domain.com
abname@domain.com
acname@domain.com
H...X...P...N----p...k....
Yestrday@0.15
Curent@0.17
/0.30@day5
/0.60@day10=20
The text portion of the message displays the penny stock and the current price. The HTML for this attack shows a new twist by inserting the price of the stock symbol in "mailto:" format in a place that would usually be reserved for URLs.
HTML body sample:
<BR>Q*C*P*C-pk<BR>Q~C~P~C <BR></FONT><A=20
href=3D"mailto:Current@0.002/0.01@day5/0.02@day10"><FONT=20
size=3D2>Current@0.002<BR>/0.01@day5</FONT>
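The traits described above can be checked mechanically by a mail filter. The following is an added example, not part of the original post and not Symantec's detection logic: the function name `score`, the trait labels, the thresholds and the sample message (constructed from the excerpts above, with constructed example.com addresses) are all assumptions.

```python
import re
from email import message_from_string, policy

# Constructed sample modeled on the excerpts in the post (not a captured message).
RAW = """\
From: sender@example.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Subject: hx-pn s m i l e s
Date: Tue, 25 Sep 2007 21:10:32 -0700
MIME-Version: 1.0
abel@example.com
abigail@example.com
adam@example.com
Curent@0.17
--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<A=20
href=3D"mailto:Current@0.002/0.01@day5/0.02@day10">Current@0.002</A>
--b1--
"""

HEADER_LINE = re.compile(r"^(Subject|Date|MIME-Version|Content-Type):", re.I | re.M)
ADDRESS_LINE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)*\.[a-z]{2,}$", re.I)
MAILTO = re.compile(r'href="mailto:([^"]*)"', re.I)

def score(raw):
    """Return the set of traits from the post that this message shows."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set()
    if not (msg["Subject"] or "").strip():
        hits.add("no-subject-header")
    for part in (p for p in msg.walk() if p.get_content_maintype() == "text"):
        body = part.get_content()  # decodes quoted-printable for us
        if len(HEADER_LINE.findall(body)) >= 2:
            hits.add("headers-in-body")
        # Lines that are nothing but an address, appearing in sorted order.
        addrs = [l.strip().lower() for l in body.splitlines() if ADDRESS_LINE.match(l.strip())]
        if len(addrs) >= 3 and addrs == sorted(addrs):
            hits.add("alphabetized-addresses")
        # A mailto: target whose "domain" starts with a digit is a price, not a mailbox.
        if any(re.search(r"@\d", t) for t in MAILTO.findall(body)):
            hits.add("price-in-mailto")
    return hits
```

No single trait is conclusive on its own (legitimate mail sometimes lacks a subject), so a filter would normally act on several traits appearing together.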
Posted by Kelly Conley on September 24, 2007 05:00 AM
Source: Symantec Security Response Weblog: Pump-and-dump stock morphs again
Filed under: Spam\Phishing