Spammers started delivering spoken messages on Wednesday night, the newest twist on the ongoing pump-and-dump scam, say several security researchers.
According to analysts, the spam is coming from the individual or gang responsible for the Storm Trojan, and is being sent from a piece of the Storm-built botnet that was recently split off from the core group of compromised computers.
Around 5:30 pm (EDT) on Wednesday, security vendors, including SecureWorks and MessageLabs began noticing a wave of spam using MP3 audio file attachments to dupe recipients into investing in a penny stock. The spam run was still in operation as of noon (EDT) on Thursday, says Paul Wood, an analyst at MessageLabs, with the volume holding steady at about 10,000 messages per hour. "It's been going on now for about 18 hours," says Wood. "That's pretty unusual."
Analysis done by Sophos, another UK-based security company, reported that the spam often lacks subjects or even text in the body of the messages. Instead, the spammers pin their hopes on the MP3 filenames, which purport to be tunes from singers as wildly different as Fergie, Elvis and Carrie Underwood. The MP3s are of poor quality — encoded as 16Kbit/sec audio — and feature a synthesized female voice reading the pump-and-dump pitch.
"Hello, this is an investor alert," the voice says. "Exit Only Incorporated has announced it is ready to launch its new text4cars.com website, already a huge success in Canada; we are expecting amazing results in the USA. Go read the news and [obscured] on EXTO. That symbol again is EXTO. Thank you."
In a classic pump-and-dump, criminals tout shares of one or more lightly traded companies as hot and ready to climb. The fraudsters, however, have already bought shares, and spam their shills to get others to buy in. If enough do, the price goes up, and the scammers sell. The dupes are left holding the bag when the price later plunges.
"They've given the synthesized voice slightly different parameters so it speaks faster or slower to make the file sizes different," says Joe Stewart, senior security researcher at SecureWorks. "Sometimes when it gets to the end of the talk, it repeats part of it to try to make it harder for filters to catch."
Both Wood and Stewart said that the spam is the first to actually use audio. Although other campaigns have included attachments that posed as MP3s, they were actually image files, Wood says. But whether the spoken word is as effective as text in convincing people to buy dubious stocks remains to be seen. "I wouldn't think it would [be], but we'll have to wait to see if the stock actually goes up," says Stewart.
The pitch delivered by the robotic voice is for Exit Only, a company listed on Pink Sheets, which runs a web-based sales operation for new and used vehicles. As of 1pm EDT, Exit Only shares were up 1 cent, or 2.5%, to 41 cents.
Stewart was certain that the spam originated with Storm's maker or makers. "The stock being pumped is the same one we saw the botnet send as text [spam] yesterday," he says. "The samples I have came from the botnet secured with the 40-byte encryption," he adds, referring to a subset of the 200,000-plus PC botnet built by the Trojan Horse. Earlier this week, Stewart and other security professionals said that the addition of encryption to the newest Storm variant indicates that the hackers are getting ready to sell off parts of their collection, and are using the command-and-control traffic encryption to splinter the botnet into smaller, more salable chunks.
Spammers are constantly changing tactics to stay ahead of spam blockers and gateway filters, Wood says. Already this year, scammers have used image files, PDFs and Microsoft Excel spreadsheets to deliver their spiels. "What may be a success for them one week may fail the next," Wood says. In fact, based on past practice, Wood says he could predict the next move. "When they used image spam, they eventually put it on a website, using a free hosting service, and then used links to draw people there," he says. "The next logical step here is perhaps hosting the multimedia content online."
Tallies made by Commtouch, a Sunnyvale, Calif., security company, peg the new talking spam as accounting for between 7% and 10% of all spam sent worldwide in the past 18 hours.