
SANS ISC InfoSec Handlers Diary Blog



'Pump and Dump' Spam Messages

Published: 2005-09-26
Last Updated: 2005-09-26 20:40:43 UTC
by Scott Fendley (Version: 2)

Just a quick note for everyone as you return to the office on Monday morning. There have been a few reports of a new spam message that has been thrown out on the net over the weekend, and it will have security implications for some. 'Pump and Dump' spam messages are email messages that appear to give the reader an insider's edge on a particular stock that is about to see some amazing growth. The people behind this spam have undoubtedly bought many shares of the stock ahead of time and will dump them after unsuspecting users push the stock price up with their purchases. This type of spam has been around for a while, and usually doesn't make it to my inbox that often. However, since Saturday morning I have had upwards of 100 reach one of my older email addresses, and many more have been sent in to the postmaster and abuse addresses.

However, upon looking closely at the headers and taking a very high-level view, this appears to be related to exploitation of some type of CGI or PHP application. After exploitation, the attacker can proxy, or otherwise relay, their junk mail through the compromised host. Unfortunately, I have not been able to get close enough to one of these relay machines to determine precisely what application has come under fire.
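The header walk described above, as an added example that is not part of the original diary: it parses the Received: chain of a message, finds the hop where the mail first entered the mail system, and flags the local-submission pattern (sendmail invoked from a web server account) that a script-driven relay on a compromised host typically leaves. The sample message, the host names and the www-data account are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample modelled on the kind of message the diary describes.
# Hosts, ids and the account name are made up; this is not a real header set.
SAMPLE = """Received: from mail.example-edu.test (mail.example-edu.test [192.0.2.10])
\tby mx.victim.test (Postfix) with ESMTP id 1A2B3C
\tfor <abuse@victim.test>; Mon, 26 Sep 2005 09:12:01 +0000
Received: from localhost (localhost [127.0.0.1])
\tby mail.example-edu.test (Postfix) with SMTP id 4D5E6F;
\tMon, 26 Sep 2005 09:11:58 +0000
Received: (from www-data@localhost)
\tby mail.example-edu.test (8.13.1/8.13.1/Submit) id j8Q9BvXX012345;
\tMon, 26 Sep 2005 09:11:57 +0000
From: "Stock Tips" <tips@nowhere.test>
To: abuse@victim.test
Subject: TOTG ready to explode!

Buy now before the announcement.
"""

def parse_hops(raw):
    """Return the Received: hops top to bottom (newest first) as dicts."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all('Received', []):
        text = ' '.join(value.split())          # unfold continuation lines
        local = re.match(r'\(from ([\w.-]+)@localhost\)', text)  # sendmail local submit
        frm = re.match(r'from (\S+)', text)
        by = re.search(r'\bby (\S+)', text)
        hops.append({
            'from': local.group(1) + '@localhost' if local else (frm.group(1) if frm else None),
            'by': by.group(1) if by else None,
            # Mail handed to the local MTA by a process on the box itself, e.g. a
            # web server account: what a script-driven relay on a compromised host looks like.
            'local_submit': bool(local) or (frm is not None and frm.group(1) == 'localhost'),
        })
    return hops

def origin(hops):
    """The bottom-most hop is where the message entered the mail system."""
    if not hops:
        return None
    first = hops[-1]
    return first['by'], first['local_submit']

def tally_origins(messages):
    """Count origin hosts across many samples so the busiest relays stand out."""
    return Counter(origin(parse_hops(m))[0] for m in messages if parse_hops(m))
```

Only the bottom hop is trustworthy as the origin, and only because the upstream hops were written by your own mail servers; anything further down may have been forged by the sender.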

So, if you find that your company has had a large uptick in 'pump and dump' spam, know that you are not the only ones. If you find web server logs, or better yet, an actual compromised host that was sending out this junk, then please let us know which application is being exploited.

[Update - 20050926 - 2000 UTC]  --

There are several theories about how the spam was sent out. Most of them revolve around the concept of a set of zombies that were targeted at a set of domains and email addresses. We have had at least one report from the owner of a supposedly compromised host that had in fact been hit through a vulnerable CGI program. In general, we still don't know exactly which one it was, and we hope that one of the domains that actually was exploited will help shed light on this.

With that said, there is a very interesting graph of the stock of the company being spammed about. Take a look at the Yahoo Finance website for TOTG. The company in the past several days has had very small volume and little fluctuation in its price. The historical records show this as well, with the exception of September 12th: 1.2 million shares exchanged hands, which is what pumped the stock out of the ~40-60 cent range into the dollar range. For future viewers, here is the 5-day historical graph for this company.




Judging by what I am seeing, it appears that there are a lot of greedy people out there who are willing to listen to "insider information" sent to them in spam. NOTE: I am not saying anything about the 2-Track Global corporation. It is my opinion that until someone is found to do something fraudulent within their company, they are a bunch of good guys and have become the victims of this activity. I have forwarded copies of some of the emails to the SEC for their follow-up, and I hope that they are able to follow the money to the real criminal(s).

Scott Fendley
ISC Handler