A recent pump-and-dump email scam demonstrated that, while attackers' techniques evolve all the time, they sometimes still rely on old tricks.
Countless individuals around the globe maintain and rely on email, so what better place for cybercriminals to target?
There are many threat vectors used to generate wealth on the black market. Email-borne attacks, for example, come in the form of phishing, spear phishing, Trojans, malicious attachments and hidden scripts. These techniques constantly evolve and quickly adapt to the changing technological landscape in order to stay ahead of security professionals.
But even with the most sophisticated tools at their disposal, attackers have found success using age-old tricks.
Earlier this year, we blocked a massive “pump-and-dump” stock spam campaign that attempted to infiltrate inboxes. If you are unfamiliar with the scam, it goes something like this: Scammers buy shares in a penny stock (usually costing less than $1 per share), and, once they have taken a position on price, they send massive amounts of spam to users around the globe to generate interest in the stock. Believe it or not, there are plenty of unsuspecting people who are willing to make stock purchases based on a “tip” they receive from a source as suspect as an unsolicited email. Once real investors buy shares and “pump up” the stock price, scammers will then “dump” their shares and reap the profits.
This pump-and-dump scheme might sound familiar since it’s nearly indistinguishable from the plot of Hollywood’s blockbuster movie “The Wolf of Wall Street.” The only difference here is that scammers use electronic communication and not cold-calling techniques.
In April 2014, spammers started using the name "Oakmont Stratton" in the From field of their correspondence. Did you just catch the striking resemblance to the firm name Stratton Oakmont, which appears in the recent Scorsese film? We couldn’t help but wonder if those scammers pulled inspiration from the film and felt compelled to impersonate the name. Either way, cybercriminals never fall short on creativity when it comes to piquing public interest.
In one campaign, the sender’s address and message details changed several times a day to avoid detection. (One variation, for instance, referenced “JtMorgan,” to mimic the reputable financial services firm J.P. Morgan.) The spammers’ stock du jour was pitched for much longer than average since they used a remarkable number of variables in the generating algorithm to create enough unique versions of the message for the campaign to run several days.
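The two evasion tricks described above, a rotating sender identity and a message generator that swaps variables into one template, both leave detectable residue: the display name still has to resemble a real firm, and the variants still share a skeleton once the swapped-in parts are masked. The following is an added illustration written for this post, not AppRiver's filter or any product code; the firm list, the "example.test" addresses and the message bodies are constructed samples, and the similarity threshold is an assumed tuning value.

```python
"""Heuristic detection of templated pump-and-dump spam (constructed example)."""
import re
from collections import defaultdict
from difflib import SequenceMatcher

# Assumed watch list of firm names a filter would guard against impersonation of.
KNOWN_FIRMS = ["Stratton Oakmont", "JP Morgan", "Goldman Sachs"]

# Constructed sample messages, modelled on the campaign described in the post.
SAMPLE_MESSAGES = [
    {"from": "Oakmont Stratton <alerts1@example.test>",
     "body": "RNBI is about to explode! Price now $0.13, target $0.50. Buy today!"},
    {"from": "Oakmont Stratton <news-22@example.test>",
     "body": "RNBI is about to explode!  Price now $0.14, target $0.60. Buy today!"},
    {"from": "JtMorgan <desk7@example.test>",
     "body": "RNBI is about to explode! Price now $0.15, target $0.75. Buy today!"},
    {"from": "Alice Smith <alice@example.test>",
     "body": "Hi, attaching the Q2 report as discussed. Thanks!"},
]

TICKER_RE = re.compile(r"\b[A-Z]{3,5}\b")          # stock symbols such as RNBI
NUM_RE = re.compile(r"\$?\d+(?:\.\d+)?%?")         # prices, percentages, counts


def _letters(text):
    """Lowercase letters only, so spacing and punctuation do not affect similarity."""
    return re.sub(r"[^a-z]", "", text.lower())


def lookalike_firm(display_name, firms=KNOWN_FIRMS, threshold=0.8):
    """Return the firm a sender display name imitates, or None.

    Two checks: a word-order swap ("Oakmont Stratton" for "Stratton Oakmont")
    and a near-miss spelling ("JtMorgan" for "JP Morgan"). The 0.8 ratio is an
    assumed tuning value, not a figure from the post.
    """
    words = sorted(re.findall(r"[A-Za-z]+", display_name.lower()))
    for firm in firms:
        if words == sorted(re.findall(r"[A-Za-z]+", firm.lower())):
            return firm
        if SequenceMatcher(None, _letters(display_name), _letters(firm)).ratio() >= threshold:
            return firm
    return None


def skeleton(body):
    """Mask the parts a spam generator varies (tickers, prices, spacing,
    punctuation) so variants produced from one template collapse to one key."""
    s = TICKER_RE.sub("<TICKER>", body)      # tickers first, so "<NUM>" is not re-masked
    s = NUM_RE.sub("<NUM>", s)
    s = re.sub(r"[^\w<>\s]", "", s)          # drop punctuation, keep placeholders
    return " ".join(s.lower().split())


def display_name(from_header):
    """Extract the display name from a From header like 'Name <addr>'."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<', from_header)
    return m.group(1).strip() if m else from_header.strip()


def analyze(messages, min_senders=3):
    """Return findings: one template seen from several distinct senders
    (a rotating-sender campaign), plus any sender imitating a known firm."""
    clusters = defaultdict(list)
    for msg in messages:
        clusters[skeleton(msg["body"])].append(msg["from"])

    findings = []
    for skel, senders in clusters.items():
        distinct = sorted(set(senders))
        if len(distinct) >= min_senders:
            findings.append({"type": "templated_campaign",
                             "variants": len(senders),
                             "senders": distinct,
                             "skeleton": skel})
    for msg in messages:
        firm = lookalike_firm(display_name(msg["from"]))
        if firm:
            findings.append({"type": "lookalike_sender",
                             "from": msg["from"], "imitates": firm})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGES):
        print(finding)
```

On the constructed sample the three pitch messages collapse to one skeleton despite different prices and spacing, and all three senders are flagged as imitating a listed firm; the unrelated report message forms its own single-sender cluster and is left alone. In a real filter the skeleton key would be tracked over time, since a campaign that "runs several days" is exactly the case where a template seen from many senders is more telling than any single message.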
We quarantined more than 400 million of these messages during the course of the campaign, which lasted 10 days.
In another campaign, spammers pushed Rainbow International Corporation (RNBI) stock. Depending on whom you ask, Rainbow International Corp. is either a mining operations company in Turkey, an organization that distributes boxes and bowls, or a company trying to break into the hemp industry. In any case, the company’s stock was pushed into the spotlight. Spammers bought RNBI stock on or before June 24, 2014, for about 13 cents per share. A botnet, millions of pieces of spam and a short time later the price nearly doubled, to about 23 cents per share.
The SEC has gone after traders who deal with falsely inflated stock scams, but a simple rule of thumb is to never take action on the content of unsolicited emails. This includes clicking links, opening attachments or, in this case, making investment decisions.
Troy Gill is a senior security analyst at AppRiver. Guest blogs such as this one are published monthly, and are part of Talkin' Cloud's annual platinum sponsorship.