
SANS ISC: Back to the past with penny stock spam - SANS Internet Storm Center SANS ISC InfoSec Forums


Back to the past with penny stock spam

Most of you will remember the penny stock SPAM messages from a fair few years ago. The aim of the game is to buy a bunch of penny stock and then run a SPAM campaign to drive buying interest, artificially inflating the price of the stock. The spammers then sell and make their money. It may be only a few cents per share, but if you own enough of it, it can be quite profitable. Most SPAM filters are more than capable of identifying and dumping this kind of SPAM.

It looks however like it is becoming popular again.  My little SPAM traps have been receiving a few of these messages over the last few days. 

It is making noise again!!! It Started Moving After this

News!!!

Date: Thursday, Apr 4th, 2013

Name: Pac West Equities, Inc.

To buy: P_WEI

Current price: $.19

Long Term Target: $.55

 

OTC News Subscriber Reminder!!! Releases Breaking News This

Morning!

 

What is old is new again. It might be a good idea to check that your filters are taking care of these for you.

Mark 

(too much Big Bang Theory before writing ;-) thanks for pointing it out)

Mark

391 Posts
ISC Handler
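
An added example, not part of the original diary or its comments: a small Python heuristic for checking whether a filter rule set would recognise this template, scored on the labelled fields that the two spam bodies quoted on this page share. The rule names, weights, threshold and the benign message are assumptions made for the illustration.

```python
import re
# Labelled fields shared by the two samples quoted on this page. Weights and
# threshold are assumptions for this illustration, not tuned values.
RULES = [
    ("ticker_split", 3, re.compile(r"^\s*(?:To buy|Tick(?:er)?)\s*:\s*[A-Z]+_[A-Z]+\s*$", re.M)),
    ("price_field", 2, re.compile(r"^\s*(?:Current price|Buy at)\s*:\s*\$\s*(\d*\.\d+)", re.M | re.I)),
    ("target_field", 2, re.compile(r"^\s*Long Term Target\s*:\s*\$\s*(\d*\.\d+)", re.M | re.I)),
    ("company_field", 1, re.compile(r"^\s*Name\s*:\s*.+\bInc\b", re.M | re.I)),
    ("hype", 1, re.compile(r"!!!")),
]
THRESHOLD = 5

def score_message(body):
    """Return (score, names of rules that fired) for a plain-text body."""
    score, hits, found = 0, [], {}
    for name, weight, rx in RULES:
        m = rx.search(body)
        if m:
            score += weight
            hits.append(name)
            found[name] = m
    # A promised multiple of 2x or more on a sub-dollar price is the pitch itself.
    if "price_field" in found and "target_field" in found:
        price = float(found["price_field"].group(1))
        target = float(found["target_field"].group(1))
        if 0 < price < 1 and target / price >= 2:
            score += 2
            hits.append("upside_2x")
    return score, hits

def is_pump_spam(body):
    return score_message(body)[0] >= THRESHOLD

# Bodies of the two spam samples quoted on this page (abridged).
SAMPLE_A = """It is making noise again!!! It Started Moving After this
News!!!
Name: Pac West Equities, Inc.
To buy: P_WEI
Current price: $.19
Long Term Target: $.55
"""
SAMPLE_B = """Name: GOLD & GEMSTONE MINING INC.
Tick: GGS_M
Buy at: $0.02
Long Term Target: $0.25
Heavy Volume Afternoon Breakout Just Starting!!!
"""
# Constructed benign message that shares two of the field labels.
BENIGN = "Name: Example Widgets Inc.\nCurrent price: $12.50\nPlease confirm by Friday.\n"
```

Both samples score 11 against a threshold of 5, while the constructed benign message scores 3 because it lacks the underscore-split ticker, the target field and the sub-dollar upside.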
I remember sending abuse reports about OTCBB/Pink sheets spam directly to the markets that control them. It seems they've changed websites & email addresses a lot since then, so I'm not exactly sure where it should be directed. But here is their contact page: http://www.otcmarkets.com/contactUs and here is a warning from the SEC about these types of scams: http://www.sec.gov/answers/unsolicitedquotations.htm
pogue

17 Posts
If you are using ClamAV, the Sanesecurity sigs have been taking care of these for quite a few days...junk.ndb and scam.ndb databases.

Steve: www.sanesecurity.com
Sanesecurity

21 Posts
Picked up my first of the run on these 3.4.2013:

<snip>
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.whataboutbob.org (Postfix) with ESMTP id 2AD188D019C
for <threatstop@whataboutbob.org>; Mon, 4 Mar 2013 20:59:43 -0800 (PST)
Received: from 113.172.214.251 (unknown [113.172.214.251])
by mail.whataboutbob.org (Postfix) with SMTP id 79B278D019A
for <threatstop@whataboutbob.org>; Mon, 4 Mar 2013 20:59:38 -0800 (PST)
Received: from unknown (HELO vkyfdy) ([89.113.115.219])
by 113.172.214.251 with ESMTP; Tue, 5 Mar 2013 11:51:37 +0700
Message-ID: <000401ce195c$b51c9d00$597173db@Bubblesvkyfdy>
From: "Jennifer Goodwin" <panty@tc.umn.edu>
To: <threatstop@whataboutbob.org>
Subject: [SPAM] It is on Immediate Alert! This Bull is Positioning for a Major
Run
Date: Tue, 5 Mar 2013 11:45:53 +0700
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1250";
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Kolab-Scheduling-Message: FALSE
X-Kolab-Scheduling-Message: FALSE

Time to Get Bold... This Company is back on Smallcap!

Date: Tuesday, Mar 5th, 2013
Name: GOLD & GEMSTONE MINING INC.
Tick: GGS_M
Buy at: $0.02
Long Term Target: $0.25

This Stock is Having a Huge Day! Check out!!! Trading On
Heavy Volume Afternoon Breakout Just Starting!!!

Bob Stangarone

9 Posts
Alas, I feel sorry for:

"Jennifer Goodwin" <panty@tc.umn.edu>

who is a "Joe Job" victim -- there's no reason to cite her E-mail ID as "clear" (easily harvested by spammers) text, since there's no proof, within the E-mail headers that you cited, that she has had any role in the distribution of the messages.

Sigh.

Anonymous
pennie?
Anonymous
I've been seeing 2-3 'stock boost' spams a week in my gmail spam folder since November or so.
Eric

12 Posts
JoeJob - do you really think that Jennifer's email address in that message is valid? Take a closer look... it sure appears to be bogus. "panty@xxxxx.edu"? GMAB...
RussM

4 Posts
>> do you really think that Jennifer's email address in that message is valid?
>> Take a closer look... it sure appears to be bogus.

1. Why take the chance that it is valid? Instead, err on the side of caution, and mask it out.

2. You're presuming that students have "American" names like "Goodwin" or "Jennifer". Open your mind to Asian names like "Pan" or "Pant" or "Ty". Or, it could be a long-held nickname, like "Snooki".
Or, it could be a requirement of the U. of Minn. for each student to have an ID, to authorize them for various "restricted-license" online resources at their Library. So, the ID was created, and is used only for "authorization", while the person has a GMAIL or HOTMAIL ID for all their "social" communications. E-mail to 'panty' could be auto-forwarded. Again, including that ID in the posting was not necessary -- it didn't add any "evidence" about the original of the E-mail.

Just leave it out!

P.S. What's a "penny" ? Canada does not have such a coin in circulation. :-)
Anonymous
"Why take the chance that it is valid? Instead, err on the side of caution"

Because it is useful information to have the example in unaltered form, and changing it is more harmful.

Having an example from address enables others to search mail logs for it, to see if impacted, or if more details of the spam origins can be ascertained.

I am not in favor of protecting spammers by obscuring details that are crucial for tracing and correlation.
Mysid

146 Posts
"P.S. What's a "penny" ? Canada does not have such a coin in circulation. :-)"

Neither does the U.S.A. We have a one cent coin but it is commonly called a penny here stemming from British heritage and steadfastly clinging to traditions of the vernacular type.
Alan

57 Posts
I am pretty sure that address is already known by the spammers if it is being used for JoeJobs already, but you are entitled to your opinion. :)
Bob Stangarone

9 Posts
