Pump-and-dump stock morphs again
Pump-and-dump stock, or penny stock, spam has been around for a long time. Most memorably, it has the distinction of being the main deliverable of image spam. Regardless of the morphing or variations, it is still pump-and-dump stock, and while we're not stock advisors, we would advise against it, unless you like parting from your money.
The most recent morphing we've observed over the past few days includes highly obfuscated messages with a few distinctive features. For starters, none of the message headers in the attack contain a subject line. This means that when it lands in your inbox there will be no subject line for the message. Spammers may be utilizing this tactic as a means to entice end users to open the message by banking on the curiosity of an end user to open the mysterious message. There is a subject line in the body of the message. The spammer is most likely doing this for obfuscation purposes.
Other features of this pump-and-dump attack are the inclusion of random, alphabetized email addresses in the body and then an additional set of headers (in the body) followed by the penny stock that is being pumped.
Text Body Sample:
Subject: hx-pn s m i l e s
Date: Tue, 25 Sep 2007 21:10:32 -0700
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0040_01C7F9F5.098DA510"
aname@domain.com
abname@domain.com
acname@domain.com
H...X...P...N----p...k....
Yestrday@0.15
Curent@0.17
/0.30@day5
/0.60@day10=20
The text portion of the message displays the penny stock and the current price. The HTML for this attack shows a new twist by inserting the price of the stock symbol in "mailto:" format in a place that would usually be reserved for URLs.
HTML body sample:
<BR>Q*C*P*C-pk<BR>Q~C~P~C <BR></FONT><A=20
href=3D"mailto:Current@0.002/0.01@day5/0.02@day10"><FONT=20
size=3D2>Current@0.002<BR>/0.01@day5</FONT>
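The traits described above can be turned into filter heuristics. The following Python sketch is an added example, not code from the original post: the function name `score_message`, the trait labels, the regular expressions and the thresholds are all assumptions, and the test message is constructed from the two samples quoted above.

```python
import re
from email import message_from_string

# Constructed message modelled on the text and HTML samples quoted in the post.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Subject: hx-pn s m i l e s
Date: Tue, 25 Sep 2007 21:10:32 -0700
aname@domain.com
abname@domain.com
acname@domain.com
Curent@0.17
/0.30@day5
--b1
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<A=20
href=3D"mailto:Current@0.002/0.01@day5/0.02@day10">Current@0.002</A>
--b1--
"""

HEADER_IN_BODY = re.compile(r"^(Subject|Date|MIME-Version|Content-Type):", re.I | re.M)
ADDRESS_LINE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)*\.[a-z]{2,}$", re.I)
PRICE_MAILTO = re.compile(r'href="mailto:[^"]*@\d+\.\d+[^"]*@day\d+', re.I)

def score_message(raw):
    """Return the set of traits from the post that the raw message exhibits."""
    msg = message_from_string(raw)
    hits = set()
    if not (msg["Subject"] or "").strip():       # missing or empty real Subject
        hits.add("no_subject_header")
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        # decode=True undoes quoted-printable, so href=3D"..." becomes href="..."
        body = part.get_payload(decode=True).decode("latin-1")
        if len(HEADER_IN_BODY.findall(body)) >= 2:
            hits.add("headers_in_body")
        # The quoted addresses are not in strict sort order, so count bare
        # address lines instead of testing for sortedness (assumed threshold: 3).
        if sum(bool(ADDRESS_LINE.match(l.strip())) for l in body.splitlines()) >= 3:
            hits.add("address_list_in_body")
        if PRICE_MAILTO.search(body):            # price ladder inside a mailto: href
            hits.add("price_in_mailto")
    return hits
```

Any single trait is weak evidence on its own; a filter would typically weight them and act only when several fire on the same message.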