Posted on behalf of Mathew Nisbet, Malware Data Analyst, Symantec Hosted Services
“Pump-and-dump” stock spamming is a technique that has been around for a long time, in which spammers attempt to artificially raise the price of a particular company’s shares. It was extremely popular throughout 2007 and the early part of 2008, but after that it dropped off to almost nothing. However, on December 14 it returned in large volumes, sent out by the Donbot botnet. Throughout 2009 there has been very little “stock spam,” but when Donbot ramped up its activity on December 14, pump-and-dump scams shot up to over 4.5% of spam for that day, which is an estimated 5 billion messages globally in just one day (based on the Symantec average daily spam volume estimate for 2009).
The purpose of these “pump-and-dump” emails is simple: gain the interest of potential investors and encourage them to buy stock in low-value companies, which then drives up the share price. The people behind the spam will have already purchased their stock, and when the stock rises in price, they sell and make a big profit.
This is an example of the current run:
As you can see, it is well written and aims to gain the interest of potential investors. Notice also that there are no links or attachments in this mail and no direct action is called for; it is simply sent out in large volumes to try to gain the interest of as many people as possible, hence the name pump-and-dump.
Also popular at the moment are the following festive spam runs:
1) Pharmaceutical spam: It has always been there, but the spammers have been getting into the holiday spirit with a festive makeover of their websites. The botnet most responsible for this is Cutwail, with the emails having subjects like “Deal of the Day: Save 73%”. The body of the mail then simply repeats the subject and gives a link to their website.
2) “Russian Bride” websites: The email arrives with a subject along the lines of “Marry a gorgeous Russian girl.” or “Still single? Look at my profile, Olga from Russia”. The email body then contains a link to a Weblog page with the image below, which is a screenshot of the website the user is taken to if they click on the image. This run is coming mainly from the Rustock botnet.
3) Replica watches, handbags and jewellery: Also from the Cutwail botnet, the spammers have been hoping to cash in on the December holiday spending rush. Very similar in style to the pharmaceutical spam, these emails have subjects like “100s of [Insert Brand Name] Watches and Handbags 50% Off” with a body that repeats the subject and gives a link to the website. Notice the website has also had a festive makeover, offering special “holiday season” deals.