Storm gang spammers pump up volume with major spoken scam slam

Storm botnet delivers MP3 attachments that read pump-and-dump pitch

Spammers started delivering spoken messages mid-week in the newest twist on the ongoing pump-and-dump scam, several security researchers said.

According to analysts, the spam is coming from the individual or gang responsible for the Storm Trojan, and is being sent from a piece of the Storm-built botnet that was recently split off from the core group of compromised computers.

Around 5:30 p.m. (EDT) Wednesday, security vendors, including SecureWorks and MessageLabs began noticing a wave of spam using MP3 audio file attachments to dupe recipients into investing in a penny stock. The spam run was still in operation as of noon (EDT) Thursday, said Paul Wood, an analyst at MessageLabs, with the volume holding steady at about 10,000 messages per hour. "It's been going on now for about 18 hours," said Wood. "That's pretty unusual."

Analysis done by Sophos, another U.K.-based security company, reported that the spam often lacks subjects or even text in the body of the messages. Instead, the spammers pin their hopes on the MP3 filenames, which purport to be tunes from singers as wildly different as Fergie, Elvis and Carrie Underwood. The MP3s are of poor quality -- encoded as 16Kbit/sec. audio -- and feature a synthesized female voice reading the pump-and-dump pitch.

"Hello, this is an investor alert," the voice says. "Exit Only Incorporated has announced it is ready to launch its new Web site, already a huge success in Canada; we are expecting amazing results in the USA. Go read the news and [obscured] on EXTO. That symbol again is EXTO. Thank you."

In a classic pump-and-dump, criminals tout shares of one or more lightly traded companies as hot and ready to climb. The fraudsters, however, have already bought shares, and spam their shills to get others to buy in. If enough do, the price goes up, and the scammers sell. The dupes are left holding the bag when the price later plunges.

"They've given the synthesized voice slightly different parameters so it speaks faster or slower to make the file sizes different," said Joe Stewart, senior security researcher at SecureWorks. "Sometimes when it gets to the end of the talk, it repeats part of it to try to make it harder for filters to catch."

Both Wood and Stewart said that the spam is the first to actually use audio. Although other campaigns have included attachments that posed as MP3s, they were actually image files, Wood said. But whether the spoken word is as effective as text in convincing people to buy dubious stocks remains to be seen. "I wouldn't think it would [be], but we'll have to wait to see if the stock actually goes up," said Stewart.

The pitch delivered by the robotic voice is for Exit Only, a company listed on Pink Sheets, which runs a Web-based sales operation for new and used vehicles. As of 1 p.m. EDT, Exit Only shares were up 1 cent, or 2.5 percent, to 41 cents.

Stewart was certain that the spam originated with Storm's maker or makers. "The stock being pumped is the same one we saw the botnet send as text [spam] yesterday," he said. "The samples I have came from the botnet secured with the 40-byte encryption," he added, referring to a subset of the 200,000-plus PC botnet built by the Trojan Horse. Earlier this week, Stewart and other security professionals said that the addition of encryption to the newest Storm variant indicates that the hackers are getting ready to sell off parts of their collection, and are using the command-and-control traffic encryption to splinter the botnet into smaller, more salable chunks.

Spammers are constantly changing tactics to stay ahead of spam blockers and gateway filters, Wood said. Already this year, scammers have used image files, PDFs and Microsoft Excel spreadsheets to deliver their spiels. "What may be a success for them one week may fail the next," Wood said. In fact, based on past practice, Wood said he could predict the next move. "When they used image spam, they eventually put it on a Web site, using a free hosting service, and then used links to draw people there," he said. "The next logical step here is perhaps hosting the multimedia content online."

Tallies made by Commtouch, a security company, peg the new talking spam as accounting for between 7 percent and 10 percent of all spam sent worldwide in the past 18 hours.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?