in

si

gh

t10

Info

security To

day

September/O

ctober 2006

The medium may be new, but thetechnique is decades-old. Since

the start of last year, spam promotingshares — stock spam — has grownfrom 0.8% of all junk email to 15%now, according to UK IT security firmSophos. Ed Macnair, chief executive ofemail management company Marshal,says his firm has seen such spam forfour years, but agrees it has explodedin volume over the last 12 months.

Those wanting to move a stockprice for their own ends — usually to‘pump and dump’, hyping a companyso as to offload previously-purchasesshares at a profit — have usedtelegrams, letters, telephone calls andnewspaper columns to do so. PaulBaccas, spam researcher at SophosLabs, describes one historic tech-nique:“talking very loudly in bars andrestaurants, saying ‘I'm going to put amillion into this company’. It works”.

Stock spam can work too, although itis a short-term investment, and not forthe faint of heart.An academic workingpaper by Rainer Böhme and ThorstenHolz,* based on 7,606 stock spam mes-sages on 111 companies with availablestock-price data, reports an aggregatedcumulative abnormal return on aspammed company's share-price of+1.7% on the day of the attack, withthe effect dropping into negative terri-tory on the fourth day afterwards.

Another such paper by LauraFrieder and Jonathan Zittrain,** basedon 75,415 messages concerning 307companies, found that those who re-spond to touting lose on average5.25% in two days. However, thespammer buying a day in advanceand selling after one day of toutingmakes an average of 4.9%.

This finding supports the conclusionof Böhme and Holz, that ‘the business

model for stock spam actually works’.But as Frieder and Zittrain suggest, itonly works for the spammers!

Joshua Cyr (http://www.spamstock-tracker.com/) has tracked a virtualportfolio containing 1,000 shares ‘pur-chased’ when he received stock spamfor that company: from May 2005 tolate August 2006, this portfolio hadturned $71,000 into $24,000.A simi-lar exercise by Marshal, starting earlythis year and tracking around 20spammed stocks, turned $53,163 into$39,346.“In most cases we've seen,this has had a very damaging effecton the company's share price,” saysMarshal's chief executive Ed Macnair.

Neither the portfolios nor the aca-demic papers factored in the oftenwide differences in purchase and saleprices experienced with lightly-tradedstocks, making losses even greater.

Our sampleOver five weeks in July and August,Infosecurity Today found 22 compa-nies were mentioned in a small sampleof just over 200 stock spam received.None have a primary listing on stockexchanges: 16 are traded through thePink Sheets system, which tracks theprices of small unlisted stocks and the

other six are on the OTC BulletinBoard, which is regulated by the USSecurities and Exchange Commission(SEC), and requires an intermediate lev-el of financial reporting.The firmstracked by Böhme and Holz had a simi-lar 2 to 1 split between two systems(Frieder and Zittrain looked only atPink Sheets firms), although three ofthe 22 in our sample are also listed onthe Frankfurt stock exchange.

16 of the firms are US-based, threeCanadian with one each from China,Korea and Singapore.Marshall estimatesthat about 70% of stock spam ultimate-ly originates from North America, al-though the use of botnets to forwardsuch email clouds the issue.Macnairsays that the growth of share trading ineast Asian countries could increasinglymake their companies targets.

The companies appear to be small: ofthe five with market capitalization fig-ures available through Nasdaq.com (alllisted on the OTC Bulletin Board), fourwere worth between $6 to $29 million,with one,Quantum Energy rather larger

Since the end of 2005, share-promoting spam has been cramming ouremail. Steven Mathieson investigates this phenomenon.

Hot stocks toyour inboxSA Mathieson

“We've seen smarttraders who

understand there is ascam going on, but

if you get in fastenough and get out

before the wholething crashes, you've

made money”

From the gilded age of WallStreet‘These people used to send out tips tobuy or sell a certain stock - hundreds oftelegrams advising the instant purchase ofa certain stock and hundreds recommend-ing other customers to sell the samestock, on the old racing-tipster plan.’ (Ona firm accepting bets on share move-ments in the first half-decade of the 20thcentury)‘It has always seemed to me the height ofdamfoolishness to trade on tips... I some-times think that tip-takers are like drunk-ards... It is not so much greed made blindby eagerness as it is hope bandaged bythe unwillingness to do any thinking.’

Edwin Lefèvre, Reminiscencesof a Stock Operator, 1923

in

si

gh

t12

Info

security To

day

September/O

ctober 2006

at $156m.The prices of smaller capital-ization stocks take less effort to move,making them more vulnerable to apump and dump campaign.

Quantum Energy, GoldmarkIndustries, KMA GlobalSolutions, PetroSun DrillingFour of the 22 firms made recent ef-forts to disassociate themselves fromthe stock spam, through issuing a pressrelease. Nevada-based oil firm QuantumEnergy stated on 8 August:“Under nocircumstances has the Company or anyperson or group associated with theCompany participated or acquiescedwith this SPAM activity...This SPAM is areprehensible activity carried out byunknown parties.”The others wereUS/Canadian entertainment firmGoldmark Industries, US electronic sur-veillance label maker KMA GlobalSolutions and US oilfield services start-up PetroSun Drilling.All were ap-proached for further comment, butnone responded.

Some stock spam emails use plausi-ble names and subject lines such as“FWD: ticker watch” or “Trader alert”,but many do not — one title line read‘marketing holmium thulium erbium’ -and other spam indicators suchchunks of irrelevant text and odd for-matting, to confuse spam filters, areoften present.

Just like the real thing!However, the main content is oftenwell-presented, aping the format ofstock analyst reports — although thekind written by analysts under thecombined impact of a dot com boomand six double espressos.“Could thisbe the next Exxon?” asks one ofPetroSun Drilling, which opened inJune 2005 and had net income to the

end of the year of $21,495. In the sec-ond half of 2005, ExxonMobil — theworld's largest company by marketcapitalisation — had net income of$20.63 billion.A few even have dis-claimers: one ends with ‘WARNING:You can lose all your money by in-vesting in this stock.’

Sophos' Paul Baccus says the credi-bility of the emails is important.“Theproblem they have is that if they wantto make money, they have to look legit-imate,”he says.“You wouldn't trust astockbroker who couldn't spell stock.”

However, both Sophos and Marshalthink some buyers recognise stockspam for what it is, but act on it any-way.“We've seen smart traders whounderstand there is a scam going on,but if you get in fast enough and getout before the whole thing crashes,you've made money,” says Macnair.

Embedded imagesHigh-quality stock spam has been get-ting through by using embedded im-ages — lots of them.When looking at asequence of apparently the same email(as shown), the background colourmay alter, pixels of "noise" change loca-tion or the font may switch.This meansan automated scan for previously-blocked images will fail, although bothSophos and Marshal say they can copewith this, in Marshal's case through op-tical character recognition.

“Sometimes this backfires on thespammers,” says Graham Cluley, seniortechnology consultant at Sophos, ofthe attempts to tweak the images.“Wesee 'uncanned' broken spam, whereall you see is static.”

Another difficulty for blocking it isthat stock spam does not requirelinks, which removes the possibility

of blacklisting by URL. Cluley saysthat this actually helps Sophos, as itdoes not rely on this technique.

Such campaigns tend to be fairlyshort-lived.Böhme and Holz found thatthe longest campaign in their 16months of data was 77 days,but accord-ing to Macnair, these usually last a fewweeks at most:“To be effective, it re-quires a high take-up in a very shortspace of time.”

Trust eroded Security expert Marcus Ranum, whoamong other things invented theproxy firewall, believes that stockspam will lose its effectiveness quiterapidly – but this will happenthrough an erosion of trust in email.“That's neither a good thing nor a badthing – but as a long-time user ofemail I find it a bit sad,” he writes inan e-mailed response to questions.

Ranum says that when he first usedemail in the mid-1980s, users calledeach other to check an email had ar-rived, due to the unreliable routing sys-tems: now, users again call to check re-ceipt because of spam filtering.“ 'We'made this amazing system and it roseto a pinnacle of awesome functionality— and now we're right back wherewe started thanks to spammers, con-artists, stock pimps, etc,”he writes.

“If anything, the stockspam problemis getting worse,” says Cluley. He saysthe technique could be developed fur-ther, such as through targeting users in-terested in a certain subject with stockspam about companies in that field, or

“'We' made thisamazing system

[email] and it rose to a pinnacle

of awesome functionality - andnow we're rightback where westarted thanks to spammers,

con-artists, stockpimps, etc”

Share price graphs for Goldmark Industries, July and August 2006

in

si

gh

t13

Info

security To

day

September/O

ctober 2006

through using voice over IP to extendfake telephone messages purporting tobe hot stock tips left on the wrongvoicemail. Cluley adds that this “wrongaddress” technique has already beenused in email stock spam.

Stock spam still viableA Russian price list recently released bySophos,which suggests one group of

spammers charges $50 to hit a millionemail addresses in any country, showswhy even if the vast majority of stockspam is blocked or ignored it is stillcommercially viable.Although a regula-tor such as the SEC could issue warn-ings that a particular firm was being at-tacked, this could damage the companyunfairly - and could lead to ransom de-mands from stock spammers - or itcould be counterproductive,with sometraders watching for firms which couldbe bought for a quick increase. Instead,the SEC and other regulators offergeneric advice (http://www.sec.gov/in-vestor/pubs/cyberfraud.htm).

However, those generating stockspam are not above the law - and nei-ther are the target firms, if they are ac-cused of complicity.On 17 August, theSEC charged Jeffery Stone and JanetteDiller Stone with making more than $1million by orchestrating a fraud schemeto inflate the price of San Francisco-based WebSky using stock spam.

The SEC also brought charges againstWebSky and its chief executiveDouglas Haffer,“for selling WebSkyshares in a subsequent transaction toan entity controlled by Stone and Dillerwithout registering the transaction or

securing an exemption from registra-tion”.WebSky and Haffer agreed to set-tle the action without admitting ordenying the allegations, by returningthe $35,000 paid for the shares, a per-manent injunction against future viola-tions of registration provisions in feder-al securities laws, and a $25,000 civilpenalty paid by Haffer.•References*Böhme, Rainer and Holz, Thorsten,"The Effect of Stock Spam on FinancialMarkets" (April 2006). Seehttp://ssrn.com/abstract=897431

**Frieder, Laura and Zittrain,Jonathan, "Spam Works: Evidence fromStock Touts and Corresponding MarketActivity" (July 25, 2006). See http://ss-rn.com/abstract=920553

SEC action against Stones: http://www.sec.gov/litigation/litreleases/2006/lr19805.htm

Collection of stockspam: http://world-widespam.info/stock/

© SA Mathieson 2006.

SA Mathieson writes about IT for titlesincluding the Guardian and HealthService Journal.

Goldmark Industries*

The experience of Goldmark Industries — which made up 18% of all the stock spam received in the Infosecurity Todaysample — seems fairly typical. Its stock was priced below $5 for several weeks before the campaign appears to have startedon 6 July. On that day, volumes of stock traded went from 500 the day before to 38,600, the price peaked at $7.30 and closedat $6.25. On 12 July, which saw 75,900 shares traded, the price peaked at $9.15 and closed at $8.50, and it peaked at $8.90again on July 26. But after that, the price gradually moved downwards.

Several of the emails quoted sections of genuine Goldmark press releases: at the start of July, the firm announced a change of direction towardship-hop and urban music, and has made supporting announcement on this since. Furthermore, the current prices quoted in the emails were usu-ally correct - it's just that the price expectations were usually not.

On Monday 17 July, one email quoted Goldmark's current price as $7.50 - it had actually closed the previous Friday below $7 - with a"Most Probable Target Price" of $8, which was exceeded eight days later. But on 24 July, another correctly quoting the price as $5.60 andmentioned a "Short Term Target Price" of $12, the same target price quoted in the emails reproduced here from 25 and 26 July, a levelwhich the price never approached.

On Monday 31 July, the current price was again correctly quoted at $5, with no target price mentioned, although the email did say "GetGDKI First Thing Today, This Is Going To Explode!". It rose above $7 on 2 August, but then drifted downwards. After having appeared instock spam almost every day previously, Goldmark vanished from the in-box until 21 August, when its current price was quoted as $4.60with a "5 day expected" price of $7.90. On Friday 25 August, the stock opened at $4.05.*NB: Infosecurity Today would like to make it clear that Goldmark issued a press release disowning the spam.

Marcus Ranum: time to fold the cardson email as a communication tool?