MP3 pump-and-dump spam targets inboxes

Experts today said the new MP3 spam tactic is creative, but it seems to be a natural progression following runs of image, PDF and Excel junk mail earlier this year.

Anti-spam outfits reported Storm Worm-driven MP3 spam runs of about 10,000 per hour, accounting for roughly 7 to 10 percent of all unwanted mail in the past 18 hours.

"It was almost expected in the natural order of spam," Paul Wood, a senior researcher for MessageLabs, told SCMagazineUS.com today. "They're just looking for the next big thing, and they've probably found it."

In most cases, the junk mail arrives without text in the body or subject line, and includes an MP3 attachment that employs social engineering to appear like a trusted file. Depending on the message, the file name might be "bspears," "smashingpumpkins," "weddingsong" or "coolringtone."

In actuality, the files contain a recorded 30-second synthetic voice message from a woman with a European accent who tries to persuade listeners to purchase stock in Exit Only Inc., which does business as Text4Cars.com.

The Santa Monica, Calif.-based company, whose customers mostly live in Canada, is a thinly-traded stock that is listed as EXTO on the Pink Sheets. This type of business is commonly used in pump-and-dump scams, where even small volumes can move a stock several percentage points.

Text4Cars.com tries to match car buyers and sellers through text messaging, CEO David Dion told SCMagazineUS.com today. He said he runs a legitimate company and is not trying to get rich quick off a spam scam.

"Why someone is targeting me, I have no idea," he said. "I wish they'd leave my company alone."

Dion said he was told by computer specialists he hired that the attack originated in St. Petersburg, Russia but was largely being hosted on U.S. computers that had been compromised by the Storm Worm virus.

But he said the scam is having little success, considering that as of 2 p.m. today, only 100 volumes had been traded. Dion said he is confident he can track down the culprits.

"I have the shareholder list," he said. "Obviously, if someone who has a position in my stock and wanted it to go up, that person is going to have to get rid of it eventually. If I find these people, I'm going to take whatever legal action I can take."

Dion's predicament is not uncommon for lightly traded companies, and it could lead to negative publicity. In March, the Securities and Exchange Commission (SEC) halted trading on the shares of 35 companies, a notable action considering the Pink Sheets have historically had little regulatory oversight.

The new MP3 spam run has been able to circumvent filters because most solutions have not been tweaked to block these new, sophisticated techniques.

"The technology wasn't developed with that in mind," David Vella, director of product management for GFI, told SCMagazineUS.com today. "It was always text spam. It was only this year when we started seeing attachments."

The spammers have varied their file sizes – on average 85 kilobytes – and have randomized the sound quality of the recordings to avoid detection, researchers at Commtouch said. The attachments do not contain any malware.

Organizations are advised to block MP3 attachments.

"How many companies do you know that use MP3 files for business use?" Vella said.

As an alternative, organizations can contact their internet service provider and demand they block the spam before it reaches the gateway, Wood said.

In the meantime, Dion said he has contacted the appropriate authorities, including the SEC, and is trying to stay optimistic.

"This doesn't look good for us, but the company still will go on," he said. "The business has gotten a lot of exposure."