
March 9th, 2007

How lucrative is pump-and-dump spam?

Posted by Ryan Naraine @ 10:23 am

Categories: Botnets, Browsers, Data theft, Exploit code, Hackers, McAfee, Rootkits, Spam and Phishing, Spyware and Adware, Symantec, Vulnerability research

Tags: Stock, Spammer, SEC, Spam, Ryan Naraine

Are pump-and-dump spammers really making money from hyping penny stocks in e-mails? Paul Moriarty has the answer and it's an eyebrow-raising sight.

Over the last month, Moriarty, director of product development for Internet Content Security at Trend Micro, has been running a virtual portfolio of selling short on stocks found during spam runs. After 22 transactions in a five-week period, he has earned a whopping $25,610.

Short selling (shorting) a stock is the act of profiting from a stock price going down. A short seller will typically borrow a security and sell it, expecting that it will decrease in value so that they can buy it back at a lower price and keep the difference.

During Moriarty's research, he used data from pump-and-dump e-mails flooding into Trend Micro's spam honeypots. "As soon as I see activity on a particular stock, I'll short that and set a limit to cover after I've made 10%. In just over five weeks, I've turned a 25.6 percent profit on a $100,000 virtual portfolio. This is exactly what these spammers are doing. It's risky business but it's easy money," Moriarty said in an interview.

"I made money on every transaction," he added.

On the other hand, if he were to have fallen victim to "hot stock" e-mail tips and invested and held, Moriarty's portfolio would have been down 27.6 percent.

[Chart: Pump and dump (shorting)]

Moriarty shared his research with me after the SEC's announcement yesterday that it had suspended trading in 35 companies whose shares were promoted in spam e-mails. (See more from Larry Dignan)

Although the SEC move is to be applauded, Moriarty sees it as a double-edged sword that creates an even bigger problem.

"Pretty soon, you'll start seeing extortion schemes. The spammers will simply call up a company and demand money on the threat of a pump-and-dump spam run. Think about it, a spammer now has the power to control which stocks are suspended by the SEC," Moriarty warned.

"Pretend I'm a bad guy and you're the CEO of XYZ company. I can call you up and say, 'Hey, wire $50,000 to my eGold account or I'll run a pump-and-dump scheme to halt trading on your stock.' This is the next step," he added.

Botnet operators controlling billions of zombie machines commonly use extortion tactics against online gambling sites and other companies, threatening to launch crippling denial-of-service attacks if ransom demands aren't met. In Moriarty's mind, denying a company the ability to trade on the stock market isn't any different.

"I'll bet you a dollar to a donut that we'll see pump-and-dump extortion schemes, playing on the SEC move. They have the power to use spam to halt stock trading. They already have access to the botnet to do it so it's free and easy to them."

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

