Slashdot Mirror


Deconstructing a Pump-and-Dump Spam Botnet

Behind the Front writes "eWeek has teamed up with Joe Stewart, a senior security researcher at SecureWorks in Atlanta, to show the inner working of a massive botnet that is responsible for the recent surge of 'pump and dump' spam. It's a detailed picture of how these sleazy operations work and why they're so hard to shut down. Sobering numbers: 70,000 infected machines capable of pumping out a billion messages a day, virtually all of them for penis enlargement and stock scams. Excellent graphics, too, including one chart that shows that Windows XP Service Pack 2 is hosting nearly half the attacked machines."

9 of 382 comments

  1. I'm glad I run my own mail server by zitch · Score: 3, Informative

    And implemented greylisting on it. Cut out almost 100% of the spam I have been receiving (was up to 50 emails a day; now I think only one has gone through since I installed postgrey on my mail server 1.5 months ago!). Unfortunately, this is easy to get around, so it should only be a matter of time till that is worked around and becomes useless in the spam fight. By that time, hopefully another anti-spam method comes up...
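
    A minimal greylisting decision function in the spirit of what this comment describes, added here as an illustration and not code from the post or from postgrey. The delay, retry window and whitelist lifetime are constructed values assumed for the example, and the triplet is keyed on the IPv4 /24 rather than the exact client address, so a retry from a neighbouring MX in the same pool still matches.

```python
from dataclasses import dataclass, field

# Assumed policy values for illustration (not taken from the post or from postgrey).
GREYLIST_DELAY = 300             # seconds a new triplet must wait before first accept
RETRY_WINDOW = 2 * 24 * 3600     # pending triplet that never retries expires after this
WHITELIST_TTL = 35 * 24 * 3600   # a proven triplet stays accepted this long without re-greylisting


@dataclass
class Greylist:
    """In-memory greylist keyed on (client /24, sender, recipient) triplets."""
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    known: dict = field(default_factory=dict)     # triplet -> time last accepted

    def decide(self, client_ip: str, sender: str, recipient: str, now: float) -> str:
        """Return 'accept' or 'defer' (the MTA maps 'defer' to a 450 temporary failure)."""
        # Key on the /24 so a retry from another host in the sender's MX pool matches.
        net = ".".join(client_ip.split(".")[:3])
        key = (net, sender.lower(), recipient.lower())

        last = self.known.get(key)
        if last is not None and now - last < WHITELIST_TTL:
            self.known[key] = now          # refresh the whitelist entry
            return "accept"

        first = self.pending.get(key)
        if first is None or now - first > RETRY_WINDOW:
            # First contact, or a stale entry nobody retried: start the clock.
            self.pending[key] = now
            return "defer"
        if now - first < GREYLIST_DELAY:
            # Retried too soon; a well-behaved MTA will try again later.
            return "defer"

        # Sender waited out the delay and came back: a real MTA, whitelist the triplet.
        # This is also the weakness the post mentions: a bot that simply retries later
        # passes the same check, so greylisting is a filter, not a verdict.
        del self.pending[key]
        self.known[key] = now
        return "accept"
```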

  2. Re:thats okay, but how to detect this infection? by Bastian · Score: 2, Informative

    Get a virus scanner, silly. I believe this trojan is detected by all of them.

  3. Re:Filter by tinkerghost · Score: 2, Informative

    Check your TOS with your ISP again. Many of them have prohibitions against running servers off of your dynamic IP address. Most of that is a holdover from when having a 'server' defined you as a business user, but it's still there. I know that RCN shut down port 80 inbound following Code Red because there was more virus traffic than actual requests - it's staggering how many people are running IIS without knowing it. At one point they also blocked all port 25 traffic not directed to the official network mail servers [excluding static IP customers]. There were craploads of complaints, but the right to do so was clearly marked in the TOS.

  4. Re:how effective is it? by spaceyhackerlady · Score: 2, Informative

    Just to reiterate what these scum are doing:

    1. Buy some really cheap stock at a really cheap price.
    2. Hype it to victims.
    3. Sell it to victims at inflated prices. Pocket the profit.
    4. Victims are now stuck with a worthless stock that they can only sell at a large loss.

    They usually work for the pump and dumper. Everybody else gets screwed. That's why it's a scam.

    The companies are real, and you can look them up on NASDAQ or Pink Sheets. I've looked a few of them up, and they all show an enormous spike in trading, a big spike in price, then a rapid fall.

    While there are ways to make money on declining stock value ("short selling"), you can't do it with the stocks these filth are hyping.

    ...laura

  5. Re:nmap? by Cruise_WD · Score: 2, Informative

    If you RTA, you'll find that they know because the Trojan itself logs which machines it's infecting, presumably because the people behind it like to know what's working and what isn't. Therefore this data is coming straight from the (trojan) horse's mouth...*badum bish*

    --
    [ cruise / casual-tempest.net / xenogamous.com / transference.org / quantam sufficit ]

  6. Re:how effective is it? by KokorHekkus · Score: 2, Informative

    Do these pump and dump scams even work? If so, by what kind of margins?

    A previous article posted on Slashdot indicated a return between 4.9% to 6% (per scam) when it works. See http://it.slashdot.org/article.pl?sid=06/08/25/1821256

  7. Re:I'm just surprised that those spams still ... by pandaba · Score: 2, Informative

    I was really curious about the success rate of a pump & dump scheme so I took a look into my spam folder recently. Starting on Wednesday, I received three emails advocating TORA.OB. So I started tracking that stock.

    Looking at the company's filings showed a rather pathetic operation with a minuscule amount of revenue. However, the volume on the company has skyrocketed in the past few days. It's gone from nearly no trading to 296,000 shares traded yesterday and 31,000 so far today. The price has shown a nice increase too, going from around 0.75 on Wednesday to 1.01 today, with it hitting highs around 1.10.

    Have to say I was surprised this spam worked. You don't have to be a financial expert to know this company is full of shit. Just reading the financials was rather amusing.

  8. Shorting won't work... by camusflage · Score: 3, Informative

    No broker will allow you to short a pink sheet stock, which the overwhelming majority of pump and dump spam deals with.

    --
    The truth about Scientology, Xenu, and you: Operation Clambake

  9. Re:Filter by b0s0z0ku · Score: 2, Informative

    If the first function was switched to a different port number (i.e. not 25) and made authenticated, then port 25 could be blocked by default for dial-up-style users without inconveniencing anyone.

    It's been done. Port 587 is used for non-secure client-to-server SMTP already. Some ISP's allow port 587 passthrough but block 25. Personally, I think that sucks, and I'll summarily dump any ISP that blocks 25, if only because I need access to port 25 for things like testing clients' servers sometimes.

    -b.