Image Spam Comes in a New Flavor
By Nick Kelly, Anti-Spam Research Analyst, McAfee Avert® Labs
Just when you thought it was safe to receive and open Adobe Acrobat PDF attachments—a new form of image spam arrives on the scene. By now, just about everyone has received this familiar variety of junk mail, where the spam message is embedded in a .GIF or .JPG rather than text.
In spite of a slight decline in image spam this winter and spring, researchers at McAfee Avert® Labs are warning us that the cyber criminals are back in full force with a new approach. Clever miscreants are now embedding spam messages into highly professional-looking, well-designed PDF attachments, traditionally a relatively safe vehicle for transmitting legitimate business documents.
It’s a new take on the "pump-and-dump" stock scheme, a high-growth criminal industry and a remarkable piece of social engineering and market manipulation. Just a few weeks ago, German email users reported receiving unsolicited messages containing an attached PDF file named "sexy_ganja_report.pdf", which encouraged recipients to invest in a company called Talktech Media on the promise that they would receive a portion of the profits. According to the IT Compliance Institute, this particular campaign “may have set a record . . . with the transmission of five billion copies of the same email, amounting to about nine percent of all spam sent that day worldwide.” (SOURCE: "Massive pump-and-dump campaign sets record", IT Compliance Institute, http://www.itcinstitute.com/display.aspx?id=3752)
Spammers have turned to this technique because most anti-spam solutions don’t scan PDFs. Usually, the PDF files are embedded in spam emails with randomly generated subject lines, sender names, and a blank message body. It is believed that the Talktech Media stock spam was sent from Stration-infected computers. This attack was very similar to a recent W32/Stration worm mass mailing, which also contained a number of PDF files. Virus- and Trojan-infected botnet PCs are commonly used to send pump-and-dump scams and other types of image spam because the spammer can send large amounts of mail without paying for or worrying about the bandwidth required to send millions of spam messages with relatively large attachments.
What’s the rationale behind pump-and-dump stock schemes? The motive is profit, and spammers play on the public’s desire to get rich quick. Spammers buy low-cost stocks and send out image spam or a spam PDF displaying a real stock market symbol in the hopes that gullible people will buy the stock and hike up the share price. Inevitably, a certain percentage of recipients fall for the scheme and purchase the stock in the hopes of getting a healthy return on their investment. When the share price shoots up, spammers sell off their stock and take the money and run. According to a recent study conducted by researchers at Oxford and Purdue universities, spammers have realized a 5 percent to 6 percent return in a matter of days. The study points out that recipients who purchased the penny stock usually lost about 7 percent of the money they invested.
Aside from the financial and personal toll of image spam, it also takes a toll on email servers and productivity. Image spam is typically three to four times the file size of text-based spam, so more server space is needed to store the messages, and more bandwidth is consumed. And image spam messages with PDFs are even more bloated, so this is likely to exacerbate the problem.

Example of a pump-and-dump PDF document that looks like a legitimate investment analyst report. (SOURCE: “Hackers Launch PDF Spam Campaign” by Fiona Raisbeck, Secure Computing Magazine, June 28, 2007, http://scmagazine.com/uk/news/article/667858/hackers-launch-pdf-spam-campaign/)
Pump-and-dump spam has gotten so out of hand that the U.S. Securities and Exchange Commission (SEC) suspended trading in securities of 35 companies that had been the subject of stock spam campaigns from September 2006 through January 2007. The suspension lasted ten days and represented the most significant action ever taken by the SEC against stock spam campaigns. This decision was part of the "Operation Spamalot" initiative, which aims to protect investors from spam. The SEC is also aggressively going after stock spam profiteers. Recently, the SEC froze $3 million belonging to an Eastern European cyber crime ring involved in an online stock manipulation case. Such high-profile, widely publicized actions are sure to heighten awareness of the risks of investing in these scams.
The appearance of PDF-based image spam was predicted by McAfee Avert Labs in the article “Email Spam Plague Persists”, published in the latest SAGE report, as PDF files are easier to automate than other document formats. The prediction appears to be holding true. Recently, PDF spam has spread from its initial pump-and-dump stock campaigns to other types of image spam, such as fake pharmaceuticals. With GIF-based image spam on the decline, we expect spammers will continue to try similar methods of sending image-based spam.
The current PDF spam campaigns are detected by McAfee anti-spam solutions. Anti-spam vendors are hard at work exploring additional techniques for scanning PDF attachments to try to anticipate what spammers may try next. In the meantime, you can take some countermeasures. First and foremost, exercise common sense. The usual advice of not opening attachments or clicking on links from unknown senders still applies. Also, read security blogs to stay abreast of the latest threats, so that you can develop a critical eye. It doesn’t hurt to cultivate a healthy dose of scepticism, so that you don’t fall for these schemes. And, of course, implement a solution that takes a holistic approach to spam detection backed by assiduous research. Anti-spam security software should include sender IP reputation, domain name reputation, and header checking to stem the influx of image spam into your servers and your inbox.
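As an added illustration, not code from the article or from McAfee, the following Python script uses the standard library's email parser to surface the traits the text describes (a blank message body carrying a PDF attachment, plus a simple header check): the Message-ID check, the attachment-size tally and the flagging rule are assumptions made here for the example, and the sample message is constructed rather than a captured spam.

```python
import email
from email import policy
from email.message import EmailMessage

def build_sample(subject: str, body_text: str, attach_pdf: bool) -> bytes:
    """Build a constructed test message (not a real captured sample)."""
    msg = EmailMessage()
    msg["From"] = "random.name@example.invalid"  # constructed sender
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body_text)
    if attach_pdf:
        # A few placeholder bytes stand in for the PDF; only the MIME
        # type and filename matter to the checks below.
        msg.add_attachment(b"%PDF-1.4\n%placeholder\n%%EOF\n",
                           maintype="application", subtype="pdf",
                           filename="report.pdf")
    return msg.as_bytes()

def pdf_spam_indicators(raw: bytes) -> dict:
    """Extract the traits the article attributes to PDF spam."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content().strip() if body is not None else ""
    pdf_names, attach_bytes = [], 0
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        attach_bytes += len(payload)  # large attachments load servers
        is_pdf = (part.get_content_type() == "application/pdf"
                  or name.lower().endswith(".pdf"))
        if is_pdf:
            pdf_names.append(name)
    return {
        "blank_body": body_text == "",
        "pdf_attachments": pdf_names,
        "attachment_bytes": attach_bytes,
        "missing_message_id": msg.get("Message-ID") is None,  # assumed header check
    }

def looks_like_pdf_image_spam(raw: bytes) -> bool:
    """Assumed rule: a blank body carrying a PDF is the pattern to flag for
    review; a production filter would combine this with reputation data."""
    ind = pdf_spam_indicators(raw)
    return ind["blank_body"] and bool(ind["pdf_attachments"])
```

A message with a blank body and a PDF attachment is flagged; the same PDF sent with an explanatory body, or a blank message without an attachment, is not.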