Could we be on the verge of seeing the end of that spam scourge known as the pump and dump scheme? You know the drill, an email arrives urging you to invest in some little known penny stock and beat the experts to the punch. Nice one son, get your own back on those greedy stock broker types, that will teach them. Or maybe not, after all why would anyone with real insider information about cheap stock that is about to go ballistic bother telling you, a complete stranger, about it? What’s more, why would they tell a few million complete strangers about it? Surely, if it were true, they would invest everything they have and retire happy and rich.

Yet thousands of people fall for such scams every week, which is why pump and dump spam has become such a big business. Organized crime has not overlooked this fact, and is thought to be behind much of the pump and dump spam that arrives in mailboxes every day. Reports suggest that the average return made by the spammer for a pump and dump operation is 5%, and not so funnily enough the average investment loss made by the mug punter who falls for it is also 5% within a couple of days and not counting the share trading fees.

It is not just the money that attracts the pump and dump spammer, but the relative ease in getting away with it as well. Unlike just about every other type of spam scam, pump and dump requires no contact with the spammer or the company they are acting for, in order for that money to be made. All the spam is doing is suggesting you invest in a company, you go and use whichever means you like to broker the deal. It is spam at its purest, in many ways, pure advertising that is. The return is collected by the company being traded in, and the people behind them are usually hidden within a well constructed and complex web of offshore sham companies.

Which is why it was nice to be informed by my friend Graham Cluley, Senior Technology Consultant at Sophos, that two men have been charged by the Texas Attorney General's Office with organized criminal activity and money laundering following an investigation by the Securities and Exchange Commission into the illegal use of pump-and-dump spam emails to artificially inflate the share prices of at least 13 penny stocks between May 2005 and December 2006.

The men are alleged to have orchestrated a series of pump and dump spam scams using a zombie network for distribution at an estimated cost of around $4.6 million to the unsuspecting mug investors.

"Unfortunately for the SEC, pump-and-dump spam campaigns don't seem likely to go away any time soon" warns Cluley "the use of compromised networks of computers to spread these illegal spam messages can result in quick fortunes for the scammers, and can have serious detrimental effects on the stock involved. But, it seems that these criminals were in such a rush to make their millions that they forget to pay any attention to which email addresses were being spammed and, in the end, this looks likely to be their downfall."

That said, earlier this year the Commission did suspend trading of some 35 companies which had been the subject of pump-and-dump emails. Which is certainly one way to attack the problem. Another is to use the technology we have available, which is what PineApp is doing by successfully blocking pump and dump spam using an advanced Recurrent Pattern Detection system that can detect new spam regardless of format. This is important with pump and dump because it likes the image spam route more than any other, especially by way of PDF at the moment. "Using PDFs is just the latest trick from aggressive image spammers" says Steve Cornish, UK sales and marketing director at PineApp. The PineApp Mail-SeCure appliance integrates five anti-virus engines - three signature based, one heuristic based and one zero-hour detection mechanism - along with eleven anti-spam engines. These include RPD along with Zombie detection, IP reputation, image spam defense, heuristic and Bayesian engines. When Mail-SeCure's advanced RPD engine is activated all incoming mail undergoes statistical and pattern detection analysis and is then blocked or tagged as spam.

All of which is good news for us and bad news for the spammers. Not only is technology catching up with them but so is the law. Perhaps soon we will be able to say to spam – pumped and dumped…

About the Author

A freelance technology journalist for 30 years, I have been a Contributing Editor at PC Pro (one of the best selling computer magazines in the UK) for most of them. As well as currently contributing to The Times and Sunday Times via Raconteur Special Reports, SC Magazine UK, Digital Health, IT Pro and Infosecurity Magazine, I am also something of a prolific author. My last book, Being Virtual: Who You Really are Online, was published in 2008 as part of the Science Museum TechKnow Series by John Wiley & Sons. I am also the only three times winner (2006, 2008, 2010) of the BT Information Security Journalist of the Year title, and was humbled to be presented with the ‘Enigma Award’ for a ‘lifetime contribution to information security journalism’ in 2011 despite my life being far from over...

There have been techniques available to combat spam for a while. For example, there's SenderID and SPF, which use DNS records, and there are also DomainKeys and DKIM, which use S/MIME & digital signatures to authenticate users.

Unfortunately, email is well-established, not controlled by any one group/person, and as a result is hard to change. For one, getting everybody to agree on a single protocol is difficult in itself.

There are mechanisms available to deal with the majority of current spam, but there is no end in sight for SPAM if we can't all agree on a protocol enforcing authentication, non-repudiation, confidentiality...etc.