IT Security Blog

28 February 2007

Who Really Gets Duped by Stock Pump and Dump Scams?

Unfortunately, a lot of people.

Stock Pump and Dump scams currently account for about 20% of the spam email that we see in the MX Logic Threat Center. Most of it is image-based (spam that consists mostly of a single image as the advertisement instead of plain text or using HTML tricks to piece text together).

How does a "pump and dump" scam work?

Typically, a stock is chosen (in many cases an over-the-counter stock) which is trading for only a few pennies. This way the scammer can purchase many shares of the targeted stock with only a small investment. These stocks typically also trade in low volumes, which makes the stock price easy to manipulate.

This is where the scam begins.

Once the scammer has purchased some of the target company's stock, they can slowly manipulate the price based on the amount that they purchase. They then send out blast spam emails claiming the stock is "ready to explode" or "will gain 400% over the next two weeks" in an effort to lure potential victims. This is the "pump," and this cycle may repeat several times until the scammer is satisfied with their return, at which point they "dump" their holdings and the stock price plummets, leaving their victims holding the bag. On average, the pump and dump scammer makes about 5.75% per scam and the victims lose about 5.5%.

There are several other scenarios to the pump and dump scam, but this is the most common and easiest to explain.

Aside from the people who thought they were getting a great deal on a stock tip, the other innocent victim is the company that was targeted. In many cases the company has no idea that it was targeted for a pump and dump scam, and in some cases the stock price after the scam ends up lower than it was before the scam.

So, what is being done about this? The SEC is in the process of examining brokerage firms to ensure that they have adequate technology and staff training to prevent fraud, but in many cases by the time the fraud is detected it is too late. Fraud cost brokerage firm E*Trade approximately $18M in the third quarter of 2006 alone!

Obviously, there is still a lot more to be done. Few lawsuits have actually been filed to date. This is largely because scammers have gotten so good at staying hidden that it is difficult to track them down. Although some have been prosecuted, it is still barely making a dent in the overall fraud economy.

The key takeaway from all of this is to never take investment advice from anonymous or unsolicited email. Do your own research and ignore the noise of "Get Rich Quick" schemes. As the adage goes, "If it sounds too good to be true, it probably is."

Posted by smasiello at 10:14 AM

20 February 2007

Computer Security Best Practices

The main inspiration for this posting came from CERT's (CERT stands for Computer Emergency Response Team) recommendations for home computer security. Click Here for the full article. The best practices that they recommend, however, are pertinent not only for home computer users but for any business user as well.

I'll issue a standard disclaimer before I dive in. Although these items may be considered best practice, they are in no way a silver bullet for keeping your PC from getting infected with malware. If they are followed and if you remain diligent, you can greatly decrease your risk.

Now that we have that out of the way, CERT has 9 tasks that they recommend in their article. I'll list them out one by one followed by a short blurb after each.

Task 1 - Install and Use Anti-Virus Programs. I'll add onto this that it is not enough to simply install and use the program, but rather that it must also be kept as up to date as possible. Ensure that you are downloading updates regularly and that your subscription is up to date. Your anti-virus program is only as effective as the last update it downloaded.

Task 2 - Keep your System Patched. This includes not only your operating system itself, but security updates for all of the applications that are installed on it. Virtually any installed software application has the propensity for a vulnerability, and that vulnerability is the open door for a hacker to inject malware onto your PC.

Task 3 - Use Care When Reading Email With Attachments. This is something that we have been preaching for quite some time given that we are in the email defense space. The utmost care needs to be given when opening any email attachment, whether it comes from someone that you know or not. If an attachment arrives from someone you know and you weren't expecting its arrival, contact them and make sure that it is truly from them. Of course, never open attachments from people that you don't know.

Task 4 - Install and Use a Firewall Program. Since the release of Windows XP Service Pack 2, a software firewall has been included as part of the operating system. Make sure, however, that any software firewall that you have installed is inspecting both incoming and outgoing traffic from your PC. It is one thing to keep intruders from getting to your PC, but should it become infected, your firewall needs to be able to stop malicious outbound traffic from either downloading more malware or communicating with the PC that is controlling it.

Task 5 - Make Backups of Important Files and Folders. Make sure that documents, spreadsheets, reports, pictures, articles, and anything else that you have written or that otherwise has value to you are backed up outside of your PC. This can be either on an external USB drive or even on an online file storage system. This way, if your PC gets infected with malware that deletes files, or has a hardware failure like the loss of a disk drive, you won't lose work that is important to you or that you wouldn't want to redo.

Task 6 - Use Strong Passwords. A good strong password generally has a mixture of upper and lower case letters along with numbers and some form of punctuation. A common method of password cracking is called brute force, where the hacker attempts every combination of characters in order to find out what your password is. The more complex your password is, the longer it will take the hacker to figure it out. There are lots of ways around passwords, however, since passwords are generally meant to only protect users from other users. If a criminal wants to get your password, they have plenty of methods to try to get at it, whether it be keyloggers, sniffers, or other forms of malware. Although strong passwords are a good practice to follow, they aren't going to protect you from a criminal.

Task 7 - Use Care When Downloading and Installing Programs. This is especially true if you frequently download and install applications that you found online or obtained via a peer-to-peer network. The same quality standards do not exist online as in other regulated industries. As a result, the new screen saver that you just downloaded which shows pictures of your favorite sports team's stars may actually be a front for a backdoor that could be a prime malware injection point for a hacker. Always be sure you understand what you are installing onto your computer before you run the setup program.

Task 8 - Install and Use a Hardware Firewall. The CERT article sums this up well where they said "Complement your firewall program by installing a hardware firewall. Together, these two firewalls stand between your home computer and the Internet." This is a good practice to follow. Everyone should do it.

Task 9 - Install and Use a File Encryption Program and Access Controls. Access Controls are especially important if you share a computer with your children. Kids will browse the internet, download, click, and install anything that they can get their hands on with no eye for security (Adults aren't off the hook for this either...they do it too!). As a result, it is important that access controls be implemented which prevent or at least limit this type of behavior to mitigate as much risk as possible. Encryption of your important files will keep the contents of the documents that you want to keep secret reasonably hidden from prying eyes.

Although these practices are not going to keep you, your PC, or your personal information protected with 100% certainty, they provide a solid roadmap to follow such that you can keep yourself safe from most computer related threats.

Technology is only part of the solution and will only provide so much protection. The biggest weapon in the fight against hackers and malware is user education and diligence. Unless we arm ourselves, our users, and our customers with the knowledge that they need in order to protect themselves from online crime, the risk level will always remain very high.

Posted by smasiello at 2:04 PM

15 February 2007

Live Phishing -- A New Shine on an Old Tactic

Over the past few months a new term has made its way around the Spam and Security communities. That term is "Live Phishing."

Be not alarmed.

This is not a new method by which hackers are trying to steal your personal information. It is essentially a new name for an age old tactic which predates current technologies. Live Phishing is the "phishing" for someone's personally identifiable information via the telephone.

Here is an example: You get a telephone call from someone purporting to be from your local bank. They convince you to start giving up some of your personal information such as date of birth, mother's maiden name, make of your first car, and maybe even your social security number if they feel they have earned your trust. The person that you have just given your info to now has whatever they need to call your bank and start draining your accounts.

Financial institutions have been making many strides in an attempt to protect you when you log in to your accounts via their web site. However, passwords, two-factor authentication, and on-screen keyboards can only provide so much protection. Technology can only provide so much ability to protect users from themselves. More important is that user education and user diligence are also needed to back up the changes in technology.

Posted by smasiello at 9:59 AM