Hot stocks to your inbox


i n s i g h t

SA Mathieson

Since the end of 2005, share-promoting spam has been cramming our email. Steven Mathieson investigates this phenomenon.

The medium may be new, but the technique is decades-old. Since the start of last year, spam promoting shares — stock spam — has grown from 0.8% of all junk email to 15% now, according to UK IT security firm Sophos. Ed Macnair, chief executive of email management company Marshal, says his firm has seen such spam for four years, but agrees it has exploded in volume over the last 12 months.

Those wanting to move a stock price for their own ends — usually to ‘pump and dump’, hyping a company so as to offload previously purchased shares at a profit — have used telegrams, letters, telephone calls and newspaper columns to do so. Paul Baccas, spam researcher at Sophos Labs, describes one historic technique: “talking very loudly in bars and restaurants, saying ‘I'm going to put a million into this company’. It works”. Stock spam can work too, although it is a short-term investment, and not for the faint of heart. An academic working paper by Rainer Böhme and Thorsten Holz,* based on 7,606 stock spam messages on 111 companies with available stock-price data, reports an aggregated cumulative abnormal return on a spammed company's share-price of +1.7% on the day of the attack, with the effect dropping into negative territory on the fourth day afterwards.

Infosecurity Today September/October 2006

Another such paper by Laura Frieder and Jonathan Zittrain,** based on 75,415 messages concerning 307 companies, found that those who respond to touting lose on average 5.25% in two days. However, the spammer buying a day in advance and selling after one day of touting makes an average of 4.9%. This finding supports the conclusion of Böhme and Holz, that ‘the business model for stock spam actually works’. But as Frieder and Zittrain suggest, it only works for the spammers!

Joshua Cyr (http://www.spamstocktracker.com/) has tracked a virtual portfolio containing 1,000 shares ‘purchased’ when he received stock spam for that company: from May 2005 to late August 2006, this portfolio had turned $71,000 into $24,000. A similar exercise by Marshal, starting early this year and tracking around 20 spammed stocks, turned $53,163 into $39,346. “In most cases we've seen, this has had a very damaging effect on the company's share price,” says Marshal's chief executive Ed Macnair. Neither the portfolios nor the academic papers factored in the often wide differences in purchase and sale prices experienced with lightly-traded stocks, making losses even greater.

Our sample

Over five weeks in July and August, Infosecurity Today found 22 companies were mentioned in a small sample of just over 200 stock spam messages received. None have a primary listing on stock exchanges: 16 are traded through the Pink Sheets system, which tracks the prices of small unlisted stocks, and the other six are on the OTC Bulletin Board, which is regulated by the US Securities and Exchange Commission (SEC), and requires an intermediate level of financial reporting. The firms tracked by Böhme and Holz had a similar 2 to 1 split between two systems (Frieder and Zittrain looked only at Pink Sheets firms), although three of the 22 in our sample are also listed on the Frankfurt stock exchange. 16 of the firms are US-based, three Canadian with one each from China, Korea and Singapore. Marshal estimates that about 70% of stock spam ultimately originates from North America, although the use of botnets to forward such email clouds the issue. Macnair says that the growth of share trading in east Asian countries could increasingly make their companies targets. The companies appear to be small: of the five with market capitalization figures available through Nasdaq.com (all listed on the OTC Bulletin Board), four were worth between $6 and $29 million, with one, Quantum Energy, rather larger

From the gilded age of Wall Street

‘These people used to send out tips to buy or sell a certain stock - hundreds of telegrams advising the instant purchase of a certain stock and hundreds recommending other customers to sell the same stock, on the old racing-tipster plan.’ (On a firm accepting bets on share movements in the first half-decade of the 20th century)

‘It has always seemed to me the height of damfoolishness to trade on tips... I sometimes think that tip-takers are like drunkards... It is not so much greed made blind by eagerness as it is hope bandaged by the unwillingness to do any thinking.’

Edwin Lefèvre, Reminiscences of a Stock Operator, 1923


of blacklisting by URL. Cluley says that this actually helps Sophos, as it does not rely on this technique.


Such campaigns tend to be fairly short-lived. Böhme and Holz found that the longest campaign in their 16 months of data was 77 days, but according to Macnair, these usually last a few weeks at most: “To be effective, it requires a high take-up in a very short space of time.”

Share price graphs for Goldmark Industries, July and August 2006

at $156m. The prices of smaller capitalization stocks take less effort to move, making them more vulnerable to a pump and dump campaign.

Quantum Energy, Goldmark Industries, KMA Global Solutions, PetroSun Drilling

Four of the 22 firms made recent efforts to disassociate themselves from the stock spam, through issuing a press release. Nevada-based oil firm Quantum Energy stated on 8 August: “Under no circumstances has the Company or any person or group associated with the Company participated or acquiesced with this SPAM activity... This SPAM is a reprehensible activity carried out by unknown parties.” The others were US/Canadian entertainment firm Goldmark Industries, US electronic surveillance label maker KMA Global Solutions and US oilfield services startup PetroSun Drilling. All were approached for further comment, but none responded.

Some stock spam emails use plausible names and subject lines such as “FWD: ticker watch” or “Trader alert”, but many do not — one title line read ‘marketing holmium thulium erbium’, and other spam indicators, such as chunks of irrelevant text and odd formatting intended to confuse spam filters, are often present.

Just like the real thing!

However, the main content is often well-presented, aping the format of stock analyst reports — although the kind written by analysts under the combined impact of a dot com boom and six double espressos. “Could this be the next Exxon?” asks one of PetroSun Drilling, which opened in June 2005 and had net income to the end of the year of $21,495. In the second half of 2005, ExxonMobil — the world's largest company by market capitalisation — had net income of $20.63 billion. A few even have disclaimers: one ends with ‘WARNING: You can lose all your money by investing in this stock.’

Sophos' Paul Baccas says the credibility of the emails is important. “The problem they have is that if they want to make money, they have to look legitimate,” he says. “You wouldn't trust a stockbroker who couldn't spell stock.” However, both Sophos and Marshal think some buyers recognise stock spam for what it is, but act on it anyway. “We've seen smart traders who understand there is a scam going on, but if you get in fast enough and get out before the whole thing crashes, you've made money,” says Macnair.

Embedded images

High-quality stock spam has been getting through by using embedded images — lots of them. When looking at a sequence of apparently the same email (as shown), the background colour may alter, pixels of "noise" change location or the font may switch. This means an automated scan for previously blocked images will fail, although both Sophos and Marshal say they can cope with this, in Marshal's case through optical character recognition. “Sometimes this backfires on the spammers,” says Graham Cluley, senior technology consultant at Sophos, of the attempts to tweak the images. “We see 'uncanned' broken spam, where all you see is static.” Another difficulty for blocking it is that stock spam does not require links, which removes the possibility
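The effect of shifted backgrounds and relocated noise pixels on a scan for previously blocked images can be reproduced on a toy image. This added example is not from the article and is not how Sophos or Marshal detect image spam (the article says Marshal uses optical character recognition); it contrasts a byte-exact digest with a simple average-hash fingerprint on constructed 32×16 grayscale pixel grids, and the function names and the 6-bit threshold are assumptions.

```python
import hashlib
import random

W, H = 32, 16  # constructed toy grayscale image (0-255), not a real spam sample

def render(background=230, seed=None, noise=12):
    """Dark 'text' bars on a light background; a seed adds relocated noise pixels."""
    img = [[background] * W for _ in range(H)]
    for y in (3, 4, 8, 9, 12):
        for x in range(4, 28):
            img[y][x] = 20
    if seed is not None:
        rng = random.Random(seed)
        for _ in range(noise):
            img[rng.randrange(H)][rng.randrange(W)] = rng.randrange(256)
    return img

def exact_digest(img):
    """Byte-exact fingerprint: any changed pixel gives a new digest."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, cells=8):
    """Block-average down to cells x cells, then one bit per cell: brighter than the mean?"""
    bh, bw = len(img) // cells, len(img[0]) // cells
    means = [
        sum(img[y][x] for y in range(r * bh, (r + 1) * bh)
                      for x in range(c * bw, (c + 1) * bw)) / (bh * bw)
        for r in range(cells) for c in range(cells)
    ]
    mean = sum(means) / len(means)
    return [m > mean for m in means]

def hamming(a, b):
    """Number of fingerprint bits that differ."""
    return sum(x != y for x, y in zip(a, b))

def matches_blocked(img, blocked_img, max_bits=6):
    """Near-duplicate test: fingerprint within max_bits of a blocked image's."""
    return hamming(average_hash(img), average_hash(blocked_img)) <= max_bits

if __name__ == "__main__":
    blocked = render()  # the image already on the blocklist
    for label, img in [("noise moved", render(seed=1)),
                       ("new background + noise", render(background=200, seed=2))]:
        print(label,
              "| exact match:", exact_digest(img) == exact_digest(blocked),
              "| near-duplicate:", matches_blocked(img, blocked))
```

A font switch or heavier layout change would move more bits than this fingerprint tolerates, which is where content-level approaches such as the OCR the article mentions come in.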

Trust eroded

Security expert Marcus Ranum, who among other things invented the proxy firewall, believes that stock spam will lose its effectiveness quite rapidly – but this will happen through an erosion of trust in email. “That's neither a good thing nor a bad thing – but as a long-time user of email I find it a bit sad,” he writes in an e-mailed response to questions.

Ranum says that when he first used email in the mid-1980s, users called each other to check an email had arrived, due to the unreliable routing systems: now, users again call to check receipt because of spam filtering. “'We' made this amazing system and it rose to a pinnacle of awesome functionality — and now we're right back where we started thanks to spammers, con-artists, stock pimps, etc,” he writes.

“If anything, the stock spam problem is getting worse,” says Cluley. He says the technique could be developed further, such as through targeting users interested in a certain subject with stock spam about companies in that field, or


Goldmark Industries*

The experience of Goldmark Industries — which made up 18% of all the stock spam received in the Infosecurity Today sample — seems fairly typical. Its stock was priced below $5 for several weeks before the campaign appears to have started on 6 July. On that day, volumes of stock traded went from 500 the day before to 38,600, the price peaked at $7.30 and closed at $6.25. On 12 July, which saw 75,900 shares traded, the price peaked at $9.15 and closed at $8.50, and it peaked at $8.90 again on July 26. But after that, the price gradually moved downwards.

Several of the emails quoted sections of genuine Goldmark press releases: at the start of July, the firm announced a change of direction towards hip-hop and urban music, and has made supporting announcements on this since. Furthermore, the current prices quoted in the emails were usually correct - it's just that the price expectations were usually not. On Monday 17 July, one email quoted Goldmark's current price as $7.50 - it had actually closed the previous Friday below $7 - with a "Most Probable Target Price" of $8, which was exceeded eight days later. But on 24 July, another correctly quoted the price as $5.60 and mentioned a "Short Term Target Price" of $12, the same target price quoted in the emails reproduced here from 25 and 26 July, a level which the price never approached.

On Monday 31 July, the current price was again correctly quoted at $5, with no target price mentioned, although the email did say "Get GDKI First Thing Today, This Is Going To Explode!". It rose above $7 on 2 August, but then drifted downwards. After having appeared in stock spam almost every day previously, Goldmark vanished from the in-box until 21 August, when its current price was quoted as $4.60 with a "5 day expected" price of $7.90. On Friday 25 August, the stock opened at $4.05.

*NB: Infosecurity Today would like to make it clear that Goldmark issued a press release disowning the spam.

through using voice over IP to extend fake telephone messages purporting to be hot stock tips left on the wrong voicemail. Cluley adds that this “wrong address” technique has already been used in email stock spam.

Stock spam still viable

A Russian price list recently released by Sophos, which suggests one group of spammers charges $50 to hit a million email addresses in any country, shows why even if the vast majority of stock spam is blocked or ignored it is still commercially viable. Although a regulator such as the SEC could issue warnings that a particular firm was being attacked, this could damage the company unfairly - and could lead to ransom demands from stock spammers - or it could be counterproductive, with some traders watching for firms which could be bought for a quick increase. Instead, the SEC and other regulators offer generic advice (http://www.sec.gov/investor/pubs/cyberfraud.htm).

Marcus Ranum: time to fold the cards on email as a communication tool?

The SEC also brought charges against WebSky and its chief executive Douglas Haffer, “for selling WebSky shares in a subsequent transaction to an entity controlled by Stone and Diller without registering the transaction or



References

*Böhme, Rainer and Holz, Thorsten, "The Effect of Stock Spam on Financial Markets" (April 2006). See http://ssrn.com/abstract=897431

**Frieder, Laura and Zittrain, Jonathan, "Spam Works: Evidence from Stock Touts and Corresponding Market Activity" (July 25, 2006). See http://ssrn.com/abstract=920553

SEC action against Stones: http://www.sec.gov/litigation/litreleases/2006/lr19805.htm

Collection of stockspam: http://worldwidespam.info/stock/

© SA Mathieson 2006. SA Mathieson writes about IT for titles including the Guardian and Health Service Journal.


However, those generating stock spam are not above the law - and neither are the target firms, if they are accused of complicity. On 17 August, the SEC charged Jeffery Stone and Janette Diller Stone with making more than $1 million by orchestrating a fraud scheme to inflate the price of San Francisco-based WebSky using stock spam.

securing an exemption from registration”. WebSky and Haffer agreed to settle the action without admitting or denying the allegations, by returning the $35,000 paid for the shares, a permanent injunction against future violations of registration provisions in federal securities laws, and a $25,000 civil penalty paid by Haffer.
