Trending Stock Spam Sent By Botnet-Infected Domains

 Analysis by: Mary Grace Ermitano-Aquino

 It seems that cybercriminals are now going after stock traders, as since June20, our team of engineers have been observing a large spike of stock trading spam purporting themselves to be filled with exclusive, secret get-rich-quick stock trading tips.

The first variant spotted claimed itself to be a legitimate message from 'Real Investments Daily Tip'. A few hours later, another similar spam arrived, this time with salad words appended at the bottom of the spam body, most likely to bypass typical mail filters. This one sold itself as coming from 'Investors Hub'.

June 21, and even more variants of the spam came to our attention, this time pretending to be from 'Investors Hub News'. These came with subjects that tried to bait stock enthusiasts and traders to read them, such as 'This stock will go nuts today', 'Looking for an amazing stock to buy?' and 'This is the next big stock play'. The spammed mails also contained images and salad words were again appended at the bottom part of the mail. Another wave of spam was also seen in the following day, sporting the subject 'Invest today, cash out next month'. These variants claimed their senders to be Scottrade and TD Ameritrade, both reputable stock trading firms.

Later variants were seen to ape messages from Bloomberg, Market Club Daily and Money Runners. The latest variant even came with a vCard attachment. Checking the vcf file, the forged sender seems to be from Rainbow International Corporation, a company focusing on distributing Bohemian crystal. 

Looking deeper into all the stock spam variants received, we discovered that all of them seem to be related to RNBI. Upon checking the sender IPs, they are listed in the Complete Blocking List(CBL). The sender domain appears to be infected with a spam sending trojan, proxies or some other form of botnet. The IPs are infected with the KELIHOS spambot. In other words, it's participating in a botnet.

We once more urge users, stock traders or no, to never open or humor spam mails such as these, especially when they try to impart financial advice.

Trend Micro detects and blocks all spam related to this spam campaign.

  • ENGINE:7.5
  • PATTERN:0768