Massive spam campaign

Yesterday we saw a massive spike in spam coming into our traps. Around 4.40pm BST (8.40am PST) a large PDF stock pump-and-dump campaign started which increased the spam seen at customers’ gateways by 30%. The campaign first appeared in our traps in Germany but quickly spread around the globe.

PDF-based spam has been increasing over the past few months, but what makes this campaign unusual is the sheer volume. The rise in PDF spam has been linked by some security analysts to the recent eCard outbreaks.

The cycle is as follows: the eCard spam campaign contains links to websites hosting malware, and users who unwittingly click on the link get infected. These new recruits to the spammers’ ‘botnet’ are used to dynamically create a PDF file containing the details of the latest stock pump-and-dump target, based on instructions from the ‘botnet’ owner.

These PDF files are then spammed out from a variety of sources.

The campaign is still going 15 hours after it started; the peak in volume lasted for the first 2 hours.

The focus of this particular campaign is “Prime Time Group Inc”, which described itself as “a forward thinking company that has interests in wireless products and services for today’s youth market.” Recently, the company announced plans to open two new stores in Puerto Rico, and it is this news that seems to have attracted the attention of the spammers.


You may notice that the PDF is actually 10 pages long; the remainder of the PDF contains random characters and may well vary to try to fool a simple ‘checksum’ detection (but I’m still investigating this).
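The checksum point above, as an added illustration that is not code from the original post: simulated extracted PDF text with a constant first page and random filler pages shows why a whole-file hash differs for every copy, while a fingerprint of the normalised first page groups the variants so a batch can be counted. The company name, ticker symbol and page layout are constructed placeholders.

```python
"""Padding-resistant bulk detection for stock-pump documents.

Added illustration, not Sophos code. The post notes that the PDF's trailing
pages are random characters, so a checksum of the whole file differs for every
copy. Fingerprinting only the normalised first page groups the variants again.
The documents below are constructed stand-ins for extracted PDF text.
"""
import hashlib
import random
import re
from collections import Counter

# Constructed pitch page; company name and symbol are placeholders.
PITCH_PAGE = (
    "HOT STOCK ALERT: Example Corp (symbol: EXMP)\n"
    "Big news expected this week. Get in before it moves!\n"
)
PAGE_BREAK = "\f"  # form feed marks a page boundary in extracted text
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789 "


def make_variant(seed: int, noise_pages: int = 9) -> str:
    """One pitch page followed by pages of random filler (10 pages in total)."""
    rng = random.Random(seed)
    filler = ["".join(rng.choice(ALPHABET) for _ in range(400))
              for _ in range(noise_pages)]
    return PAGE_BREAK.join([PITCH_PAGE] + filler)


def whole_file_checksum(doc: str) -> str:
    """Naive approach: hash every byte, so any change in the filler defeats it."""
    return hashlib.sha256(doc.encode()).hexdigest()


def normalise(text: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", text.lower()).split())


def first_page_fingerprint(doc: str) -> str:
    """Hash only the normalised first page; the filler pages are ignored."""
    first_page = doc.split(PAGE_BREAK, 1)[0]
    return hashlib.sha256(normalise(first_page).encode()).hexdigest()


def bulk_fingerprints(docs, threshold: int = 3) -> dict:
    """Fingerprints seen at least `threshold` times across a batch of documents."""
    counts = Counter(first_page_fingerprint(d) for d in docs)
    return {fp: n for fp, n in counts.items() if n >= threshold}
```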


Of course there is nothing to suggest that the company in question has anything to do with this campaign – it is the sheer size of this campaign that makes it noteworthy. To date, the trend has been for smaller campaigns that rapidly evolve and modify themselves to try to get round anti-spam products. We will be watching closely to see if another campaign starts later today.

One question I am often asked is how we can work together to stop the rise in spam. While Sophos works around the clock to protect our customers from spam, malware and web threats, a look at the stock price shows why these campaigns continue. The share price of this particular company has risen by 60% since last Friday, so as long as recipients of this type of spam continue to try to profit from these ‘tip’ stocks, the spam will continue.