On average, stock prices climbed almost 2% the day the spam went out, according to two university researchers. And the more spam sent out about a specific stock, the higher the increase in its price.
Pump-and-dump stock spam works, a pair of German researchers said Thursday as they presented findings at a security conference taking place in Vancouver, Canada.
According to a report posted on the Symantec-owned SecurityFocus Web site, the researchers snared 22,000 stock-related spams between November 2004 and February 2006, then traced prices for 93 of the nearly 400 stocks mentioned in the junk e-mails.
On average, said Thorsten Holz and Rainer Bhme, academics from the University of Mannheim and Dresden Technical University, respectively, stock prices climbed 1.7 percent the day the spam went out.
And the more spam sent out about a specific stock, the higher the increase in its price.
Pump-and-dump is a tactic used by unscrupulous investors to hype a stock in the hope that the price will go up; if it does, the spam senders quickly unload their holdings for a profit.
The two, Faisal Zafar and Sameer Thawani, primarily used Internet message boards to falsely puff up stocks, often by playing on terrorism and pandemic fears. In one instance, Zafar posted messages after the London subway bombings in 2005, and claimed that the touted company was receiving a contract from the Department of Homeland Security to improve security on New York City subways. In another, he said that a stock issuer was acquiring a company which produced avian flu vaccine.
A federal court has frozen the men's assets.
"The defendants preyed on innocent investors by using the relative anonymity of the Internet to manipulate the market," said David Rosenfeld, an SEC associate regional director, in a statement. "We have acted today to stop a brazen fraud and hold the perpetrators responsible."
Zafar and Thawani registered scores of online identities to make it appear as if numerous people were recommending the stocks. They sometimes posed as moderators of message boards dedicated to low-priced stocks, but they also used spam to spread the word.
The spam, said the SEC, alerted investors of imminent "news" about a hyped stock, and urged recipients to buy before the bogus news went public.
Pump-and-dump spam has soared, security companies have said. According to U.K.-based security company Sophos, stock-related spam went from less than 1 percent of all spam at the beginning of 2005 to over 13 percent by the end of that year.
In Holz's and Bhme's 2004-06 research, pump-and-dump spam accounted for about 3 percent of all the junk mail collected by their honeypot systems.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.