MessageLabs has released its May 2007 Intelligence Report, which details specifics of security and threat activity for the month. The report noted that “image spam” accounted for 15 percent to 20 percent of spam in May.
Image spam is generated when botnets take a text message from a command-and-control channel and turn it into an image that contains the text.
The botnets have a template that can generate code and an image, and that image will be different every time the e-mail is sent. The content itself is the same, but the code in the botnet engine itself makes slight changes such as altering one pixel in the background of the image, adding extra lines or making the text slightly distorted.
This allows image spam to avoid detection by optical character-recognition anti-spam technology.
“It’s all about trying to defeat anti-spam countermeasures,” said Paul Wood, MessageLabs senior analyst. “If it’s just plain text, you can read the contents, you can fingerprint it, look for certain keywords, but if it’s an image, that becomes so much more difficult. If you have to use optical character recognition, then you are expending a lot more CPU cycles and a lot more resources, and it becomes much more expensive.”
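The fingerprinting problem described above can be shown on a constructed image. This is an added example, not taken from the MessageLabs report: the pixel grids are invented stand-ins, and the "average hash" perceptual fingerprint is an assumption of this sketch, a technique the report does not mention.

```python
import hashlib

W, H = 64, 32  # constructed 8-bit grayscale canvas; no real spam sample is used

def template():
    """Constructed stand-in for a rendered message: dark bars on a light background."""
    img = [[230] * W for _ in range(H)]
    for y in range(10, 22):
        for x in range(8, 56):
            if (x // 4) % 2 == 0:
                img[y][x] = 20
    return img

def one_pixel_changed(img):
    out = [row[:] for row in img]
    out[0][0] = 231              # a single background pixel altered
    return out

def extra_line(img):
    out = [row[:] for row in img]
    out[3] = [160] * W           # one extra horizontal line added
    return out

def unrelated():
    """Constructed image with a different layout: dark top-left quadrant."""
    return [[20 if x < W // 2 and y < H // 2 else 230 for x in range(W)]
            for y in range(H)]

def exact_fingerprint(img):
    # Byte-exact fingerprint: any changed pixel yields a different digest.
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img, grid=8):
    # Shrink to grid x grid block means, then set one bit per block above the mean.
    bw, bh = W // grid, H // grid
    cells = [sum(img[y][x] for y in range(gy * bh, (gy + 1) * bh)
                           for x in range(gx * bw, (gx + 1) * bw)) / (bw * bh)
             for gy in range(grid) for gx in range(grid)]
    mean = sum(cells) / len(cells)
    bits = 0
    for c in cells:
        bits = (bits << 1) | int(c > mean)
    return bits

def distance(a, b):
    # Hamming distance between the two 64-bit perceptual fingerprints.
    return bin(average_hash(a) ^ average_hash(b)).count("1")

def same_campaign(a, b, max_bits=5):
    # max_bits is an illustrative threshold, not a tuned value.
    return distance(a, b) <= max_bits
```

The exact digest changes with a single pixel, while the coarse fingerprint stays put for both variants and still separates the unrelated layout; it does not read the text, so it complements keyword and OCR checks rather than replacing them.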
He said this type of spam almost always is used to “pump and dump” low-valued shares on the stock market.
“They’re not trying to sell you Viagra or lure you to a Web site or anything like that — the sole purpose is to try and inflate the stock value of penny shares in almost all cases,” Wood said. “They target stocks and buy a bunch of those shares, wait a few days or weeks and then send spam, saying, ‘Watch this stock code because it’s going up.’ What you’ll find is that people, just because it’s been spammed out, will buy those stocks because they know it’s been spammed out and, therefore, lots of other people are going to do the same thing.”
In this sense, the image spam is functioning similarly to playing the lottery — recipients know they are encountering a sort of scam, but they still respond to it merely because it indicates a scam is being perpetrated and they can get in on it if they so choose.
Image spam is the preferred mode of communication for this scam because it doesn’t need to direct anyone to a URL or sell them on anything. Rather, it merely conveys the message and avoids detection by anti-spam technology.
The scam is largely effective, but more so for the perpetrator than for the spam recipient who looks to get in on the action. A survey published this year by the Social Science Research Network looked at 75,000 unsolicited e-mails sent over an 18-month period. It concluded that spammers could make up to a 6 percent return on their investment by engaging in pump and dump, and that recipients who act on the message typically lose between 5 percent and 8 percent of their investment.
“Spammers, or the guys behind this operation, have already bought the stock, and they know that when it reaches a certain point, they’ll sell these, and then the stock price will start to decay,” Wood said. “They can make a considerable amount of money from doing this.”
He added that you can watch this happen in real time by looking at the publicly available listing information for share prices.