Archive for March 13th, 2007


Mar13
by Paul Oliveria (Technical Communications)

The US Securities and Exchange Commission has recently suspended 35 trading companies that are supposedly involved in “pump and dump” spam. In a statement released by the SEC, the effort — known as “Operation Spamalot” — aims to “protect investors from potentially fraudulent spam email hyping small company stocks”.


“Pump and dump” is a financial fraud that involves creating an artificial demand for stocks so that their prices go up. It’s a scam that has proven profitable; as the stock prices reach their peak, the scammers sell their stocks and stop creating the artificial demand, and the stock prices naturally drop even faster than they went up.


It is also said that pump and dump spam accounts for as much as 25% of all the spam that plagues users all over the world. Thus, it’s not surprising that threat authors and other malicious users are riding on this “popularity”. NUWAR, for instance, is a family of worms designed to create a network of zombie machines that send this type of spam. In January, one NUWAR variant even partnered with the “Storm Trojan” TROJ_SMALL.EDW and became the first notable security event of 2007.


This move by the SEC should serve as a warning to scammers. Consequently, this should also serve as a lesson to brokers and investors. After all, email messages with phrases like “ready to HIT BIG!” or “Fast Money” are never a good sign.



Mar13
by Roberto Tayag (Threats Analyst)

According to a handler’s diary entry in SANS ISC, there were a number of compromised sites that host a script tag linking to malicious JavaScript on a Chinese web server.

I took a look at this incident; googling parts of the script tag gave quite a good result: there were a couple of compromised sites that hosted this script tag.

Downloading the file pointed to by the script tag, I found out it redirects you to a malicious HTML file that has malicious script code. This HTML file in turn downloads an executable. This HTML file has code in it for MS06-014. Both files were already submitted for pattern creation; the HTML file will be detected as VBS_PSYCHME.ACU and the executable file being downloaded will be detected as TSPY_WOW.YO.
Virus reports are also being created and will be available in a few moments.


Please be careful when surfing the web. It’s a dangerous world.


SANS has a list of the couple of sites that were compromised with the use of Google cache.
Note: We do not guarantee that the sites are already safe for viewing, but admins were already contacted by SANS.


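A site owner can check their own pages for the kind of injected script tag described in the post above by auditing every `<script src>` against the hosts they expect to load code from. The following is an added example, not code from the original post or from SANS; the sample page, the `example.*` host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a page served from www.example.org with an injected external script.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
</head><body><p>News</p>
<SCRIPT language="javascript" SRC="http://injected.example.net/1.js"></SCRIPT>
<script>var inline = 1;</script>
<script src="//stats.example.com/t.js"></script>
</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag (HTMLParser lowercases tag and attribute names)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:  # inline scripts carry no src and are not checked here
                self.sources.append((src.strip(), self.getpos()[0]))


def unexpected_scripts(html, page_url, allowed_hosts):
    """Return (line, absolute_url, host) for each script whose host is not allowlisted."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    allowed = {h.lower() for h in allowed_hosts} | {page_host}
    findings = []
    for src, line in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host/ forms
        host = (urlsplit(absolute).hostname or "").lower()
        if host not in allowed:
            findings.append((line, absolute, host))
    return findings


if __name__ == "__main__":
    for line, url, host in unexpected_scripts(
            SAMPLE_PAGE, "https://www.example.org/index.html", ["cdn.example.org"]):
        print(f"line {line}: unexpected script host {host} -> {url}")
```

Run against a known-good copy of the site first so the allowlist reflects every legitimate third-party host; anything that appears later is a change worth investigating.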


© Copyright 2008 Trend Micro Inc. All rights reserved.