PDF spammers already moving on to other filetypes, currently .XLS

PDF spam has continued to increase during the last 3 weeks and has moved from ‘pump and dump’ stocks to other types of spam such as pharmacy spam.

The spammers responsible for the recent .PDF based ‘pump and dump’ stock spam have also started to send pump and dump spam containing Microsoft Excel .XLS documents similar to the one below.

The XLS spam is advertising a German stock and is currently targeted at .de and German .com domains. The .XLS file may be compressed in a .ZIP file similar to the example below.

The spam shares the same traits as the PDF spam, so although the filetype is different, this spam is otherwise similar to the previous PDF spam. Its not unlikely that the spammers will try to embed other attachment types such as Microsoft Word and PowerPoint documents in the future.

During the last month as .PDF based spam has been increasing, .GIF/.JPG based image stock spam has decreased from about 20% of all spam to less than 10%. Overall the amount of ‘pump and dump’ stock spam is decreasing, this may be due to a combination of potential ‘investors’ becoming wise to these type of scams, law enforcement officials targeting this type of spam, and spammers having to continually change their spamming tools to avoid spam filters.

A worrying thing is that people may get complacent about Excel spam if it continues. Macro-based exploits are currently making a come back. Imagine what might happen if both the spam presentation and an exploit is combined. A person might open the spreadsheet and think that it was a pump and dump spam, in the meantime a payload would have been dropped.