Pump-and-Dump Scammers Turn to Excel

Pump-and-dump stock scammers have begun using Microsoft Excel spreadsheets to deliver their get-rich-quick schemes, another in a series of moves they've made trying to slip past antispam filters.

E-mail security vendor Commtouch Software Ltd. spotted several spam runs Saturday that feature Excel attachments with file names such as "invoice20202.xls" and "stock information-3572.xls."

The Excel worksheets contain the unsolicited message, which, as in all classic pump-and-dump scams, touts shares of one or more lightly-traded companies as hot and ready to climb. The fraudsters, however, have already bought shares and only spam their shills to get others to buy in. If enough do, the price goes up, and the scammers sell their holdings. The duped recipients of the spam are left holding the bag when the price later plunges.

According to Amir Lev, Commtouch's chief technology officer, the turn to Excel is just the latest twist in the scam. "Excel is a natural progression after the recent spate of PDF spam, which itself is a natural development from basic image spam," said Lev. "We expect other file formats to follow suit. Think of the spam potential in PowerPoint files or Word documents."

Pump-and-dump spam has been rapidly changing tactics, dropping images and substituting PDF files to evade spam-blocking software. Virtually every security company has set out warnings of recent big spikes in the amount of PDF-based spam. In fact, Commtouch was one of the first. Spammers started using PDF files only a few weeks ago; before that, they relied on embedded images to get their content past filters.

Most users associate danger and Excel files because of the latter's use by hackers to delivery malware. Sporadic attacks, often very narrowly focused, using Excel spreadsheets -- as well as other Microsoft Office file formats -- have been launched since early 2006. For example, in June a Commtouch rival, U.K.-based MessageLabs Ltd., reported that 95 percent of all targeted attacks -- those where one piece of spam was shot at one user -- involved Office file attachments.