New MP3 Spam Surges

The spam wars rage on. For every technique the spammers come up with, a defense is built pushing the spammers into new techniques in an alarmingly rapid game of cat and mouse playing out on the Internet every day. The latest volley from the bad guys? Audio spam. In October, the spammers tried using MP3 audio files to send a stock pitch, and volume surged. In 18 hours, this audio form of spam rose from being virtually nonexistent to become 10 percent of all spam traffic, according to several security researchers tracking the phenomenon.

The outbreak was the latest in a string of tactics used over the past several months that take spam beyond simple text ads. Most of these tactics avoid filters by using file formats not generally blocked or difficult for filters to disassemble and search for telltale signs that the message is junk. The change started with image spam, which uses picture files to bypass filters. That was followed by spam that uses the PDF file format. Now comes the audio MP3 version. In each case, the primary use of the spam was a pump-and-dump stock scheme. The message tries to entice its viewer (or listener) to invest in a penny stock. If enough recipients decide to invest, the price surges, sometimes doubling from, say, 15 cents to 30 cents. The originators of the scheme, who own thousands of shares, then dump their shares at the stock’s peak. The tactic was so effective with image spam that the Securities and Exchange Commission halted trading on many penny stocks to diffuse the problem.

In the audio version, the user receives an MP3 file that is socially engineered with a name that invites clicking, either because it is a popular band name or a title that seems personal. Some documented titles include oursong.MP3, weddingsong.MP3; santana MP3, sayyousayme.MP3, smashingpumpkins MP3, bbrown.MP3, bspears.MP3, beatles.MP3, answeringmachine.MP3, coolringtone.MP3 and listentothis.MP3, according to researchers at Cyberoam, who are tracking the problem. When opening a file, the user hears a synthesized voice pitching the penny stock. The quality of the voice is extremely poor.

SecureWorks senior security researcher Joe Stewart says his first reaction was that audio spam, while clever and clearly able to bypass filters, is probably destined for a lower success rate in the pump-and-dump game, both because of the poor quality of the audio and because the amount of end user intervention required will limit respondents who decide to invest. “Who’s going to open a stranger’s MP3 and listen, and what’s the chance they’ll repeat that action?” says Stewart. “With visual spam, all you have to do is glance.” What’s more, in many inboxes the visual is displayed as the message is selected, making it hard to avoid seeing.

Still, these tactics tend to evolve rapidly from crude to sophisticated. Stewart acknowledges this could simply be a test run for a better audio spam attack in the future. He also notes that the audio file didn’t appear to contain any malware that would download onto a PC, but that feature could certainly be added. Also, regardless of how many people fall for it, MP3 spam presents a more basic problem: bandwidth consumption in transit. As spam evolves to take advantage of bigger files it chews up more bandwidth just trying to get to its destination. This was a significant problem when image and PDF spam peaked, and researchers now report that MP3 spam is arriving as even bigger files than image spam.

Though this may raise the ire of users who like to share music, filters will eventually be adapted to block the audio spam, forcing the spammers to come up with something new again. No doubt, they will.