Internet Security Systems - AlertCon(TM)

PDF Spam 2.0

Posted by Ralf Iffert on October 23, 2007 at 1:28 PM EDT.

On Monday (October 22nd, 2007), PDF spam reappeared after two months of silence, during which almost no PDF spam was seen in the wild. From a technical perspective, these PDF spams are very similar to the PDF spam threats of this summer:

  • Empty text body
  • PDF attachment with changing names like list.pdf, message.pdf, bulletin.pdf etc.
  • File size of the PDF attachments between 2k and 40k
  • Empty email subject or subject contains the name of the PDF attachment
  • First page of the PDF file contains stock information (in German), and the following pages contain random text (in English)
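
The envelope-level traits in this list can be checked mechanically. The following sketch is an added example, not code from the original post or from ISS; it assumes "2k" and "40k" mean KiB, treats "name of the PDF attachment" as the full file name, and skips the page-content trait, which would need a PDF text extractor. The sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MIN_SIZE, MAX_SIZE = 2 * 1024, 40 * 1024  # "2k".."40k" read as KiB (assumption)

def pdf_spam_traits(raw: bytes) -> dict:
    """Check a raw RFC 5322 message against the envelope-level traits listed above."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()

    # Trait: empty text body (absent or whitespace-only).
    body = msg.get_body(preferencelist=("plain", "html"))
    body_empty = body is None or not body.get_content().strip()

    # Collect (file name, decoded size) for PDF attachments, by type or extension.
    pdfs = [(p.get_filename() or "", len(p.get_payload(decode=True) or b""))
            for p in msg.iter_attachments()
            if p.get_content_type() == "application/pdf"
            or (p.get_filename() or "").lower().endswith(".pdf")]

    return {
        "body_empty": body_empty,
        # Trait: a PDF attachment whose decoded size is in the observed range.
        "pdf_size_in_range": any(MIN_SIZE <= size <= MAX_SIZE for _, size in pdfs),
        # Trait: subject is empty, or contains the attachment's file name
        # (full file name is an assumption about what "name" means).
        "subject_empty_or_filename": bool(pdfs) and (
            not subject or any(n and n.lower() in subject for n, _ in pdfs)),
    }

def matches_profile(raw: bytes) -> bool:
    """True only when every checked trait is present."""
    return all(pdf_spam_traits(raw).values())

def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Constructed test message; the attachment is padding, not a real PDF."""
    m = EmailMessage()
    m["From"], m["To"] = "a@example.com", "b@example.com"
    if subject:
        m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"%PDF-1.4\n" + b"\0" * (size - 9), maintype="application",
                     subtype="pdf", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(pdf_spam_traits(build_sample("list.pdf", "\n", "list.pdf", 3000)))
    print(pdf_spam_traits(build_sample("Q3 invoice", "See attached.\n", "invoice.pdf", 3000)))
```

Each trait is weak on its own (a legitimate invoice mail also carries a small PDF), so the result is better used as one scoring input than as a blocking rule.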

On Monday, PDF spam made up around 1% of all spam, and by Tuesday morning (today) it had climbed to about 1.5%.

The spam information about the stocks is in German, so it appears that German users are the main targets. In our local German spam traps, this spam makes up 7% of all German spam.

It will be interesting to see whether these PDF spams mirror the short episode of MP3 spam, which only lasted for a few days (last Wednesday through Friday). Perhaps the sequence of MP3 spam and PDF spam is a one-two punch to gain additional coverage? Our researchers will continue to follow these trends and will post updates as changes occur.
