Internet Security Systems - AlertCon(TM)

Heard any good spam lately?

Posted by Ralf Iffert on October 19, 2007 at 10:19 AM EDT.

A new spamming technique arose this week:  MP3 spam.  Spammers have been emailing verbal stock tips in MP3s masquerading as songs.

On Wednesday evening (October 17th, 2007), IBM ISS started tracking a new type of spam that uses an MP3 attachment to lure people into following questionable stock tips.

Most samples seen in the past few days share the following characteristics:

  • Empty text body
  • MP3 attachment with changing names like elvis.mp3, beatles.mp3, loveyou.mp3 etc.
  • File size (of the MP3 attachment) between 50k and 130k
  • Empty email subject or usage of the MP3 attachment name

When the user plays the MP3, a woman, in a masked British accent that almost sounds computer-generated, reads out stock tips, such as "We are expecting amazing results ... get on E-X-T-O."  The dialog is nearly identical in each sample we have analyzed, but almost all of the MP3 files contain binary differences in an attempt to evade detection.
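Because the MP3 files differ at the byte level, a gateway check keyed on the message-level traits listed above holds up better than a file hash. The following Python is an added example, not code from IBM ISS; the function names, the reading of "50k" and "130k" as KiB, the subject match with or without the ".mp3" extension, and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MIN_SIZE, MAX_SIZE = 50 * 1024, 130 * 1024  # "between 50k and 130k" (assumes k = KiB)

def mp3_spam_traits(raw: bytes) -> dict:
    """Score one raw RFC 5322 message against the four traits in the post."""
    msg = message_from_bytes(raw, policy=policy.default)
    body_text, mp3s = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name.endswith(".mp3") or part.get_content_type() == "audio/mpeg":
            # Measure the decoded attachment, not its base64 transfer encoding.
            mp3s.append((name, len(part.get_payload(decode=True) or b"")))
        elif part.get_content_maintype() == "text" and not name:
            body_text += part.get_content()
    subject = (msg["Subject"] or "").strip().lower()
    # Assumption: "usage of the attachment name" matches with or without ".mp3".
    names = {n for n, _ in mp3s} | {n.rsplit(".", 1)[0] for n, _ in mp3s}
    return {
        "empty_body": not body_text.strip(),
        "mp3_attachment": bool(mp3s),
        "size_in_range": any(MIN_SIZE <= size <= MAX_SIZE for _, size in mp3s),
        "subject_empty_or_filename": subject == "" or subject in names,
    }

def looks_like_mp3_spam(raw: bytes) -> bool:
    # Flag only when all four traits are present together.
    return all(mp3_spam_traits(raw).values())

def build_sample(subject: str, body: str, filename: str, size: int) -> bytes:
    """Constructed test message (not a captured sample); payload is zero bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "rcpt@example.com"
    if subject:
        msg["Subject"] = subject
    if body:
        msg.set_content(body)
    msg.add_attachment(bytes(size), maintype="audio", subtype="mpeg", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for args in [("", "", "elvis.mp3", 80 * 1024),
                 ("Podcast episode", "This week's episode.", "episode.mp3", 80 * 1024)]:
        print(args[:3], looks_like_mp3_spam(build_sample(*args)))
```

Requiring all four traits together keeps a legitimate message with an MP3 attachment, a real subject and a text body from being flagged.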

As of Friday morning, October 19th, 2007, this new type of spam accounted for less than 1% of the overall volume of spam. However, if spammers pursue a strategy similar to the one they used with PDF spam (and some characteristics of the MP3 spam are similar to those of the PDF spam), then we can expect to see much higher rates in the next few days or weeks. It's unclear how successful this spam type will be, since many businesses do not use MP3 files for any business purpose and can easily filter these file types out at the gateway. Consumer users are the more likely target, since it's unlikely that ISPs would filter out MP3s.

In any case, our researchers will be keeping their eye on this new threat and anticipate that, like the rise of file-format vulnerabilities, further document types may also be on the horizon.
