DEFCON Conference 17. “Stealing Profit from Spammers: How I Stopped Concerning about Spam and Loved It.” Grant jordan

    Before I talk about our project, I want to tell you who I am, Grant Jordan, and who Kyle Vogt is, who works on Justin.tv. We are students at the Massachusetts Institute of Technology who have a lot of free time. And we have many interesting projects, such as a device for breaking safes, which allows you to open safes with the highest degree of protection. However, to understand why we are engaged in spam, the answer to the question will help: who are we not?

    We are not stock market experts, spammers, or people who suddenly get rich playing the stock market. Therefore, everything that I will talk about the stock market and spam is a look from the outside, that is, the experience of people who are not directly related to this. When we started doing this, everything looked like through soda bubbles, and therefore the project reflects our view of things at that time. We had too little information, we had no idea how the botnet works, how spammers manage it and how they send information to your inbox.

    Each time you open your mail, you find spam there. This advice on how to increase the size of the penis, or letters from the "bad" girls from Russia, or a notice in which the former prince of Nigeria reports that he made you the heir of his millions. However, one type of spam attracted more attention than others - it was stock market spam. These were strange “tips” calling to buy certain stocks, the rate of which is about to jump “above the roof”. Like most people, I deleted this spam, but once Kyle gave birth to one of the stupidest ideas I have ever met: “There must be a way that will help us to take away some of the money from these very spammers!”

    After several attempts and failures proving Kyle’s wrong, for 4 months we plunged into the study of the dark depths of exchange spam. As a result, we concluded that it is possible to judge some things without even understanding what exactly lies at their base. It is enough only that information that is in the public domain and which everyone possesses.

    Today I will explain to you how we moved from the manual sorting of tens of thousands of spam messages to the strategy of “snatching” pieces from spam messages. Our work allowed us to obtain data that disproved the results of almost all studies of exchange spam existing today.

    It all started in October 2006, when all network users were literally overwhelmed with spam mailing with letters offering to play on the stock exchange of gold mining companies GDK. It was then that Kyle said that there should be a way to “fuck” money from these spammers, to which I replied: “You are an idiot, Kyle”!



    I will explain why at first it seemed to me that Kyle was wrong. The profit was based on asymmetric information on the principle "I know what you do not know." No one could trade if he sold goods at the price at which they would want to buy. That is, I will offer a price, but I don’t know if you can pay it, but you will offer payment without knowing whether I will agree to it. If this were not so, all prices would be fixed. Therefore, everyone knows that such financial information is always valuable.

    So everyone gets spam. What do we know that others do not know? First we had to find out for ourselves what all these people do with the received spam, how they react to it. Maybe they are really tempted by the offer and buy stocks? If spammers send out such letters, it means that someone “pecks” them! What is the process? They send spam, then what happens is unknown, and after that spammers make a profit!



    The process is a classic Pump & Dump scheme - Pumping and Dumping, in which unscrupulous traders inflate interest in pre-purchased stocks in order to sell them to inexperienced investors at an inflated price.



    As a result, profit settles in their pockets, and the client suffers losses when selling artificially inflated stock prices. The anatomy of Pump & Dump is as follows.



    I own 100 shares of a company worth $ 1 each. I go to the exchange's bulletin board and tell everyone that these stocks are skyrocketing. People are starting to buy these stocks, and they are rising in price. When the price rises to $ 2 per share, I sell my 100 shares and make $ 100 profit. Demand was created artificial, everyone who wanted to buy these shares bought them, and there are no more buyers. Owners of shares want to sell them and find out that there is simply no one to sell them! Nobody wants to buy more stocks at that price, and they begin to fall. Moreover, the price drops even lower than the one at which they were initially offered. Everyone suffers losses, except for the one who started this whole combination.

    The following picture shows my profit and their losses. My profits grew gradually, and their losses were swift. This is called the "calling of customers." The concept is old and well-known - it can be oral campaigning, the speculative advertising project “Boiler Room” or forums. However, spam provides you with a wider audience for a low price.



    You can report information that is beneficial to you to millions and millions of people. Profit depends on how early you started inviting customers. The amount of loss depends on how quickly you started selling your shares. Recent sellers get almost nothing, that is, they simply throw money away.

    What types of shares do spammers trade? These may be cheap Penny Stocks or OTC OTC that are not listed on NASDAQ, NYSE or other national exchanges. There are various types of OTC, BB, and Pink Sheets. These may be Thinly Traded stocks, the price of which is close to zero, or cheap stocks with high price volatility. If the value of such a stock is within $ 1, even a slight increase in the exchange rate can bring substantial profits.

    You can invite customers to buy their shares through the NYSE, but in this case, your profit will not exceed the average market performance. For example, you can encourage customers to buy Apple stocks, they will start to buy them, but they won’t get much profit when they sell, because Apple stock trading is going well and they are always in price. It should be borne in mind that the Pump & Dump scheme is illegal on all exchanges, and you may be prosecuted for this.

    So, we know the scheme by which spammers work, but we do not know which company is profitable. But the main problem is that someone really believes spam and there are so stupid people that they buy these shares. I always delete such offers from the mail. But when Kyle and I interviewed our colleagues, we found out that enough people still bought these GDK shares last week.

    We looked at the stock exchange rate of these shares and saw that it had risen in price by 60%, and the total number of shares exceeded 600 thousand. The spammer’s profit at the initial share price of $ 1 could reach 250 thousand dollars. These statistics impressed us very much!

    If we look at the graph, we will see that spam began to attack customers on Friday, October 20. Prior to this, the stock price was approximately $ 1. And already on Monday, October 23, the stock price reached a peak.



    We were interested in why spam began to be sent on Friday, just before the stock market and the exchange closed. However, this was only the beginning, because 250 thousand dollars is not such a big profit. We checked the rate of the same stocks after 2 months and saw a completely different picture! Here the game was going big.



    In 5 days, the stock gained 300%, and 10 million shares have already brought $ 30 million in profit! We could not believe that there were so many simpletons who invested their money in these soothers. However, the fact was on the face, and we wondered - what can we do in this situation?

    We found out such interesting information. During the first week of October, we received offers to buy shares in twenty different companies, but only 3 of them made a profit, with GDK being the most tangible. The remaining 17 types of shares did not bring anything.

    We wanted to figure out why this happens, why some stocks make a profit, while others do not. What information did we have? Approximately 1,000 offers per week and exchange information for the previous week. That is, we could connect the results of the previous week’s trades with the volume and name of the next week’s mailings. Everyone had exactly the same information, we had nothing special.

    What did the rest of the spam researchers say? Freder and Zittrane in their work on spam reported: "It is proved that the inviting of buyers is associated with market activity." Their research covered 2004-2005 and was quite serious. Hanke and Hauser in their article “Efficiency of spam mailing of offers to buy shares” also reported that there is a connection between the volume of spamming and the price of shares offered in them on the market. The more spam is sent, the more profit the spammers receive from the shares offered for purchase.

    Many researchers have argued that since the stock market crash of 2006, spamming in this area has died and is no longer affecting the stock market. But this could not be, as tons of offers continued to come to us!

    What was the difference between spam mailing lists 2004-2005 and 2006-2007? The former contained mostly text that was screened out by spam filters. They analyzed whether the letter contains the word “stocks” and whether there is a graphic symbol for a stock. If the conditions were met, the message was marked as spam. The second contained mostly graphic information, pictures that spam filters could not track.

    So, we asked ourselves: how can I sort graphic spam? After analyzing several graphic recognition programs, we realized that sorting is possible only manually! And we did it.



    This is what it looked like on our computer: folders that contained a lot of graphic files, and packs containing hundreds and hundreds of email addresses of spammers. And we managed to sort it all out!

    We spent 14 weeks sorting, processing more than 50,000 spam emails and 12,168 shares. As a result, we got some data. Here's what we learned from them:
    previous results, the relative power of the botnet network, the identification of unique signatures of spammers.

    The relative power of the botnet allowed us to sort by stock symbols and link specific email addresses to specific symbols.

    Consider the diagram that shows the dependence of the number of letters with the distribution of GDKI shares by day of the week.



    The vertical green dotted line shows the time when the market opens, red - the time the market closes. Yellow vertical lines delimit the period from Friday to Friday, when the broadcast begins. The remaining colored lines at the bottom of the graph show the intensity of the distribution of other shares - it grew and stopped, and only the distribution of GDKI shares constantly increased.

    And here we noticed an interesting feature: GDKI spamming freezes during the market, that is, no letters arrive between the opening and closing of the exchange! This is indicated by the horizontal segments of the distribution volume graph.

    Which conclusion follows from this? The guys who send out letters are exactly at this time busy in the market - they are the ones who sell the shares! Therefore, they do not have time to send letters.

    Further, we noted that at the same time the botnet network activity that sends GDKI stops. This allows you to identify a network of botnets or spammers, the organization that sends out these emails. Consider what a spammer’s signature is. Each spammer uses his own style of email: the location of the text, the encoding of the letter, the type of capital letters, font style.



    This is easy to see if you look at each of the 50,000 received emails with your own eyes.

    And here we come into the game! We choose a successful spammer, who in a certain week has overwhelmed us with the maximum volume of letters. Then we check its activity next week, compare it with the previous one and so on. If we find stocks that have the same dynamics in the market as the dynamics of mailing letters, then we establish a connection between a specific stock name and a specific spammer. In the end, we get the email address of this spammer.



    What do we do next? We monitor market activity and spamming next week and draw up the same schedule. And what do we see? Practical repetition of the GDKI chart, only this time it is a completely different stock - SBNS stock! What does an email look like “wringing” SBNS shares to us? In the same way as the letter urging you to buy GDKI shares! That is, the same spammer with a characteristic signature style carries out the newsletter. It uses the same botnet network, as evidenced by its activity.

    We continue our work further. The third week of observations gave us 3 more charts of spam mailing of other shares:



    One of these guys is definitely our spammer - now he sends out SRRL stocks, the same distribution dynamics and the same style of letters. But the other two spammers have a completely different style. The second EGLY schedule is specific in nature and has a fixed distribution volume. We compared these distribution charts with market statistics - do you think the second and third guys had any success? After all, they also rapidly increased the volume of mailing! It turned out that nothing similar was observed with EGLY and CNPM, that is, there was no sale of these shares at all!



    Why did this happen? Once again, take a look at the letter from the first spammer and the letters from the other two. That is the problem - their distribution is just text, bare text! Compare what the mailing list of the first spammer looks like and what the mailing of the other two looks like. They used such a powerful botnet network, but did not achieve any result, because they sent simple text.

    Next 4 weeks - our hacker began to send out MPRG offers. The same writing style, powerful mailing. At week 5, we see the same powerful spammer mailings, the same botnet, and again no result on the exchange.



    Within 5 weeks, the spammers sending the text did not achieve any result, and at week 6 they practically stopped sending them. You see that the scale of the number of mailings has changed from 300 to 900. One of the text spammers offering APWL shares increased the mailing to the maximum, the second, WEXE, remained at the same level. The increase in spam did not bring any results, and APWL did not appear on the exchange.



    We looked at how many shares of WEXE the spammer acquired. The amount was impressive - about $ 2 million. That is, he invested a lot of money in a dummy, without winning anything. And in the seventh week, he completely disappeared. We don’t like getting spam, but this guy’s failure upset us. Thus, spammers sending text spam behave like crazy. They continue to do this again and again, spend money and do not even try to figure out the cause of their failures.

    Until mid-January 2007, nothing interesting happened in the spam mailing list. Over the course of 13 weeks, spammers completely went crazy - they continued to spam 15 stocks in the same text format and again achieved nothing. I did not even try to depict this on the chart - so many mailings of different stocks did not even fit.

    Observations allowed us to come to such conclusions: you can not follow the mailing of the remaining spammers, we already knew what it would be, we calculated the “winner” using one of its mailing lists, as soon as the first spammer sends the first letter, we begin to buy advertised stocks!

    We started buying stocks at this moment, which is shown on the chart:



    We became participants in his game, following his rules, and thus were able to snatch our piece of the pie.

    This is what the Jordan-Vogt method consists of: sorting the weekly spam volume by stock symbols, determining the spammer by the mailing style, comparing the past results of each spammer's activity, identifying the most successful spammer, as soon as the first letter from this spammer appears, start buying stocks, wait, until their value reaches a peak, and immediately sell!

    Does this method work? Yes and no. It works for several weeks until all possible niches in the market are filled with spam. Even successful spammers suffer losses, like that guy with $ 2 million. Botnet networks sometimes crash. There is an effect of spam, attracting the attention of the SEC - the Securities and Exchange Commission. Here is an example of Operation Spamalot, Operation Too Much Spam, which was conducted in March 2007.

    SEC tracked operations at 35 trading floors. As a result, 2 Texas residents were accused of illegal trading on the stock exchange and fraud in the amount of $ 3.8 million. The operation began due to the fact that SEC lawyers became interested in a lot of spam with stock advertising, which was sent to them by mail.

    Can our method work again? Maybe. Spam is sent cyclically, botnet networks appear and disappear.

    In April 2009, I again reviewed my spam folder, which contained about 3,000 thousand mailings. I saw that the most advertised drugs, then went simple fraud, watch advertising, the sale of diplomas, sexual services, books, job offers, games. There were no letters offering to buy stocks at all!



    It even upset me. Probably what we could make out, others could see. Therefore, the system for generating profit through the spammer mailing list of stock advertising has failed. Can it be reborn? Enough time has passed, and this option is not excluded. In this case, the Jordan-Vogt method will work again.

    Now you know about it, so you can also take part in the game if it starts again. But this process will be different from what happened 3 years ago. You know the system, many people know it, so people who bought stocks will seek to sell them as soon as possible. The duration of the process will decrease faster and faster, the time between buying and selling shares will begin to rapidly decrease. It is possible that as a result only losers and those who are “off topic” will remain on the market.

    Therefore, I had a new idea - to change the strategy of the “I know what you don't know” approach to “I know what you know, and you know that I know about it.” I see you like my new approach! Well, time will tell!

    And now I will answer your questions.

    - Can we thus study other stock markets, for example, European or Asian?

    No, we can’t, because we receive spam mail from other countries. Even if you suddenly receive a letter from Korea, you still cannot read it. Although I know a group from Germany that studied stock spammers in 2007, and instead of using graphic mailing they used .pdf files

    - Can we bring down the market before the spammer starts selling his stocks?

    I think no. Spammers use random companies, and we will not know about the beginning of the process until specific stocks appear on the market. You can even track specific spammers, but we won’t know which shares they are interested in; too many cheap shares are traded on the stock exchange.

    - Could the SEC be interested in our activities, as we monitor the stock market and exchange activity?

    Yes, maybe we can’t do anything about it, it’s their right.

    - Why did spammers choose the shares of these companies?

    Good question! We think because they were directly related to these companies, perhaps they even worked there and thus wanted to improve their personal condition or the affairs of their company. Or, they specifically turned to companies whose shares were illiquid, and bought them at the lowest price in order to earn. It is possible that the companies themselves had no idea what was going on with their shares - they woke up one fine morning and saw that their shares were flying everywhere, but they could not understand the reason for such popularity.

    - What is the volume of shares indicative for the study, or how to scale the value?

    This is not too important. You can watch hundreds of shares or several thousand shares, the main thing is to fix their growth. If they rise in price by 5% - do not pay attention, and if by 50% - then it is worth looking at them.

    - Do I need to pay attention to the information posted in the spammer letter, the recommended price or other characteristics of the action?

    I don’t think this has any meaning, usually the description of the proposal is the same for successful stocks and for “dummies”.

    - Does the duration of the sale of shares on the stock exchange have any significance, is it connected with anything?

    We did not notice the relationship between the speed of the sale of shares and other characteristics. Sometimes it was possible to sell all shares in 1 day, sometimes it took 5 days to do this - you just need to observe the dynamics of price changes on the exchange.

    - Is sales success repeated?

    Yes, we observed how the sale of the same shares was successful this week, and the next, and after a few weeks. If we did not notice any success a few weeks before the start of sales, then we can see that such success was a year before. That is, success is cyclical.



    - Is it worth paying attention to unpopular cheap shares directly on secondary exchanges, rather than learning about them from spammer mailings?

    Perhaps if you understand this. Because you can respond to spam mailings and as a result do not receive any profit.

    - Have you noticed any features of spam mailing like hacked accounts?

    We did not pay much attention to the technical side of the newsletter, we were more interested in its volume and style of specific letters. We saw that some letters came from strange mailboxes, some mailboxes were registered in Russia, that is, the botnet network could use any addresses.

    - Is it worth it to use not the spammer mailing list, but the forums of buyers of shares?

    Yes, it’s worth it, it helped us in a forum where people discussed the trading and success of GDKI shares in late 2006 - early 2007.



    Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or recommending it to your friends, a 30% discount for Habr users on a unique analog of entry-level servers that we invented for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR4 240GB SSD 1Gbps from $ 20 or how to divide the server? (options are available with RAID1 and RAID10, up to 24 cores and up to 40GB DDR4).

    Dell R730xd 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v4 128GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about How to Build Infrastructure Bldg. class c using Dell R730xd E5-2650 v4 servers costing 9,000 euros for a penny?

    Also popular now: