COLUMN

Spam crackdown: Bloggers take on the SEC

By Bill Brenner 16 Mar 2007 | SearchSecurity.com Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

The commission ordered the trading suspensions -- part of an effort it calls Operation Spamalot -- because it questioned the accuracy of information about the companies involved. The SEC's main target is potentially fraudulent spam email hyping small company stocks with phrases like, "Ready to Explode," "Ride the Bull," and "Fast Money."

"It's estimated that 100 million of these spam messages are sent every week, triggering dramatic spikes in share price and trading volume before the spamming stops and investors lose their money," SEC Chairman Christopher Cox said in a statement on the SEC Web site. "When spam clogs our mailboxes, it's annoying. When it rips off investors, it's illegal and destructive."

Obviously something has to be done, but such draconian measures seem like they're probably going to fail in the end. Kurt Wismer, computer scientist, Anti-Virus Rants blog

Security bloggers applauded the SEC's efforts this week, but there's plenty of skepticism over the long-term benefits of the crackdown. Some even worry that Operation Spamalot could end up hurting people who don't deserve it.

"I think it's kind of interesting that the SEC has decided to halt trading of companies that have been the subject of stock spam ... interesting in a 'how many ways can this go wrong' sort of way," computer scientist Kurt Wismer wrote in his Anti-Virus Rants blog. He referred readers to a point Beyond Security CEO Aviram Jenik made in the SecuriTeam blog about the potential problems Operation Spamalot presents.

Jenik wrote that the SEC is doing the right thing by fighting stock spam.

"The best way to fight the 'pump and dump' schemes is through the body that is responsible for controlling stock trading," he said.

But he also sees a "slippery slope" where companies could be wrongly punished because their stock appears in a spam message they had nothing to do with. "Is it the company's fault that someone is running a scheme on their stock?" he asked. "Quite the contrary … The company's stock usually takes a dive, and unless the company's owners are in on the scheme they have the most to lose from this fraud."

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com. Recent columns: Blogosphere highlights DST security concerns Black Hat RFID controversy has bloggers up in arms Microsoft takes a blogosphere beating over Vista UAC

Wismer wrote that a company could send out fake stock spam made to look like it's coming from a competitor in hopes of getting trading of the competitor's stock suspended.

"Obviously something has to be done, but such draconian measures seem like they're probably going to fail in the end," he said of the SEC's tactics. "Aside from the fact that our inboxes get deluged with the stuff, isn't the key to the stock spammer's success the fact that the recipients are purchasing the stock in ignorance [and] couldn't that ignorance be addressed?"

He also wondered if those who buy such stocks get a warning about the fact that the stock has been spammed and that "if they're buying it purely on the word of some email they received they may be deceived?"

While there is the possibility that the wrong companies could be punished in an effort like Operation Spamalot, security giants Symantec Corp. and McAfee Inc. make another point in their blogs: The spammers are making so much money right now that they are unlikely to be deterred by the SEC's crackdown.

"Until the people behind the spamming are caught, this type of scam will probably continue," Josh Harriman wrote in the Symantec Security Response blog. "The possible financial gain is such that the individual(s) responsible will probably continue taking these risks."

Kevin McGhee agreed in the McAfee Avert Labs blog.

"It is good to see something being done about this variant of spam but I wonder if this going to work," he wrote.

He noted that a stock spam campaign usually lasts a few days or weeks. "The examples given in the SEC's press release were stocks that were being spammed in September, December, and January but the trading suspensions will last for just 10 business days," he wrote. "In the past two days we have observed at least 14 different stocks being spammed and only one of which appeared on the SEC's list of 35."

While the SEC's tactics may have some merit, he said, "it will ultimately fail unless the spammed stocks can be suspended on first sight of spamming activity."

Tags: Email and Messaging Threats (spam, phishing, instant messaging),  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Email and Messaging Threats (spam, phishing, instant messaging) Unified communications: Securing a converged infrastructure Chained Exploits: How to prevent phishing attacks from corporate spies 3FN.net ISP shutdown interrupts spam campaigns Swine flu outbreak results in spam pandemic What does 'invoked by uid 78' mean? Economy fuels malware, spam Internet Explorer 8 includes a bevy of security features Adobe JBIG2 exploits being spammed, IBM warns Fierce competition prompted new Cisco email security options Cisco brings email security appliances closer to SaaS Email and Messaging Threats (spam, phishing, instant messaging) Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary CAPTCHA  (SearchSecurity.com) challenge-response system  (SearchSecurity.com) crimeware  (SearchSecurity.com) pharming  (SearchSecurity.com) phishing  (SearchSecurity.com) Register of Known Spam Operations  (SearchSecurity.com) Rock Phish  (SearchSecurity.com) Sender Policy Framework  (SearchSecurity.com) spam cocktail  (SearchSecurity.com) spear phishing  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary