For background, see our first post about the previous campaign.
Someone is blasting out a massive email campaign trying to pump up shares of OTC Rainbow International Corp (RNBI) penny stocks. RNBI has been the subject of these scams before, including one last month that was a dud.
So far, it's not working. We'll see if enough people are suckered in this time to actually raise the price. As of this afternoon, it has been trading between three and five cents a share. That's much lower than the last time this was tried, and probably not enough of a change to make much money.
How a Pump and Dump Scam Works
In a Pump and Dump, the scammer tries to inflate the price of a (usually cheap) stock with fake positive news about the company. Since there isn't a lot of reliable news about "penny stocks" (under $5), it's easy to manipulate their price through rumors like this.
Once the price rises from gullible investors buying up shares, the scammers sell theirs off at a profit. That, of course, sends the price plummeting and leaves victims holding the bag of near worthless stock.
About this RNBI Pump and Dump Stock Spam
We blocked a new massive "pump and dump" stock campaign today involving the often pumped and dumped Rainbow International Corp (RNBI) penny stocks. We've seen this stock manipulated before, but this time the spammers have added some new twists to try and fool antispam programs. It didn't fool SpamStopsHere.
As before, Rainbow International Corp appears to be a perfectly legitimate company and may very well just be the innocent target here.
Here is what the new spam emails look like. You may see variations on this.
Our 24/7/365 spam review team caught this new pump and dump scam over the weekend and blocked it, protecting our customers.
The main message of the email (to buy RNBI stock) is a large image, not text. That's one trick spammers use to fool antispam programs; they hide "trigger" words in an image. Since we don't usually block on individual words, that doesn't matter to us. We know instantly that the email is spam, and then block it by adding its other signatures to our database.
There's also a cheesy-looking "Ameritrade" logo in the image. Hopefully, it's not good enough to fool anyone.
New Tricks in this RNBI Scam
The last time we wrote about a Pump and Dump (which was also about RNBI stocks), the campaign was very simple. The email was not much more than a subject and an image.
This time, the spammers added in some new tricks often used to defeat other antispam:
- Fake links: There are some text links (privacy rights, contact us, etc.) after the image to make the email look more legitimate. In a lot of spam these are real links that lead to dangerous files and web pages. Those so-called "click-me" links (URLs) are a powerful way for us to detect spam. It's expensive for spammers to constantly buy new domains, so click-me links tend to remain the same during campaigns (sometimes across multiple ones), and are easy targets for non-heuristic antispam algorithms like our URL filter (one in a sequence of independent filters).
The URLs here include the recipient's email name plus some random characters and a domain name. Clicking them goes nowhere, although you still shouldn't try. Apparently the scammers are trying to get around URL filtering, because the links would not have appeared in spam sent to anyone else. But it didn't fool us. Our filters each identify spam independently, so we could block the campaign regardless. Still, we update our database with these new URLs so they'll be blocked by the URL filter if they appear again.
- Random Text: The spammers added a bunch of text and placed it in the gray background of the email, so you don't notice it. Having a lot of text after an image is a signal to a heuristic filter that the email could be legitimate. The text is a bit darker than the background so it's not the same color (another spam flag), but not enough that you notice it right away. This is another technique that doesn't get past us, and we updated our spam database accordingly.
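Both tricks described above leave traits a filter can measure: links that embed the recipient's own mailbox name, and text whose color nearly matches its background. The Python below is an added example, not SpamStopsHere's code; the names `SpamTraits`, `analyze` and `MIN_CONTRAST`, the 1.5 threshold, and the sample message are assumptions made for illustration, and it reads only inline-style `#rrggbb` colors.

```python
import re
from html.parser import HTMLParser

VOID = {"img", "br", "hr", "meta", "link", "input"}  # elements with no end tag
HEX = r"\s*:\s*#([0-9a-fA-F]{6})"                     # inline-style '#rrggbb' only
MIN_CONTRAST = 1.5                                    # assumed threshold, tune on real mail

def contrast(fg, bg):
    """WCAG contrast ratio of two 'rrggbb' colors (1.0 identical, 21.0 black on white)."""
    def lum(h):
        lin = [v / 12.92 if v <= 0.03928 else ((v + 0.055) / 1.055) ** 2.4
               for v in (int(h[i:i + 2], 16) / 255 for i in (0, 2, 4))]
        return 0.2126 * lin[0] + 0.7152 * lin[1] + 0.0722 * lin[2]
    hi, lo = sorted((lum(fg), lum(bg)), reverse=True)
    return (hi + 0.05) / (lo + 0.05)

class SpamTraits(HTMLParser):
    def __init__(self, recipient):
        super().__init__()
        self.local = recipient.split("@")[0].lower()
        self.stack = [("000000", "ffffff")]          # inherited (text, background)
        self.hidden_chars, self.personalized_links = 0, []

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        style, (fg, bg) = a.get("style", ""), self.stack[-1]
        m = re.search(r"(?<![-\w])color" + HEX, style)
        n = re.search(r"background(?:-color)?" + HEX, style)
        fg, bg = (m.group(1) if m else fg), (n.group(1) if n else bg)
        if tag == "a" and self.local in a.get("href", "").lower():
            self.personalized_links.append(a["href"])   # recipient name inside the URL
        if tag not in VOID:
            self.stack.append((fg, bg))

    def handle_endtag(self, tag):
        if tag not in VOID and len(self.stack) > 1:
            self.stack.pop()

    def handle_data(self, data):
        if data.strip() and contrast(*self.stack[-1]) < MIN_CONTRAST:
            self.hidden_chars += len(data.strip())      # text blending into background

def analyze(html, recipient):
    parser = SpamTraits(recipient)
    parser.feed(html)
    return parser.hidden_chars, parser.personalized_links

# Constructed sample: image pitch, per-recipient link, near-background filler text.
SAMPLE = ('<body style="background:#cccccc"><img src="cid:pitch"><a href="http://jsmith-x7k2q.'
          'example/privacy">Privacy rights</a><div style="color:#bbbbbb">random filler</div></body>')
```

Very short mailbox names will match many unrelated URLs, so a production check would treat the personalized-link trait as one signal among several rather than a verdict on its own.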
Here is what the links and text after the image look like:
How Do We Block Spam So Well?
Unlike many antispam providers, we have a team of live threat analysts in our U.S. headquarters who update our database every two minutes, 24/7/365, to keep up with new threats. They can identify spam like this campaign very quickly and block it. Instead of relying solely on blocking "click-me" links or Bayesian Heuristics, we have additional filters to ensure that sophisticated spam campaigns like this are blocked.
That includes what we call "phrase" filters, which block based on complete phrases that we know would never occur in legitimate email. We even created our own pattern-matching language to block spam. For example, we almost never block based on individual words, like "Cialis", that can occur in legitimate email (for example, to your doctor).
For More Info
SpamStopsHere works differently from other anti-spam programs. It blocks 99.5% of spam while delivering over 99.999% of legitimate emails. That means we block fewer than 1 out of 100,000 good emails, which is why businesses and professionals love our service.
Our spam review team, along with our proprietary Spamalyzer 3.0, analyzes and blocks email threats for our customers 24/7/365. That's a claim almost no other antispam provider can make.
The mark "Cialis" is the property of its owner. This article is for informational purposes. No endorsement by third parties is implied and none should be inferred.