Stealing Profits from Stock Market Spammers

How I learned to Stop Worrying and Love the Spam

DEFCON 17 ( 2009 )Grant Jordan, Massachusetts Institute of Technology, MAKyle Vogt, Massachusetts Institute of Technology, MA

Agenda

2

About this research…AssumptionSome essentialsWhat we did?Conclusion

About this research…

3

It’s all from researchers’ pointDiffer from any other research that based on

spam text analysisHow they come up with this?

About this research… (cont.)

4

It’s all from researchers’ pointDiffer from any other research that based on

spam text analysisHow they come up with this?

Fig. 1: The epochal stock spam

Assumption

5

Assumption (cont.)

6

Lots of guesses

Assumption (cont.)

7

Lots of guessesLots of hypotheses

Assumption (cont.)

8

Lots of guessesLots of hypothesesBut of course, some economic theory

Some essentials

9

Fig. 2: The supply and demand curve

Some essentials (cont.)

10

But everyone get the spam

What is this spam trying to do?• Send spam• ???• Get profits

Fig. 2: The supply and demand curve

Some essentials (cont.)

11

Fig. 3: How spammer get profits step 1

Some essentials (cont.)

12

Fig. 4: How spammer get profits step 2

Some essentials (cont.)

13

Fig. 5: How spammer get profits step 3

Some essentials (cont.)

14

Fig. 6: How spammer get profits step 4

Some essentials (cont.)

15

Fig. 7: How spammer get profits step 5

Some essentials (cont.)

16

Fig. 8: How spammer get profits step 6

Some essentials (cont.)

17

Fig. 9: How spammer get profits step 7

Some essentials (cont.)

18

What kind of stocks are these?• Penny stocks• Over The Counter (OTC)▪ Not traded on a major exchange ▪ Thinly Traded: Near zero volume most days▪ High Volatility: Since price is so low (often $1/share),

even small changes in price can produce huge % change

Some essentials (cont.)

19

However, who is dumb enough to trust those spam?

Some essentials (cont.)

20

However, who is dumb enough to trust those spam?• There are many idiots indeed…

Fig. 10: Evidence of such spam work 1 Fig. 11: Evidence of such spam work 2

What we did?

21

Numerous researchers claimed that by Fall 2006, stock spam was dead

But they are wrong!

What we did? (cont.)

22

Numerous researchers claimed that by Fall 2006, stock spam was dead

But they are wrong!• Because all previous works are based on text-

analysis• About 2006, almost 100% of stock spam are

graphsSo? How could we analyze those graphs?

What we did? (cont.)

23

Fig. 12: It's easy to sort them by hands

What we did? (cont.)

24

When you’re looking at every email with your own eyes, it’s easy…

Our data• 14 weeks• More than 50,000 spam emails• 12,168 stock spam

Information extracted from them• Previous results• Relative botnet power• Identify spammer’s unique signature

What we did? (cont.)

25

Fig. 14: Spam size of SRRLFig. 13: Stock spam of SRRL

What we did? (cont.)

26

Fig. 16: Spam size of MRPGFig. 15: Stock spam of MRPG

What we did? (cont.)

27

Jordan-Vogt method• Sort week’s worth of spam by ticker symbol• Identify spammer by email style• Compare each spammer’s past results• Identify top spammer• When first email from top spammer arrives… buy

the stock• Sell out

To sum up, choose the successful spammer; when the best spammer sends out his first email about a stock, we know to buy

What we did? (cont.)

28

Fig. 17: Buy it when got first spam from the best spammer

Conclusion

29

Did it work?• Yes

Method worked for a few weeks

Conclusion (cont.)

30

Did it work?• Yes, and No!

Method worked for a few weeks, but…• The best spammer had a bad week (lost ~$2M)

then disappeared• Major botnet takedowns (?)• Major SEC crackdown (“Operation Spamalot”)▪ Suspended trading on 35 stocks▪ Indicted two men in Texas for securities fraud. Eventual

$3.8M settlement▪ Because an SEC attorney was getting the spam

Conclusion (cont.)

31

Could it work again?• Maybe• Spam goes in cycles… botnet come and go…

Fig. 18: Recent spam in April 2009