Sponsored by..

Friday 21 November 2014

StockTips.com spam.. or Joe Job?

When I saw this StockTips.com spam, I assumed that it was a pump-and-dump scam.

From:     StockTips.com
Date:     21 November 2014 07:58
Subject:     Sign up now


Want to make money with stocks?
Sign up at http://www.stocktips.com/ for a small monthly fee only.

© 2001-2012 StockTips.com. All Rights Reserved.

StockTips.com is operated by Amerada Corp

Here is another version of the body text:


Stock Tips Delivered to your Inbox!
Stock Tips is the #1 stock alert service... As always membership is 100% FREE!

© 2001-2012 StockTips.com. All Rights Reserved.

StockTips.com is operated by Amerada Corp

The spam was sent to an account that often receives pump-and-dump spam, and it has never signed up for anything like this. The most likely source for the email address in question is from the virus-infected computer of a contact.

So what is this? A virus? There's nothing malicious about this email. A Joe Job? Well, I've had a LOT of these, and even the most stupid email marketer tend not spam the same recipients over and over again. So perhaps it is a Joe Job.

IP address analysis

The IP addresses used to send the spam seem to be a mix of compromised PCs and servers, possibly forming part of a botnet. Legitimate companies don't use this kind of technique (obviously), but even real companies that do send spam tend to find a proper web host somewhere. This is another indicate that it might be a Joe Job. Unitymedia, Germany Project Honeypot shows that it has only been used for spam quite recently.  It looks to be a server rented from a legitimate company, although obviously for illegitimate purposes. Possibly the server has been compromised. Gamma Telecom, UK Project Honeypot shows just how spammy this IP is. And it has been used for stock spam in the past as well, which indicates this is not a one-off. It looks like this may be a compromised server. Telefonica de Espana SAU, Spain Resolves as 21.Red-80-38-8.staticIP.rima-tde.net, so a static IP rather than a DSL connection. Project Honeypot says that it used to be used for spam some time ago but has been clean for a long time. Vectra S.A., Poland Description is "Vectra Broadband Users" which indicates a DSL or cable connection. Project Honeypot has no data. Feliz Acesse Comunicacao Ltda, Brazil No data on this, could be a domestic IP address. Bezeq International Ltd, Israel Appears to be a domestic broadband user. TurkTelekom, Turkey ADSL subscriber Arcor AG, Germany Arcor / Vodafone DE business customer.

What about StockTips.com itself?

StockTips.com is a snazzy looking site..

But there is not one single piece of information that identifies who runs it, except for a reference to Amerada Corp which is also mentioned in the spam email. The WHOIS details for the domain are also hidden, so it is impossible to determine who actually owns the site.

A search for "Amerada Corp" comes up with nothing except that it is a former name of Hess Corporation who are clearly nothing to do with this.

Scrolling down the page gives a clue as to what this might be about..

A $37 signup fee? No thanks.. but it says it is a one time fee but the spam says a monthly fee. That's inconsistent. Another indicator of a Joe Job? Perhaps.

Something else caught me eye.

HAIR was the subject of a massive pump-and-dump spam run last year. After StockTips.com recommended HAIR in May of 2012, the share price basically fell off a cliff.


A bit of Googling around shows a lot of negative comment about StockTips.com. There are some accusations that I have not been able to verify that they are involved in paid stock promotions for the penny stocks that they list.

The Penny Stock market has a lot of legitimate players, but there are also a lot of people who try to manipulate the market for their own gains. It is possible that StockTips.com has clashed in some way with the sort of people who run pump-and-dump scams, and they have decided to take their revenge by creating this fake spam run.

Perhaps if you have some experience with this outfit, you would like to share it in the comments? Note that all comments are owned by the people posting them.

1 comment:

Jan said...

Looks like Amerada Corp. is registered in the Marshall Islands