Post on 15-Jan-2016
description
Stealing Profits from Stock Market Spammers
How I learned to Stop Worrying and Love the Spam
DEFCON 17 ( 2009 )Grant Jordan, Massachusetts Institute of Technology, MAKyle Vogt, Massachusetts Institute of Technology, MA
Agenda
2
About this research…AssumptionSome essentialsWhat we did?Conclusion
About this research…
3
It’s all from researchers’ pointDiffer from any other research that based on
spam text analysisHow they come up with this?
About this research… (cont.)
4
It’s all from researchers’ pointDiffer from any other research that based on
spam text analysisHow they come up with this?
Fig. 1: The epochal stock spam
Assumption
5
Assumption (cont.)
6
Lots of guesses
Assumption (cont.)
7
Lots of guessesLots of hypotheses
Assumption (cont.)
8
Lots of guessesLots of hypothesesBut of course, some economic theory
Some essentials
9
Fig. 2: The supply and demand curve
Some essentials (cont.)
10
But everyone get the spam
What is this spam trying to do?• Send spam• ???• Get profits
Fig. 2: The supply and demand curve
Some essentials (cont.)
11
Fig. 3: How spammer get profits step 1
Some essentials (cont.)
12
Fig. 4: How spammer get profits step 2
Some essentials (cont.)
13
Fig. 5: How spammer get profits step 3
Some essentials (cont.)
14
Fig. 6: How spammer get profits step 4
Some essentials (cont.)
15
Fig. 7: How spammer get profits step 5
Some essentials (cont.)
16
Fig. 8: How spammer get profits step 6
Some essentials (cont.)
17
Fig. 9: How spammer get profits step 7
Some essentials (cont.)
18
What kind of stocks are these?• Penny stocks• Over The Counter (OTC)▪ Not traded on a major exchange ▪ Thinly Traded: Near zero volume most days▪ High Volatility: Since price is so low (often $1/share),
even small changes in price can produce huge % change
Some essentials (cont.)
19
However, who is dumb enough to trust those spam?
Some essentials (cont.)
20
However, who is dumb enough to trust those spam?• There are many idiots indeed…
Fig. 10: Evidence of such spam work 1 Fig. 11: Evidence of such spam work 2
What we did?
21
Numerous researchers claimed that by Fall 2006, stock spam was dead
But they are wrong!
What we did? (cont.)
22
Numerous researchers claimed that by Fall 2006, stock spam was dead
But they are wrong!• Because all previous works are based on text-
analysis• About 2006, almost 100% of stock spam are
graphsSo? How could we analyze those graphs?
What we did? (cont.)
23
Fig. 12: It's easy to sort them by hands
What we did? (cont.)
24
When you’re looking at every email with your own eyes, it’s easy…
Our data• 14 weeks• More than 50,000 spam emails• 12,168 stock spam
Information extracted from them• Previous results• Relative botnet power• Identify spammer’s unique signature
What we did? (cont.)
25
Fig. 14: Spam size of SRRLFig. 13: Stock spam of SRRL
What we did? (cont.)
26
Fig. 16: Spam size of MRPGFig. 15: Stock spam of MRPG
What we did? (cont.)
27
Jordan-Vogt method• Sort week’s worth of spam by ticker symbol• Identify spammer by email style• Compare each spammer’s past results• Identify top spammer• When first email from top spammer arrives… buy
the stock• Sell out
To sum up, choose the successful spammer; when the best spammer sends out his first email about a stock, we know to buy
What we did? (cont.)
28
Fig. 17: Buy it when got first spam from the best spammer
Conclusion
29
Did it work?• Yes
Method worked for a few weeks
Conclusion (cont.)
30
Did it work?• Yes, and No!
Method worked for a few weeks, but…• The best spammer had a bad week (lost ~$2M)
then disappeared• Major botnet takedowns (?)• Major SEC crackdown (“Operation Spamalot”)▪ Suspended trading on 35 stocks▪ Indicted two men in Texas for securities fraud. Eventual
$3.8M settlement▪ Because an SEC attorney was getting the spam
Conclusion (cont.)
31
Could it work again?• Maybe• Spam goes in cycles… botnet come and go…
Fig. 18: Recent spam in April 2009