Dope growing stock gets high on Waledac botnet

Pump and dump spam from the notorious Waledac botnet may have netted fraudsters tens of thousands of dollars by triggering a brief spike in the stock price of a US marijuana cultivation firm.

Security firm Symantec has plotted out evidence that links unusual trading activity in Indie Growers Association’s stock in November to a burst of pump and dump spam from Waledac that month.

Waledac, also known as Kelihos, has been around for several years and has been the subject of numerous attempted takedowns, the last of which occurred in 2012.

As Symantec notes, the botnet has been used to collect credentials from compromised computers and perform denial of service attacks, but it’s mostly known for using infected computers to distribute spam.

Indie Growers Association is based in Washington, where medical and recreational marijuana use is legal. The company says on its website that it aims to lease large-scale greenhouses to growers of medical-grade marijuana.

However, more interesting than the firm’s industry is its stock (UPOT), which was trading at $0.59 in January but had settled at $0.05 by October 8, where it remained until November 1.

Symantec speculates the pump and dump perpetrators chose the stock for its historically volatile price. Spam runs promoting UPOT began on November 7 and lasted 11 days to November 18, according to Symantec, during which time UPOT peaked at $0.16.

While it can’t be proven that the pump and dump spam caused the spike, the botnet is capable of distributing a lot of spam to potential investors. Symantec said it observed a single bot sending over 30,000 spam messages in a month. Historically, Waledac has had between 40,000 and 100,000 bots at its disposal.

There’s also a correlation between Waledac’s UPOT spam and UPOT’s price and, more tellingly, a flurry of trading as the price began to climb. Two days after Waledac’s ‘buy UPOT’ spam began, the stock jumped to $0.08, and on November 9 a trading site reported “unusual trading” in the stock.

“UPOT, Indie Growers Association, displayed unusual trading activity shuffling nearly 300,000 shares in today’s session up nearly 100% intra-day slapping .12 cents, up from its prior close of just around .06 cents,” the trading site reported.

It’s probably no coincidence that on November 18, the day Waledac’s UPOT spam ended, UPOT’s price peaked at $0.16, when the fraudsters would likely have begun dumping the stock. UPOT was trading at below $0.05 by January 1, 2016.

“While it’s difficult to put a figure on the profit that the perpetrator of this pump and dump scam may have made, given the volume of shares traded around this time we would estimate it to be potentially in the tens of thousands of dollars,” Symantec’s security response team noted.
