Symantec uncovered a spam gang that launched its own URL-shortening Websites to generate links to pharmaceutical spam sites instead of relying on popular services.
Spammers have found a way to
circumvent security measures at URL-shortening Websites that detect and remove
malicious links. They are creating their own services on the .info domain,
Symantec researchers found.
Symantec has identified more
than 80 sites set up by spammers to shorten Website addresses, according to its
latest "Intelligence Report" released Oct. 25. The services have been
built using an open-source URL-shortening script that is publicly available.
Shortened URLs pose a
security risk since users can't tell if the link they are clicking on would
direct them to a legitimate site or a malicious one. Besides the well-known
sites such as bit.ly, many companies have launched their own URL shorteners,
making it a challenge for users to keep track of the various services.
Sites like Twitter, which
impose a character limit on what users post, have made these services popular,
making it even more likely that users will click on a link without stopping to
thinking about its potential destination. Most services would disable a link
once notified that it was malicious, and Twitter has introduced its own
shortening service, which checks the actual Website to see if it is potentially
dangerous or included on various blacklists before generating a link.
"It is possible that spammers
are setting up their own URL-shortening sites since legitimate URL-shortening
sites, [which] have long suffered with abuse, have slightly improved their
detection of spam and other malicious URLs," Symantec researchers wrote in the
October "Intelligence Report."
All the Websites identified
by Symantec so far appear to be hosted on several different IP addresses owned
by a United Kingdom-based subsidiary of a large hosting company, which Symantec
declined to name. All the domain names followed a similar naming pattern and
were registered with contact information in Russia.
At the moment, the shortened
links from these services appear to be included only in pharmaceutical spam.
The subject lines vary, or may even be blank, but the message body generally
always contained a shortened link generated by the spammer's service. The link
would then direct users to a pharmaceutical spam site, according to Symantec.
This new tactic is most
likely in response to vast improvements in spam detection by popular URL-shortening
sites. This was "yet another example" of cyber-criminals adopting new
technology to bypass traditional security measures, Bradley Anstis,
vice-president of technical strategy at M86, told eWEEK.
Spammers have switched to
putting in shortened links, either generated by malicious or legitimate
services, in spam messages to bypass anti-spam filters, which may have
difficulty detecting which of the links are actually dangerous, according to
"A lot of the traditional
anti-spam engines were developed before Twitter, so they are not geared up to
recognize embedded URLs as seen in blended email threats in spam, let alone
shortened URLs that link to malicious, or compromised Web pages," Anstis
Despite these new tactics,
spam levels have been declining. Symantec reported in its monthly report that
the global ratio of spam in email traffic was 74 percent, or one in 1.35
messages, a 0.6 percent dip since September. Nearly one in 236 emails contained
malware, a 0.11 percent decline since last month, but phishing attempts were
slightly up (about 0.07 percent), to one in 343 emails.