Spammers Using Own URL-Shortening Services for Pharmacy Spam

Symantec uncovered a spam gang that launched its own URL-shortening Websites to generate links to pharmaceutical spam sites instead of relying on popular services.

Spammers have found a way to circumvent security measures at URL-shortening Websites that detect and remove malicious links. They are creating their own services on the .info domain, Symantec researchers found.

Symantec has identified more than 80 sites set up by spammers to shorten Website addresses, according to its latest "Intelligence Report" released Oct. 25. The services have been built using an open-source URL-shortening script that is publicly available.

Shortened URLs pose a security risk since users can't tell if the link they are clicking on would direct them to a legitimate site or a malicious one. Besides the well-known sites such as, many companies have launched their own URL shorteners, making it a challenge for users to keep track of the various services.

Sites like Twitter, which impose a character limit on what users post, have made these services popular, making it even more likely that users will click on a link without stopping to thinking about its potential destination. Most services would disable a link once notified that it was malicious, and Twitter has introduced its own shortening service, which checks the actual Website to see if it is potentially dangerous or included on various blacklists before generating a link.

"It is possible that spammers are setting up their own URL-shortening sites since legitimate URL-shortening sites, [which] have long suffered with abuse, have slightly improved their detection of spam and other malicious URLs," Symantec researchers wrote in the October "Intelligence Report."

All the Websites identified by Symantec so far appear to be hosted on several different IP addresses owned by a United Kingdom-based subsidiary of a large hosting company, which Symantec declined to name. All the domain names followed a similar naming pattern and were registered with contact information in Russia.

At the moment, the shortened links from these services appear to be included only in pharmaceutical spam. The subject lines vary, or may even be blank, but the message body generally always contained a shortened link generated by the spammer's service. The link would then direct users to a pharmaceutical spam site, according to Symantec.

This new tactic is most likely in response to vast improvements in spam detection by popular URL-shortening sites. This was "yet another example" of cyber-criminals adopting new technology to bypass traditional security measures, Bradley Anstis, vice-president of technical strategy at M86, told eWEEK.

Spammers have switched to putting in shortened links, either generated by malicious or legitimate services, in spam messages to bypass anti-spam filters, which may have difficulty detecting which of the links are actually dangerous, according to Anstis.

"A lot of the traditional anti-spam engines were developed before Twitter, so they are not geared up to recognize embedded URLs as seen in blended email threats in spam, let alone shortened URLs that link to malicious, or compromised Web pages," Anstis said.

Despite these new tactics, spam levels have been declining. Symantec reported in its monthly report that the global ratio of spam in email traffic was 74 percent, or one in 1.35 messages, a 0.6 percent dip since September. Nearly one in 236 emails contained malware, a 0.11 percent decline since last month, but phishing attempts were slightly up (about 0.07 percent), to one in 343 emails.