funsec mailing list archives

Re: New spammer tricks


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 14 Mar 2008 11:40:38 +1300

rms () computerbytesman com wrote:

I haven't seen this trick used before.   ...

You must not get, or at least look at much of your, spam...

...  Some spammer is using Google to
redirect to their own Web site.  ...

Ancient.

Been around for a long time, plus several variations including adwords, 
DoubleClick (now owned by Google) and such.  Perhaps my favourite such 
trick is the "Google search URL with 'I'm feeling lucky' option" -- 
after ensuring that a search for some reasonably unique phrase on the 
target page, or just the domain name itself, has the target page as the 
first search result, spam out the search URL with Google's "I'm feeling 
lucky" option (the "btnI" URL parameter) which tells Google to redirect 
to the top search hit rather than display the search results list.

I reported this to John Graham-Cumming in July last year as a potential 
TSC entry, but he didn't add it to TSC until September:

  http://www.jgc.org/tsc.html

(look for the "Are you feeling lucky, Sergey?" entry).  Although I was 
fairly sure I'd heard of this being used earlier, a quick search at the 
time did not turn up earlier examples of spammers using it.

The fun thing about this one is that a high-profile site can easily 
subvert it, resulting in an effective, remote and fully hands-off 
"take-down", as Bojan Zdrnja noted in an update to his ISC Diary blog 
entry about the phenomenon:

   http://isc.sans.org/diary.html?date=2007-09-21

...  Lots of Web sites offer redirector URLs
which can be used by the spammers.  Tinyurl and similar services would be
another obvious choice.

In my experience, tinyurl.com is pretty responsive to abuse reports, 
whereas Google, DoubleClick, etc. are not.  Google did fix the then well-
known and heavily-used "url?q=<target_url>" redirector, but most of 
their other open redirectors are directly tied to their revenue 
generation business and re-writing their whole infrastructure to fix 
that is either taking longer or has been deemed not worth the effort, 
so the spammers have moved to using all those other open redirectors.

I'm also starting to get spam messages that place HTML Web pages in attached
Zip files to avoid spam filters.  So far, none of the Web pages appear to be
malicious.

Yeah -- this seemed to start about a week to ten days ago and aside 
from avoiding message content spam filters, I'm not sure it buys the 
spammers a lot.  Is there a common MUA out there that makes viewing the 
HTML content of these attachments really, really easy?  I have seen 
password-protected ZIP attachment spam with directions in the message 
body that the attachment contains links to porn and that you should 
only "unlock" the attachment with the provided password and read its 
contents if you are of a legal age to view porn where you live and only 
if viewing porn is not otherwise illegal.  The difference was that the 
message made it fairly clear what you would, ahem, "gain" from opening 
the attachment.  This latest batch of non-encrypted ZIP attachment spam 
doesn't seem, to me, to have quite such a clear message, with very 
minimalist spams typically, in the ones I've seen, like:

   Subject: Don't get left behind, get it

            Feel and smell more sexy to women

            Details attached


   Subject: Master in bed games

            Take her to seven heaven

            Details attached

So I'm not sure that there is that much of a hook to the spammers' 
potential customers...


Regards,

Nick FitzGerald
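As an added example that is not part of the original post: a small filter-side check in Python that flags URLs in a message body using the two Google redirector forms discussed above (the "btnI" I'm-feeling-lucky search URL and the url?q= hop) plus a shortener list, recovering the destination where that is possible without fetching anything. The sample body, the example.invalid targets and the shortener set are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample spam body (not from the thread): the two Google redirector
# forms the post names, a shortener link and an ordinary link for contrast.
SAMPLE_BODY = """Hot deals, see
http://www.google.com/search?q=%22cheap+meds+direct%22&btnI=I%27m+Feeling+Lucky
or http://google.com/url?q=http%3A%2F%2Fexample.invalid%2Foffer
plain link http://example.invalid/page and http://tinyurl.com/abc123
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
GOOGLE_HOST_RE = re.compile(r"(www\.)?google\.(com|co\.[a-z]{2}|[a-z]{2})")
SHORTENER_HOSTS = {"tinyurl.com"}  # assumed list a filter would maintain


def classify_redirect(url):
    """Return (kind, target) if url is a known redirector form, else None.

    'feeling-lucky': a search URL carrying btnI, which sends the visitor to the
    top hit for the query; 'google-url-q': the url?q=<target> hop; 'shortener':
    target is None because resolving it would need a request.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    if GOOGLE_HOST_RE.fullmatch(host):
        if parts.path == "/search" and "btnI" in qs:
            return ("feeling-lucky", qs.get("q", [""])[0])
        if parts.path == "/url" and "q" in qs:
            return ("google-url-q", qs["q"][0])
        return None  # an ordinary Google link, e.g. a plain results page
    if host in SHORTENER_HOSTS:
        return ("shortener", None)
    return None


def scan_message(body):
    """Extract every URL in a message body and keep the redirector hits."""
    hits = []
    for url in URL_RE.findall(body):
        verdict = classify_redirect(url)
        if verdict is not None:
            hits.append((url,) + verdict)
    return hits


if __name__ == "__main__":
    for url, kind, target in scan_message(SAMPLE_BODY):
        print(kind, url, "->", target)
```

A plain results-page link (search URL without btnI) is deliberately not flagged, so the check stays quiet on ordinary mail that merely links to Google.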

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
