Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Cybercrime Gang Amasses 80+ URL Shortening Sites in Attempt to Circumvent Spam Filters

Spammers have turned to creating their own URL shortening services to better conceal links in their messages.

Researchers at Symantec recently uncovered a spam gang with at least 80 URL shortening sites, all of which used a similar naming pattern as well as the .info top-level domain. According to the company, the spammers are using free, open source URL shortening scripts to operate these sites. After creating shortened URLs with their own service, the spammers then blast out their messages with the URLs in tow.

Spammers have turned to creating their own URL shortening services to better conceal links in their messages.

Researchers at Symantec recently uncovered a spam gang with at least 80 URL shortening sites, all of which used a similar naming pattern as well as the .info top-level domain. According to the company, the spammers are using free, open source URL shortening scripts to operate these sites. After creating shortened URLs with their own service, the spammers then blast out their messages with the URLs in tow.

“It is possible that spammers are setting up their own URL shortening sites since legitimate URL shortening sites, who have long suffered with abuse, have slightly improved their detection of spam and other malicious URLs,” according to Symantec’s October Intelligence Report. “It’s not fully clear why the sites are public. Perhaps this is simply due to laziness on the spammers’ part, or perhaps an attempt to make the site seem more legitimate.”

In the case of the spam emails analyzed by Symantec, the messages included a mixture of blank subjects and titles like ‘It’s a long time since I saw you last!’. Inside the messages is a link to one of the spammer’s URL shortening sites, which redirects users to a pharmaceutical spam site. The domains used for the URL shortening sites all have the same contact information – with all contacts based in Moscow – and are all hosted by a UK subsidiary of a large hosting company. Symantec has notified the company.

Shortened Links in Spam“From our analysis in 2010, it appeared that each shortened URL received an average of 44.2 visits, and approximately 93.5 percent of responses were received within three days of the spam being sent,” said Paul Wood, senior intelligence analyst for Symantec. “Approximately two to three percent of all email spam now contains a shortened URL – and the use of shortened links provides more intelligence to the spammer – e.g .with bit.ly by appending a “+” to the end of the URL reveals a lot of interesting information about the success or not of that link. Shortening services have improved their approach to how they respond to abuses, in some cases removing the links more quickly, or presenting a warning page beforehand.”

According to Wood, just how much rogue URL shortening services will catch on – and whether or not they will become a specialized, for-profit business in the cyber-underworld – remains unknown.

“At the moment it’s not possible to tell what business model they have employed – it may just be an initial experiment to determine the degree of success this approach may yield, over a more traditional approach, or through using a legitimate shortening service,” Wood said.

Despite spammer’s crafty tactics, spam levels have actually declined recently. In its October 2011 Intelligence Report, Symantec reported that the global ratio of spam in email traffic declined slightly to 74.2 percent (1 in 1.35 emails), a decrease of 0.6 percentage points when compared with September 2011. Phishing was also down slightly in October, at a rate of one in 343.1 emails containing some type of phishing attack in October.

Written By

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.