Cybercrime Gang Amasses 80+ URL Shortening Sites in Attempt to Circumvent Spam Filters

Spammers have turned to creating their own URL shortening services to better conceal links in their messages.

Researchers at Symantec recently uncovered a spam gang with at least 80 URL shortening sites, all of which used a similar naming pattern as well as the .info top-level domain. According to the company, the spammers are using free, open source URL shortening scripts to operate these sites. After creating shortened URLs with their own service, the spammers then blast out their messages with the URLs in tow.

“It is possible that spammers are setting up their own URL shortening sites since legitimate URL shortening sites, who have long suffered with abuse, have slightly improved their detection of spam and other malicious URLs,” according to Symantec’s October Intelligence Report. “It’s not fully clear why the sites are public. Perhaps this is simply due to laziness on the spammers’ part, or perhaps an attempt to make the site seem more legitimate.”

In the case of the spam emails analyzed by Symantec, the messages included a mixture of blank subjects and titles like ‘It’s a long time since I saw you last!’. Inside the messages is a link to one of the spammer’s URL shortening sites, which redirects users to a pharmaceutical spam site. The domains used for the URL shortening sites all have the same contact information – with all contacts based in Moscow – and are all hosted by a UK subsidiary of a large hosting company. Symantec has notified the company.

“From our analysis in 2010, it appeared that each shortened URL received an average of 44.2 visits, and approximately 93.5 percent of responses were received within three days of the spam being sent,” said Paul Wood, senior intelligence analyst for Symantec. “Approximately two to three percent of all email spam now contains a shortened URL – and the use of shortened links provides more intelligence to the spammer – e.g .with bit.ly by appending a “+” to the end of the URL reveals a lot of interesting information about the success or not of that link. Shortening services have improved their approach to how they respond to abuses, in some cases removing the links more quickly, or presenting a warning page beforehand.”

According to Wood, just how much rogue URL shortening services will catch on – and whether or not they will become a specialized, for-profit business in the cyber-underworld – remains unknown.

“At the moment it’s not possible to tell what business model they have employed – it may just be an initial experiment to determine the degree of success this approach may yield, over a more traditional approach, or through using a legitimate shortening service,” Wood said.

Despite spammer’s crafty tactics, spam levels have actually declined recently. In its October 2011 Intelligence Report, Symantec reported that the global ratio of spam in email traffic declined slightly to 74.2 percent (1 in 1.35 emails), a decrease of 0.6 percentage points when compared with September 2011. Phishing was also down slightly in October, at a rate of one in 343.1 emails containing some type of phishing attack in October.