
games-pro spam, Yahoo and Google "Feeling Lucky"

Tuesday, December 11, 2007 at 8:26am by Chris Barton

Spammers have been abusing free hosting for a long time. Yahoo's Geocities was pretty heavily targeted in its day, and more recently Google's Googlepages and blogspot are the abused services of choice. The general idea is that spammers can get 1-20+ thousand accounts a day with unique URLs and point them at a handful of spammed domains that they had to pay for.[1] It's improbable that any external party can compile a complete list of the abused accounts, report them to the host, and have the host engage somebody clueful 24/7 to take down the sites in any reasonable time period to make the spammer's campaign ineffective.[2]

I know, I’ve tried!

Those of you that read this blog a year and a quarter ago will remember that the metric truckload of accounts are often provided as a paid service to spammers if they are not able to perform the required tasks in house.

- Spammers have also been abusing the free blog services for a long time. (and setting up their own fakes)

- Spammers have also been abusing the free tiny url services for a long time. (and setting up their own fakes)

There is a common theme here! Free services that allow or facilitate blind redirection. It's all about getting emails through and links in front of victims, and as a rule of thumb, the more popular the service you abuse, the less likely it is to be blocked by the blacklists. Surbl have an open letter to redirection services, if you want some more education on the subject from the blacklist perspective. [3]

It’s no surprise that the next popular service to be abused is the search engines. To be clear, I’m not talking about Spamdexing (manipulating text for high search index rankings) or SEO dirty tricks, but (ab)using a search provider as a redirector by using the more advanced search options combined with “Feeling lucky” features that take you to the top search result.

I'll dissect this morning's sample for you, noting one additional point:
- Spammers have also been abusing the free webmail services for a long time.

A quantity of Yahoo webmail spam kindly deposited itself in one of our many millions of spamtraps, DKIM signed, SPF passed, etc., etc. Inside it was a link to a "feeling lucky" link c/o rival search giant Google.

Abused Search Host: http://www.google.com/
Search Function: search?q=
Search Feature Text in the URL: inurl:games-pro
Search Feature Text in the page: intext: won1 million megabet from casino online [4]
Search Invisible Redirect Feature: btnI=Lucky

If you put this lot back together you’ll get an invisible redirect (302) to casino-games-pro that’ll try and auto-install the CasOnline PUP. Charming.
I'd like to point out here that if you try to send a spammy link out via Yahoo webmail they CAPTCHA-test the sender (but they also did that when the accounts were set up, right?). The trick here is the fact that there is nothing spammy about a search link. I have no doubt that /btnI=Lucky/ will be hitting the filters at Yahoo's webmail HQ very shortly if it hasn't already.
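As an added defender-side example (not code from the original post), here is a small Python checker that pulls URLs out of a message body and flags search-engine links carrying the btnI parameter, reporting the search operators used to pin the top result. The sample message body and the list of watched search hosts are constructed assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample spam body (not a real capture) carrying a Google
# "I'm Feeling Lucky" link of the kind dissected in the post, plus a
# harmless link that must not be flagged.
SAMPLE_MAIL_BODY = """Congratulations! You won1 million megabet. Claim here:
http://www.google.com/search?q=inurl:games-pro+intext:won1+million+megabet+from+casino+online&btnI=Lucky
Unsubscribe: http://example.com/page
"""

# Assumed list of search hosts to watch; extend for other engines.
SEARCH_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://\S+")
# Splits a query into (operator, value) pairs; each value runs up to
# the next operator, so intext: keeps its whole phrase.
OPERATOR_RE = re.compile(
    r"(inurl|intext|intitle|site):(.*?)(?=\s+(?:inurl|intext|intitle|site):|$)")


def classify_link(url):
    """Describe whether url is a search-engine 'lucky' redirect and,
    if so, which operators the sender used to pin the top result."""
    p = urlparse(url)
    params = parse_qs(p.query)          # '+' decodes to a space here
    is_search = p.netloc.lower() in SEARCH_HOSTS and p.path == "/search"
    # Flag on the presence of btnI rather than the literal value "Lucky",
    # so a trivially changed value does not slip past the check.
    lucky = is_search and "btnI" in params
    query = params.get("q", [""])[0]
    operators = dict(OPERATOR_RE.findall(query)) if lucky else {}
    return {"url": url, "is_search": is_search,
            "lucky_redirect": lucky, "operators": operators}


def flag_lucky_redirects(links):
    """Return the classification of every link that is a lucky redirect."""
    return [r for r in map(classify_link, links) if r["lucky_redirect"]]


def scan_message(body):
    """Pull every URL out of a message body and flag the lucky redirects."""
    return flag_lucky_redirects(URL_RE.findall(body))


if __name__ == "__main__":
    for hit in scan_message(SAMPLE_MAIL_BODY):
        print(hit["url"], "->", hit["operators"])
```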

The "Feeling Lucky" spam technique is not particularly new, but this webmail twist does show the relentless diversity of spammers' abuse of free services provided by the big players, alongside their abuse of the smaller fish that Kevin blogged about the other day. As he pointed out, the spammers are using the phishers' techniques; how long before we see "btnI=Lucky" in phish?

All of these methods are popular because it's not really possible for RBLs or URIBLs to block them without collateral damage to innocent sites, making it more likely that spammers' links will get through to the inbox. Though when the abuse is more than background noise, things do happen.[5]

[1] Let's assume for ease that they actually do pay; in reality it's stolen card & credentials sampled from some carder IRC channel.
[2] Testing a random Googlepages link spam from last month shows that everything is still working.
[3] For the record, many shorter-link services took notice rapidly!
[4] Yes, I linked "won1 million megabet from casino online" - so what? I really do hope this blog helps.
[5] Take a look at SBL60999.


Comments (4)

  • Chris Barton December 17, 2007 7:59AM

    @James: good point.

    @e/c: Oh dear, how ever could that have happened, how embarrassing ;)

    @PaulJ: I’d hope it gets delivered.

  • PaulJ December 13, 2007 2:18PM

    Lame as it seems, eeNews newsletter has been embedding a googlepages.com link in their recent emails. The googlepages typically redirect to some affiliate-style advertiser.

    Guess what we do with their email….. :-)

  • elc December 11, 2007 2:55PM

    Very nicely done! I was checking out URLs from spamtraps to throw into the URIBL. This is now the Lucky button destination instead of the casino page :)

  • James December 11, 2007 1:41PM

    Google are an advert giant not a search giant.

    Looks like that casino site is now offline! Nice one.