Wednesday, July 15, 2009

Spammers Abusing URL Shortening Services

We've previously warned about the dangers of following "Tiny URLs" on Twitter. With only 140 characters to use in a message, many Twitterers use URL shortening services to save their precious characters. Unfortunately, most people have no idea where a shortened link is going to take them until they click on it and get forwarded by the URL shortening service. It's a bit like playing Russian roulette. Click the shortened URLs, and you may get informative news stories, insightful blog articles, pornography, or a new virus!
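A shortened link can be resolved without visiting its destination by asking only the shortening service for its redirect and reading the `Location` header. The sketch below is an added example, not code from the original post; the host names, the sample redirect table and the hop limit are constructed assumptions.

```python
import http.client
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumed cap so a redirect loop between shorteners terminates

def head_location(url, timeout=5):
    """Send one HEAD request to url and return its Location header, if any."""
    parts = urlsplit(url)
    cls = (http.client.HTTPSConnection if parts.scheme == "https"
           else http.client.HTTPConnection)
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        if resp.status in (301, 302, 303, 307, 308):
            return resp.getheader("Location")
        return None
    finally:
        conn.close()

def expand(url, shortener_hosts, fetch=head_location):
    """Return the redirect chain, contacting only hosts in shortener_hosts."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        host = (urlsplit(chain[-1]).hostname or "").lower()
        if host not in shortener_hosts:
            break  # destination reached: report it, never request it
        location = fetch(chain[-1])
        if not location:
            break  # the shortener did not redirect (unknown or removed link)
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    return chain

# Constructed redirect table standing in for the network, so this runs offline.
SAMPLE = {
    "http://short.example/a1b2": "http://tiny.example/c3d4",
    "http://tiny.example/c3d4": "/r?id=7",
    "http://tiny.example/r?id=7": "http://landing.example/bingo?aff=0000",
}
SHORTENERS = {"short.example", "tiny.example"}  # constructed host names

def demo():
    return expand("http://short.example/a1b2", SHORTENERS, fetch=SAMPLE.get)

if __name__ == "__main__":
    print(" -> ".join(demo()))
```

The last entry of the chain is the landing page, which a mail filter can check against its blocklists even though the message itself only contained the shortener's host.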

At the UAB Spam Data Mine we've seen a few of these Tiny URLs used in spam, but now we have our first major campaign that is exploiting them in a highly organized way.

Bingo Palms has a current spam campaign underway which involves a large number of these URL shorteners, including:

So far we've seen almost a thousand of these spam messages, and have encountered 453 unique URLs at this point. Here are the subjects that are being used in this spam campaign:

Subject: $10 free deposit
Subject: $5000 Jackpot waiting for you!
Subject: 200% bonus on every deposit
Subject: 75 and 90 Ball Bingo
Subject: Become A Bingo Hustler
Subject: Become A Winner Today
Subject: Become A Winner With Bingo
Subject: b-i-n-g-o for you!
Subject: Bingo has never been easier.
Subject: Bing-o Was Her Name-o
Subject: Do you like to play bingo online?
Subject: Enjoy Bingo Online
Subject: Ever wanted to play Bingo for Cash ?
Subject: Gamble online? Read me!
Subject: Gamble With Bingo
Subject: Gamble? Like to play online?
Subject: Hot 9-Real SLot Machines! $25,000 Jackpot
Subject: Hustle Online. Play Bingo.
Subject: Like Bingo? Win $
Subject: Nickel, Dime, Quarter, & High Roller Games!
Subject: Nightly Events for CASH Prizes
Subject: Online diplomas here.
Subject: Play Bing0 Online
Subject: Play Bingo Now
Subject: Play Bingo Today
Subject: play online
Subject: Play Online Now
Subject: Play Online, Win Today
Subject: Someone has invited you to a game of Bingo
Subject: Something For You. Play Online.
Subject: Vehicle Warranty - 60% off
Subject: Want to play bingo online and win CASH ?
Subject: Win With Bingo
Subject: You have been invited to a Bingo game!

We see this campaign as a dangerous precedent which could be followed by other spammers to make our efforts to block their spam more difficult. As one would expect, the spammer, in addition to cheating the affiliate program and offering "probably illegal" gambling to his email recipients, is delivering his spam message through a world-wide botnet of compromised computers. Just in our spam samples, we have spam for this campaign sent from 698 different computers in 43 different countries around the world.

AfriNIC countries of CI, MA, SD, ZA
APNIC countries of BD, HK, ID, IN, JP, KR, PK, TH, TW, VN
ARIN countries of US (only 6 machines)
LACNIC countries of AR, BR, CL, CO, MX, SV, VE
RIPE NCC countries of AM, AZ, BY, DE, EU, GR, HR, HU, IL, IQ, IR, IT, KZ, MD, PL, PT, RO, RS, RU, UA, UZ

Despite a broad smattering of countries, 43% of our spam came from Brazil, 20% from Russia, 13% from the Ukraine, 7% from India, and 2% from Italy. No other country represented more than 1% of the spam we received in this campaign.

Here are the URLs that we have seen so far in this campaign:
