Web site creator hosts are being abused in spam campaigns

Spammers are not afraid to abuse community sites or blog creators like blogspot.com in their spam campaigns. In some cases the spam content is published directly on these sites; in others a redirect is embedded that forwards the visitor to a web site of the spammer's choice offering porn, pills and similar goods.

MX Lab has noticed an increase over the last few days in URLs in spam messages that point to (free) web site creator hosts or less well known blog creators. Some of the latest victims are doodlekit.com, sitekreator.com, webs.com, webstarts.com and blogdrive.com.

Some examples of the spam:

of necromancer beyond power drill ostensibly wily
dissidents customer
PornstarMikaTanAnalFingering hxxp://trhombic.blogdrive.com
because girls

dissidents blotched greedily

mirror about starlet likeable
WorldOfLustyAmatteurGalsFujckkingOnCameraWithBigCodfckedLadsAndBelovedSelxToys hxxp://sitekreator.com/Dewtty/sdfgty.html

haunchestoward

for cleavage inside carelessly womanly
bubble baths scythe
AsianSuckingAndFuckingHardcore hxxp://wilfredorz.webs.com
or tea parties

over and accidentally

tea parties flabby
WorldOfLustyAmatenurGalsFujckkingOnCameraWithBigCobckedLadsAndBelovedSjexToys hxxp://s2.webstarts.com/ssey/q2.html

philosopherssecretly

What we also notice is, once again, the use of random words in the spam message. This is a very common technique that has been used for years, with two goals: to avoid detection by Bayesian filters, and to compromise and corrupt the knowledge database of the Bayesian filter when the message is fed back into the filter as training data.

This technique is also present in the latest spam campaign of the Canadian Pharmacy:

This is a link to our shop http://bc.greatsilent.ru/

gazoive dyojefip eicyla uxamo kajoubemi zitykiboto yejy
irewyumuco izaafoe samin uypoi nyqii asydado
hoxyaogeqa eokinap asiwy yziuboaxoj alomem kawuqyxy
ajitikumoa fiaxe oqoce qiahow yvenouwa bosyebuje ucotaley
yeqa uhybyo nidodyziru logu noboma uuju uedywaby
…. (cut)….
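To make the Bayesian angle concrete, here is an added example that is not part of the original post and not MX Lab's code: a minimal Graham-style naive Bayes filter trained on a small constructed ham and spam corpus, scored against a message padded with the random words from the Canadian Pharmacy sample above. The padding words are unknown to the filter, so they carry no weight in the score, but a high share of never-seen tokens is itself a signal; the `novel_fraction` and `safe_to_autotrain` methods use it to refuse feeding such a message back into the token database, which is where the corruption the post describes would otherwise happen. The training sentences, the two test messages and the thresholds are assumptions for illustration.

```python
import math
import re
from collections import Counter

# Constructed training corpora for this illustration, not a real mail archive.
HAM_TRAINING = [
    "Meeting moved to Thursday, please confirm your attendance",
    "Attached is the invoice for last month, let me know if anything is missing",
    "Can you review the pull request before the release on Friday",
    "Lunch at noon? The new place near the office has good soup",
]
SPAM_TRAINING = [
    "Cheap pills online, order now from our discount shop",
    "Hot girls on camera, visit hxxp://trhombic.blogdrive.com",
    "Buy viagra cialis online from the best pharmacy shop",
    "Click the link to our shop for cheap pills now",
]

TOKEN_RE = re.compile(r"[a-z][a-z0-9.\-]{2,}")


def tokenize(text):
    """Lower-case tokens of three or more characters; a host such as
    s2.webstarts.com survives as one token."""
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Minimal Graham-style naive Bayes filter plus a poisoning indicator."""

    def __init__(self):
        self.spam_counts = Counter()  # token -> spam messages containing it
        self.ham_counts = Counter()   # token -> ham messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        counts = self.spam_counts if is_spam else self.ham_counts
        for tok in set(tokenize(text)):
            counts[tok] += 1
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_probability(self, tok):
        """P(spam | token), or None for a token never seen in training."""
        b, g = self.spam_counts[tok], self.ham_counts[tok]
        if b + g == 0:
            return None
        bad = min(1.0, b / max(self.n_spam, 1))
        good = min(1.0, 2 * g / max(self.n_ham, 1))  # ham weighted double, as Graham does
        return min(0.99, max(0.01, bad / (bad + good)))

    def score(self, text):
        """Combine the 15 most decisive known tokens into one spam probability;
        unknown tokens (the random padding) simply carry no weight."""
        probs = [p for p in map(self.token_probability, set(tokenize(text))) if p is not None]
        if not probs:
            return 0.5
        top = sorted(probs, key=lambda p: abs(p - 0.5), reverse=True)[:15]
        spam_side = math.prod(top)
        ham_side = math.prod(1 - p for p in top)
        return spam_side / (spam_side + ham_side)

    def novel_fraction(self, text):
        """Share of tokens the filter has never seen; random-letter padding drives this up."""
        toks = tokenize(text)
        if not toks:
            return 0.0
        unseen = sum(1 for t in toks if self.spam_counts[t] + self.ham_counts[t] == 0)
        return unseen / len(toks)

    def safe_to_autotrain(self, text, max_novel=0.4):
        """Refuse to learn from a message whose vocabulary is mostly unknown: every
        junk token would otherwise become a fresh entry in the token database."""
        return self.novel_fraction(text) <= max_novel


def build_filter():
    f = BayesFilter()
    for m in HAM_TRAINING:
        f.train(m, is_spam=False)
    for m in SPAM_TRAINING:
        f.train(m, is_spam=True)
    return f


FILTER = build_filter()

# Padding words taken from the Canadian Pharmacy sample quoted above; the two test
# messages below are constructed.
POISONED_SPAM = ("This is a link to our shop http://bc.greatsilent.ru/ gazoive dyojefip "
                 "eicyla uxamo kajoubemi zitykiboto yejy irewyumuco izaafoe samin uypoi nyqii asydado")
SPAM_TEST = "Cheap viagra pills from our online pharmacy shop hxxp://s2.webstarts.com/ssey/q2.html"
HAM_TEST = "Please review the attached report before Friday"

if __name__ == "__main__":
    for label, msg in (("spam", SPAM_TEST), ("ham", HAM_TEST), ("padded", POISONED_SPAM)):
        print(f"{label:6s} score={FILTER.score(msg):.3f} novel={FILTER.novel_fraction(msg):.2f} "
              f"autotrain={FILTER.safe_to_autotrain(msg)}")
```

The novelty check only catches the letter-salad variant. Padding made of real dictionary words, as in the first batch of samples, looks like ordinary vocabulary and is only blunted by a ham corpus large enough that those words are already well known to the filter.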

New web site creator hosts are being used each day. When I visited a few of these web site creator hosts I found that signing up is very easy. Account requests can be automated quite easily, up to a point, without being blocked by any security measure or having to click an activation link sent by email.

On doodlekit.com we found a CAPTCHA on the subscription web form, although I believe a good CAPTCHA should have letters that are harder to read than this one. Still, it is a start.

On webs.com I set up a dummy web site account with the site address http://tryviagra.webs.com without meeting any security measure at all. This means that anyone who completes the web forms can set up a free web site creator account.

In this particular case every step can be automated and a bot can do all the work. I could create between 10 and 100 accounts a day, and the site administrators would perhaps not even notice. It is a very efficient way of getting coverage on the internet: free hosting for my site, or a place from which to redirect visitors to my site.
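The two controls the author finds missing on the signup forms, a cap on requests per source and an activation link that has to be clicked before the site exists, are small to implement. The following is an added example, not MX Lab's code and not the implementation of any of the hosts named in the post: a `SignupGuard` class (a hypothetical name) with a sliding-window limit per source address and single-use activation tokens stored as keyed digests, followed by a constructed scenario that walks one source through the limit and through activation. The limits, the address and the site names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque


class RateLimited(Exception):
    """Raised when one source address asks for too many sites inside the window."""


class SignupGuard:
    """Two cheap controls for a site-builder signup form: a sliding-window cap on
    requests per source address, and a single-use activation token that has to
    come back (normally via e-mail) before the requested site goes live."""

    def __init__(self, max_per_window=3, window_seconds=3600, clock=time.time):
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock                    # injectable so tests can move time forward
        self.attempts = defaultdict(deque)    # source -> timestamps of recent requests
        self.pending = {}                     # HMAC(token) -> site name awaiting activation
        self.live = set()                     # sites that may be served
        self._key = secrets.token_bytes(32)   # keyed digests: a leaked table yields no usable tokens

    def _digest(self, token):
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def request_site(self, source, site_name):
        """Record a signup request and return the activation token to be mailed out.
        Raises RateLimited once the source has used up its allowance for the window."""
        now = self.clock()
        recent = self.attempts[source]
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            raise RateLimited(f"{source}: more than {self.max_per_window} requests in {self.window}s")
        recent.append(now)
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = site_name
        return token

    def activate(self, token):
        """Consume a token exactly once; only then does the site become reachable."""
        site = self.pending.pop(self._digest(token), None)
        if site is None:
            return False
        self.live.add(site)
        return True

    def is_live(self, site_name):
        return site_name in self.live


def run_scenario():
    """Walk one source through the limit, then through activation; returns the
    observations so they can be checked rather than only printed."""
    clock = [1_000_000.0]
    guard = SignupGuard(max_per_window=3, window_seconds=3600, clock=lambda: clock[0])
    source = "203.0.113.5"                    # documentation-range address, constructed
    token = guard.request_site(source, "site-a")
    guard.request_site(source, "site-b")
    guard.request_site(source, "site-c")
    try:
        guard.request_site(source, "site-d")
        fourth_blocked = False
    except RateLimited:
        fourth_blocked = True
    live_before = guard.is_live("site-a")
    first_activation = guard.activate(token)
    replay = guard.activate(token)            # the same token again must fail
    bogus = guard.activate("not-a-token")
    clock[0] += 3601                          # window expired
    retry_ok = bool(guard.request_site(source, "site-d"))
    return {
        "fourth_blocked": fourth_blocked,
        "live_before_activation": live_before,
        "first_activation": first_activation,
        "live_after_activation": guard.is_live("site-a"),
        "replay_accepted": replay,
        "bogus_accepted": bogus,
        "retry_after_window": retry_ok,
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

A per-address cap alone is weak against a bot spread over many addresses, which is why the activation step matters: a site that is never activated is never served, so the e-mail round trip, not the form, becomes the cost the bot has to pay for every account.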

To make it worse, I could also place malware on such a site and try to infect each visitor with malware, ransomware or other malicious files.

As a spammer, I would have the advantage over Intent Analysis tools or SURBL, tools that examine and block messages based on the URLs they contain, by generating multiple URLs each day and changing the URLs in the spam message.
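URL-based blocking loses when every message carries a fresh subdomain or path, but in the samples above one thing does not change: the free hosting provider the URL hangs off. The following is an added example, not MX Lab's code and not how SURBL or any Intent Analysis product works internally: it extracts the (defanged) URLs from a batch of messages, reduces each to the provider domain and the customer site under it, and reports providers whose customer sites rotate within the batch. The provider list is the set of hosts named in the post, the parent-domain rule is a two-label approximation, the filler text is constructed, and the second blogdrive.com subdomain and the intranet link are invented for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Free site and blog builders named in the post; a real deployment would feed this
# set from observed abuse rather than hard-code it.
FREE_SITE_HOSTS = {
    "blogspot.com", "doodlekit.com", "sitekreator.com",
    "webs.com", "webstarts.com", "blogdrive.com",
}

# http(s) URLs plus the hxxp:// defanged form used in the post's samples.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://[^\s<>\"']+", re.IGNORECASE)


def refang(url):
    """Turn hxxp:// back into http:// so urlsplit can parse it."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def parent_domain(host):
    """Registrable domain, approximated as the last two labels. Good enough for the
    .com providers here; production code should consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def site_key(url):
    """(provider, site) for a URL on a known free builder, else None. The site is
    the customer subdomain, or the first path segment when the builder hosts
    everyone under its bare hostname (the sitekreator.com sample)."""
    parts = urlsplit(refang(url.rstrip(".,;:)")))
    host = parts.hostname or ""
    provider = parent_domain(host)
    if provider not in FREE_SITE_HOSTS:
        return None
    sub = host[: -len(provider)].rstrip(".")
    if sub in ("", "www"):
        segments = [s for s in parts.path.split("/") if s]
        sub = segments[0].lower() if segments else ""
    return provider, sub


def message_flags(msg):
    """Free-builder links in one message, as (provider, site) pairs."""
    return [k for k in (site_key(u) for u in URL_RE.findall(msg)) if k]


def provider_sites(messages):
    """Distinct customer sites per abused provider across a batch of messages."""
    sites = defaultdict(set)
    for msg in messages:
        for provider, site in message_flags(msg):
            sites[provider].add(site)
    return {p: sorted(s) for p, s in sites.items()}


def rotation_report(messages, min_sites=2):
    """Providers whose customer sites churn within the batch. Each full URL is new,
    so a URL blocklist lags behind, but the provider it hangs off stays constant."""
    return {p: s for p, s in provider_sites(messages).items() if len(s) >= min_sites}


# Sample batch: the four URLs quoted in the post, with constructed filler text; the
# second blogdrive.com subdomain and the intranet link are invented for the example.
SAMPLE_BATCH = [
    "random filler words hxxp://trhombic.blogdrive.com",
    "more filler hxxp://sitekreator.com/Dewtty/sdfgty.html",
    "filler again hxxp://wilfredorz.webs.com",
    "yet more filler hxxp://s2.webstarts.com/ssey/q2.html",
    "tea parties flabby hxxp://example-second.blogdrive.com",
    "Minutes are on the wiki: https://intranet.example.com/wiki/minutes",
]

if __name__ == "__main__":
    for provider, sites in provider_sites(SAMPLE_BATCH).items():
        print(f"{provider}: {', '.join(sites)}")
    print("rotating:", rotation_report(SAMPLE_BATCH))
```

Blocking the whole provider is rarely acceptable, since legitimate customers live there too; the practical use of this signal is as one weighted feature next to the Bayesian score, and as a feed for the abuse desk of the provider in question.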

Again, it shows that internet security is a responsibility of everyone and everyone should get involved. If we want to stop spammers, we also have to make sure that some of the features spammers have at their disposal today – this is a nice example, I think – can't be used tomorrow.

Feel free to comment on this post.

Disclaimer: it is not our intention to attack webs.com over their lack of security – perhaps in a certain way it is – but to point out how easy it is to abuse certain online tools.
