Increase in usage of URL shorteners in spam campaigns


MX Lab, http://www.mxlab.eu, is noticing an increase in the usage of URL shorteners like bit.ly and others. This technique is being used to keep the URL from being detected by intent analysis techniques.

Some examples of the latest spam campaign for replica watches:

Complete your wardrobe with brand-name luxury accessories

http://durl.me/4krma

Come into our wonderful one-stop shopping experience, just one click away.

http://durl.me/4kohn

Get the Tag Heuer SLR Mercedes watch here

http://durl.me/4iii7

Get all your luxury needs under one roof, and at 60% off!

http://durl.me/4kpjy

Email not displaying correctly? View in your browser.
Great prices on all watch brands http://redir.ec/39qj

Our web-store of Watch-lones welcomes you!
We have copies of famous chronometer brands for more than affordable prices!
Respect and style will be easier to get!

If you wish to unsubscribe from our mailing list, click here

Make it happen now with the real and exact prices of the luxury products you are looking for.

http://durl.me/4kon6

The URLs in this spam campaign lead to the web site Ultimate Replica.

We saw the usage of URL shorteners emerge at the end of 2010, so it seems that this technique is becoming more popular among spammers. Each spam message has a different shortened URL, sometimes even processed by different URL shortening services.

While in the first campaigns we noticed some popular URL shorteners like bit.ly being used, the trend now is that other, lesser-known URL shortening services are being used. In some cases, the URL shorteners do not even have a way to report abuse through their web site, and I think that the spammers are aware of this.

In the past, we have submitted some shortened URLs to the abuse department of bit.ly, for example, and we noticed that the URLs were disabled quite fast.

Most of the URL shorteners also have an API available. The API makes it even easier to integrate a URL shortener service into a botnet or spam campaign. For example, the URL shortener wa.la has a very simple PHP API:

$shortenedurl = file_get_contents('http://wa.la/shorten.php?longurl=' . urlencode('http://theurl.to.shorten.com/'));

With a single line, the URL is shortened and usable in a spam campaign. In this case, no account has to be created so the creation of the URL is also anonymous.

Some URL shorteners also have the ability to gather some statistics about the usage of the shortened URL. Spammers can measure certain aspects of the spam campaign they manage.

In the past, MX Lab warned about URL shorteners and the possible threats you may encounter with them. One major disadvantage is that with certain URL shortening services you are no longer able to see the full URL before you click on it. The URL shorteners that spammers use do not have a preview mode like, for example, bit.ly. So the recipient will only see the full URL when following the shortened URL.

At this time it is a spam campaign for replica watches; one day it can be a malicious payload designed to infect your computer.

MX Lab has already been proactively scanning emails for shortened URLs for a few weeks, since we noticed the first campaigns with shortened URLs. When a shortened URL is detected, we take this into account when we determine whether the message is spam or not.
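
The check described above, as an added example that is not MX Lab's own filter: it finds URLs in a message body whose host is one of the shorteners named on this page and turns the hits into a spam-score contribution. The host list, function names, weights and sample bodies are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Shortener hosts named on this page; a real filter would keep a longer list.
SHORTENER_HOSTS = {"bit.ly", "durl.me", "redir.ec", "wa.la", "t.co", "yi.tl"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def find_short_urls(body):
    """Return (url, host) for each shortened URL found in a message body."""
    hits = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:!?)")  # drop trailing sentence punctuation
        try:
            parts = urlsplit(url)
        except ValueError:           # malformed URL, e.g. a broken IPv6 literal
            continue
        host = (parts.hostname or "").lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        # A shortener's bare home page carries no slug and redirects nowhere.
        if host in SHORTENER_HOSTS and parts.path.strip("/"):
            hits.append((url, host))
    return hits

def shortener_score(body, per_url=1.5, all_hidden_bonus=1.0, cap=4.0):
    """Spam-score contribution for shortened URLs (weights are assumptions)."""
    total_urls = len(URL_RE.findall(body))
    short = find_short_urls(body)
    if not short:
        return 0.0
    score = per_url * len({url for url, _ in short})
    # Every link in the message hides its destination: a stronger signal.
    if len(short) == total_urls:
        score += all_hidden_bonus
    return min(score, cap)

# Constructed sample bodies; the redir.ec and bit.ly links are quoted on this page.
SAMPLES = {
    "replica": "Great prices on all watch brands http://redir.ec/39qj",
    "mixed": "Docs at https://example.com/guide and http://bit.ly/hWqFoX+.",
    "clean": "Meeting notes: https://example.com/notes/2011-02",
    "homepage": "I shorten links at http://bit.ly/ myself.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, shortener_score(body), find_short_urls(body))
```

The score is meant to be one input among others in a spam verdict, as the paragraph above describes, not a verdict on its own.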

6 thoughts on “Increase in usage of URL shorteners in spam campaigns”

  1. Bit.ly actually does have a preview mode, it’s just not very well documented or well known. Adding a plus sign to the shortened url will present you with a preview page, for example, http://bit.ly/hWqFoX+ (just a link back to this page) – but obviously, spammers are not going to include preview-enabled shortened urls in their campaigns.

    (Sorry if this posted twice – wordpress.com was acting up.)

  2. We are starting to see the same spam campaigns using twitter’s t.co url shortening service. The urls link to sites where you can buy medications, penny stock, etc.

  3. Most URL shorteners now include a link preview facility by adding a ‘~’ or ‘+’ sign at the end of the short URL. A couple of the better ones, such as yi.tl, automatically check links for malware and phishing using Google’s safe browsing database and provide an abuse reporting facility that will remove spam links immediately. I don’t see what else they can do.

  4. Your current article has verified helpful to me.
    It’s really informative and you’re simply clearly very experienced of this type. You have got exposed my own eyes for you to varying thoughts about this kind of subject matter with intriguing and reliable content material.
