April 25, 2010

Spammers also "Recycle"


Imagine how much trash is recycled every day in real life. The same thing happens on the Internet. Spammers create new Web sites, then use all sorts of techniques to deliver those sites to end users. In most cases, however, a Web/email filtering service like the one offered by Websense analyzes and blocks such sites. At some point such URLs are blocked by every known filtering provider and become useless to cybercriminals. The whole process then starts again from the beginning: the spammer creates a new page, advertises it, and finally it is blocked by a Web/email filtering company! Unfortunately, spammers have come up with a new solution, something we are calling "Recycled" Spam URLs.

"Recycled" Spam URLs could be created from major services, such as caching or translation, provided by major search engines. Recently in Websense Labs we've seen several spam emails with "Recycled" spam links. Some of those emails contain just a link.


Others look like legitimate newsletters. Unfortunately ImageShack removed the picture.


If the user follows the link, they are redirected to a cached version of a site which either contained another redirect, or was compromised and had a malicious iframe or script embedded in its source.


As this example shows, pages can stay cached for about 2 months or even longer.

And finally the landing page: it's just another Pharma spam!

Pharma spam

To make such links even harder for Web/email filtering engines to detect, cybercriminals also obfuscate them with URL (percent) encoding, and in most cases they use rarely seen Google country-code top-level domains, such as those of Anguilla, Gibraltar, American Samoa or the Seychelles.


hxxp://google.com.ai/search?q=cache:www. [removed] %63%65%6E%74%65%72%2D%6D%73%6B%2E%63%6F%6D#online
hxxp://www.google.com.gi/search?q=cache:%6C [removed] %6E%74%65%72%2D%6D%73%6B%2E%63%6F%6D#Zubkepzb2j.html
hxxp://www.google.sc/search?q=cache:%6C%61%77 [removed] %6E%74%65%72%2D%6D%73%6B%2E%63%6F%6D#Stoettxgr4j
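As an added example (not Websense code), here is a small check a mail or Web filter could run to spot the link pattern above: a search-engine cache lookup whose cached target is needlessly percent-encoded, served from an unusual Google country-code domain. It assumes the engine host looks like google.<tld> and the lookup is "q=cache:<url>"; the sample links are constructed, not taken from real spam.

```python
# Added example, not Websense code: flag "recycled" spam links that hide the
# real destination behind a search-engine cache URL. Assumes the engine host
# looks like google.<tld> and the lookup is "q=cache:<url>"; samples are
# constructed (hxxp = defanged http).
import re
from urllib.parse import urlsplit, unquote

SAMPLES = [  # constructed, not real spam
    "hxxp://google.com.ai/search?q=cache:www.%65%78%61%6D%70%6C%65%2E%6E%65%74#online",
    "hxxp://www.google.com/search?q=cache:www.example.org",
    "hxxp://www.example.com/news/today.html",
]
GOOGLE_HOST = re.compile(r"^(?:www\.)?google\.([a-z.]+)$")
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
EXPECTED_TLDS = {"com"}  # placeholder policy: Google TLDs your users normally use

def analyze_cache_link(url):
    """Return None for ordinary links, else a dict describing the cache lookup."""
    u = urlsplit(url.replace("hxxp", "http", 1))
    m = GOOGLE_HOST.match(u.hostname or "")
    if not m:
        return None
    # Read the raw, still percent-encoded q= value so obfuscation stays visible.
    # urlsplit has dropped the "#..." fragment, which the server never sees and
    # which only makes each spam link look unique.
    qm = re.search(r"(?:^|&)q=([^&]*)", u.query)
    if not qm or not qm.group(1).startswith("cache:"):
        return None
    raw_target = qm.group(1)[len("cache:"):]
    # Encoding is needless (and suspicious) when it hides letters, digits, '.' or '-'
    needless = [p for p in PCT.findall(raw_target)
                if unquote(p).isalnum() or unquote(p) in ".-"]
    return {
        "engine_tld": m.group(1),
        "unusual_tld": m.group(1) not in EXPECTED_TLDS,
        "cached_target": unquote(raw_target).split("/")[0],
        "encoded_target": bool(needless),
    }

def scan_links(urls):
    """Return (url, info) for every link that goes through a search-engine cache."""
    hits = []
    for url in urls:
        info = analyze_cache_link(url)
        if info:
            hits.append((url, info))
    return hits
```

The decoded cached_target is what a filter should actually look up in its URL categorization, rather than the Google host it is hidden behind.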


This is very similar to black hat SEO. If a site has a good ranking, cybercriminals replace its content with the version they want cached, ping the crawlers (<searchengine_URL>/ping?sitemap=sitemap_url), and after a while remove the content or block the site. The cached version now holds exactly what they wanted, and they start their campaigns. Because the site no longer exists, search crawlers cannot pick up a newer version, and the cache keeps the last parsed copy of the page "forever". The same technique is used with compromised high-ranking sites: once the site is abused, cybercriminals wait for it to be cached, then remove the malicious content and use the cached copy in campaigns. The only problem the bad guys face is that high-ranking sites are crawled very frequently, so the cached version hosting the bad content has a short lifetime.

Websense customers are protected, as Live Analytics blocks such pages in real time.

Security Researchers: Artem Gololobov, Ivan Sabo
