Shortened URLs, produced by services on many sites that turn lengthy Web addresses into shorter ones, are rapidly becoming a popular way for spammers to reach unsuspecting readers. New analysis from Symantec's MessageLabs finds shortened URLs now account for 2 percent of all spam in inboxes.
The presence of shortened URLs in spam has skyrocketed just in the last few weeks, according to Matt Sergeant, senior anti-spam technologist at MessageLabs.
"We've been monitoring the use of short URLs in regular email spam for the past few months and noticed that it had been used in small spam campaigns. However, in the middle of last week, we saw it increase exponentially," said Sergeant. "It went from practically nothing to 2.23 percent of total spam today (July 8th)."
The technique has picked up speed because the emails are being sent by the Donbot botnet, said Sergeant. The spike indicates that the botnet owner or operator has found a way to automate the creation of short URL links, within the botnet code or the templates that they send out, he said.
"We track this botnet fairly closely and have a fair idea of its size. It's not one of the biggest botnets out there but it sends a high volume of malicious content and is responsible for about 5 million spam emails."
Dozens of Web sites offer URL-shortening services and spammers have realized that using these services eliminates the need to solve a CAPTCHA or register an account, according to MessageLabs.
"Previously, when spammers used other types of services to obfuscate the location of and redirect links, they had to create accounts which require solving a CAPTCHA," said Sergeant. "URL-shortening services don't require registration to create a short link, and so spammers can easily automate that process. The danger of these short URLs is that you don't know where they will take you. They send an email that's hard to stop with URL blocking services because they can't outright blacklist short URLs in general. The short URL obscures the real domain name. Spammers have been doing this for a while by trying to find redirection services, and this is the next level of that."
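Because the shortener's domain cannot simply be blacklisted, a filter has to judge the landing domain instead. The following is an added example, not MessageLabs code: it expands each short link hop by hop and checks the final host against a blocklist. All hostnames, the redirect table and the function names are constructed assumptions; a live filter would replace the table lookup with an HTTP request that has redirect-following disabled and reads the Location header.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data: shortener hosts, a domain blocklist, and a table that
# stands in for the Location header each short link would return.
SHORTENERS = {"short.example", "tiny.example"}
BLOCKLIST = {"pills.example"}
REDIRECTS = {
    "http://short.example/a1": "http://tiny.example/zz",    # chained shorteners
    "http://tiny.example/zz": "http://pills.example/buy",
    "http://short.example/b2": "http://news.example/story",
    "http://short.example/loop": "http://short.example/loop",  # redirect loop
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host(url):
    return (urlsplit(url).hostname or "").lower()

def expand(url, lookup=REDIRECTS.get, max_hops=5):
    """Follow redirects one hop at a time; return (final_url, resolved)."""
    seen = set()
    for _ in range(max_hops):
        if host(url) not in SHORTENERS:
            return url, True              # reached a non-shortener landing page
        if url in seen:
            break                         # loop detected
        seen.add(url)
        nxt = lookup(url)
        if nxt is None:
            return url, False             # dead or unknown short link
        url = nxt
    return url, host(url) not in SHORTENERS

def classify(body):
    """Return {url: verdict} for every link found in a message body."""
    verdicts = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,)")           # drop trailing sentence punctuation
        final, resolved = expand(url)
        h = host(final)
        if not resolved:
            verdicts[url] = "unresolved"  # suspicious: never treat as clean
        elif any(h == d or h.endswith("." + d) for d in BLOCKLIST):
            verdicts[url] = "blocked:" + h
        else:
            verdicts[url] = "allowed:" + h
    return verdicts

SAMPLE = ("Just thought you might want to see this http://short.example/a1\n"
          "and this http://short.example/b2, or http://short.example/loop")
```
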
While the tactic is new, the spam content, said Sergeant, continues to be the typical weight loss and male-enhancement advertisements that include links to a Web site where these kinds of products are sold.
"While we're not seeing it yet, it's entirely possible that those sites could have some sort of drive-by attacks with malicious content and executables," said Sergeant.
Some common shortened-URL spam headlines observed by MessageLabs include:
- Read This Article. Suggested By User.
- User has sent you article: Is Working Online At Home The Next Gold Rush?
- We should try something like this
- Just thought you might want to see this
- I just started doing this :) wanted to share it with you.
"Make sure it's an email you expected from someone you know," said Sergeant. "You'll often see emails from people you know, but there's a strong potential that it's coming from a botnet as well. Look at the content or clues, and if you can, verify that this person actually did mean to send you something. Generally the bad ones will have bad wording and you can tell if it's coming from a machine. Try to verify by another means, using instant messenger or phone."