URL shortening services are deservedly popular with Internet users, but unfortunately they are loved by cyber crooks and spammers as well.
While regular users appreciate having their links shortened so that they can include them in tweets, the malicious ones mostly use them to conceal the fact that the offered links look suspicious to both users and spam filters.
Over time, legitimate URL shortening services such as bit.ly and others have managed to find a way to detect malicious links fast and revoke them immediately after spotting them, so online scammers had to change tack.
According to the latest monthly threat report by Symantec, the company’s researchers have begun spotting URL shortening services dedicated to shortening malicious links way back in May, but this last month they discovered a spam gang that is operating over 80 such services.
Interestingly enough, the sites hosting these services are not hidden – anyone can land on those pages and take advantage of the services.
“Spammers are using a free, open source URL shortening scripts to operate these sites,” explains Symantec’s Nick Johnston, and adds that all of the services operated by this gang use a similar naming pattern and the .info top-level domain which, in theory, should make the job of blocking them relatively easy.
This particular gang often includes those links into emails purporting to come from acquaintances of potential victims, using lines such as “It’s a long time since I saw you last!” in order to get them to follow the link which practically always takes them to a pharmaceutical spam site.
“The domains used for the URL shortening sites all have the same contact information, with all contacts based in Moscow,” says Johnston, but adds that the domains are all hosted by a UK subsidiary of a large hosting company, which has been notified of the fact.
To download Symantec’s Intelligence Report for October, go here.