With the popularity of microblogging and social networking sites such as Twitter and Facebook, more and more people have been using URL shortening services such as bit.ly and TinyURL. URL shorteners are URL redirection services that generate a short version of a long URL.
Because these services mask the original URL, spammers are extensively abusing them to hide the advertised links in the message body. Over the past couple of weeks, at least three of the high-profile spam botnets, including Donbot, Rustock and Pushdo, have been observed spamming links to pharmaceutical and gambling sites using shortened versions of the URLs.
Donbot spam campaigns have used these URL shortening services:
- aafter.us
- bit.ly
- hurl.ws
- is.gd
- jh.to
- jtty.com
- myurl.in
- o.ly
- phaze.me
- snurl.com
- sturly.com
- tcbp.net
- tlink.me
- urlink.us
- urltwitter.com
- yep.it
The shortened URL points to BingoPalms.com, an online gambling website.
Rustock and Pushdo, however, have been experimenting with low-profile URL shortening services like urlhd.com, bagofmilk.com, urlredo.com, kurl.nu and xsm.us. These shortened URLs redirect to a Canadian Pharmacy site selling sex enhancement pills.
With the exception of Donbot (whose spam has mysteriously dried up this week), the volume of spam using short URLs has been small, suggesting the spammers are just experimenting at this stage.
Sample spam campaign from Rustock (left) and Pushdo (right)
The interesting thing about the URL shortening websites used by Rustock and Pushdo is that they seem to be based off the same template. The webpage layout, the font and the PHP script used in generating the short URLs are all similar. It seems to us that the spammers have set these “services” up especially to use in their own spam campaigns.



Whatever the situation is, be wary of potential short URLs. They usually follow a similar format, i.e. a short domain followed by a short random-looking string, like the following, which happens to point to the TRACElabs home page:
http://bit.ly/r8WGP
If you are unsure, you can try to preview link destinations on services like LongURL.org or Untiny.me to make sure you are pointed in the right direction.
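The format described above can be turned into a simple mail-filter check. The following is an added example, not code from the original post: it flags URLs whose host is one of the shorteners named in this article, and separately flags unknown hosts that match the "short domain plus short random-looking string" pattern. The length thresholds, the `looks_random` test and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Shortener domains named in this article (Donbot, Rustock and Pushdo runs).
KNOWN_SHORTENERS = {
    "aafter.us", "bit.ly", "hurl.ws", "is.gd", "jh.to", "jtty.com", "myurl.in",
    "o.ly", "phaze.me", "snurl.com", "sturly.com", "tcbp.net", "tlink.me",
    "urlink.us", "urltwitter.com", "yep.it",
    "urlhd.com", "bagofmilk.com", "urlredo.com", "kurl.nu", "xsm.us",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# Assumed thresholds for "short domain" and "short random-looking string".
MAX_HOST_LEN = 12
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{3,8}$")


def looks_random(token):
    """Assumed proxy for 'random-looking': contains a digit or mixes case."""
    mixed_case = token != token.lower() and token != token.upper()
    return any(c.isdigit() for c in token) or mixed_case


def classify(url):
    """Return 'known', 'suspect' or None for a single URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    if host in KNOWN_SHORTENERS:
        return "known"
    segments = [s for s in parts.path.split("/") if s]
    # Heuristic: short host, one short alphanumeric path token, no query string.
    if (len(host) <= MAX_HOST_LEN and len(segments) == 1 and not parts.query
            and TOKEN_RE.match(segments[0]) and looks_random(segments[0])):
        return "suspect"
    return None


def find_short_urls(body):
    """Extract URLs from a message body; return [(url, verdict), ...]."""
    hits = []
    for match in URL_RE.finditer(body):
        url = match.group(0).rstrip(".,;:!?)")  # drop trailing punctuation
        verdict = classify(url)
        if verdict:
            hits.append((url, verdict))
    return hits

# Constructed sample message body, not taken from a real spam run.
SAMPLE = ("Best prices this week: http://kurl.nu/x9Qa2.\n"
          "Mirror: http://example.net/Zk3f1, site: http://www.example.com/a/b.html")
```

A "suspect" verdict only means the URL has the shape of a shortened link, so it is a reason to preview the destination, not proof of spam.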