For some time now we have noticed spam campaigns using livefilestore.com URLs. Here is a recent example:
The livefilestore.com domain is owned by Microsoft and is associated with their SkyDrive (previously known as Windows Live Folders) online file storage service. Users can upload files to SkyDrive and access them from anywhere with a web browser. Uploaded files can also be made public - open to anyone.
The URL links in the spam point to small Html files hosted on the livefilestore.com servers. The Html files contain two layers of obfuscated Javascript. Here is the first, which simply utilizes the javascript unescape function:
Once this snippet is unescaped, the following Javascript is revealed, which contains a simple function that redirects the browser, via a location.replace, to another domain:
In this case the obfuscated domain is http://pointgoodfun.com, which is an online gaming site.
In addition to gaming, we have noticed other spam campaigns using livefilestore.com that redirect to online pharmacy sites. One of the botnets active in these campaigns is Pushdo.
The use of the livefilestore servers to host files is yet another case of spammers using online free web services to carry our their business. The advantages for spammers are numerous:
- Free file hosting
- Automatically created unique URLs
- URLs unlikely to be easily blacklisted (although we note URIBL has listed various livefilestore.com domains recently).
The challenge for the web service providers is to crack down on this sort of abuse, although that is easier said than done.
