Word came down from our Threat Research team this morning about a new spam campaign that uses upstart Bing search engine’s own redirection mechanism to bypass spam filters and send undesirable links over email. On top of that, the spammers are also abusing MySpace’s lnk.ms link shrinking system to further obfuscate the destination that the spammed link points to.
When you view an RSS feed in Bing (such as their news feed, for example) all the clickable links in the feed use Bing’s internal redirection mechanism, so before you end up on the news story you want to read, your browser first connects to http://www.bing.com/news/rssclick.aspx?redir= followed by the full URL of the site you intend to visit.
The thing is, anyone can put any URL on the end of that redir= parameter and Bing will redirect to it, no questions asked. For instance, you could come back to the front page of this blog. Of course, there’s nothing in place to prevent a criminal from redirecting users to something worse, like a drive-by download or phishing page. But in this case, recipients who click the link end up bounced through MySpace’s link shrinker, and finally into a site selling a “work at home making money from Google” pyramid scheme.
The spam message shown above eventually led us to a page that looks like a news site, with a story headlined “Is working online at home the next gold rush?” The scam page uses IP address geolocation to insert the US state you’re browsing from into the “masthead” of this “newspaper,” which promises visitors they can “earn up to $978 a day*” by doing, uh, something that has to do with Google. They’re pretty vague about exactly what you’ll be working on from home (or, in their words, “from HOME”).
Apparently, once you get going, the money literally appears out of thin air in front of your laptop’s LCD display. Man, a laptop that vomits cash money like that sure would be sweet. I wish I could qualify for an amazing opportunity like that.
Note the asterisk: The fine print informs users that Google has nothing to do with this scam, and “Your level of success in attaining the results claimed in our materials depends on the time you devote to the program, ideas and techniques mentioned, your finances, knowledge and various skills.”
“Various skills,” such as sending well-obfuscated spam messages to gullible suckers, er, potential affiliates. Yeah, that’s a growth industry.
The big question is, should you trust Bing redirection links you receive in email? Personally, I don’t think anyone should be clicking any links received in email messages, but that kind of advice is hard for some people to swallow. So, for now, I’ll just say that you should remain suspicious of all email that includes a link, especially if it looks like that link is designed to take you somewhere other than the Web address that follows the http:// prefix; and if an email with a link in it doesn’t pass the smell test, trust your instincts and don’t follow it.
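The check described above (does the visible host match where the link actually leads?) can be done statically, before anyone clicks. The example below is added here and is not code from the original post: it unwraps redirect-style query parameters such as Bing’s redir= and reports the visible host, the last host that can be recovered without a network request, and whether the chain ends at a link shortener like lnk.ms. The sample URL and the short code EXAMPLE are constructed placeholders, not a real campaign link.

```python
from urllib.parse import urlparse, parse_qs, unquote

# Query parameter names commonly used by redirectors; "redir" is Bing's (from the post),
# the rest are assumptions added for coverage of other open redirectors.
REDIRECT_PARAMS = ("redir", "redirect", "url", "u", "target", "dest", "goto")
# Shorteners whose final destination cannot be known without fetching them.
KNOWN_SHORTENERS = {"lnk.ms"}

def embedded_redirect(url):
    """Return an absolute http(s) URL carried in a redirect-style query parameter, or None."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for key in REDIRECT_PARAMS:
        for value in query.get(key, []):
            candidate = unquote(value)          # tolerate double-encoded values
            inner = urlparse(candidate)
            if inner.scheme in ("http", "https") and inner.netloc:
                return candidate
    return None

def unwrap_redirects(url, max_hops=5):
    """Statically follow nested redirect parameters; returns the chain of URLs, outermost first."""
    chain = [url]
    while len(chain) <= max_hops:
        nxt = embedded_redirect(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
    return chain

def assess_link(url):
    """Summarise what a recipient sees versus where the link statically resolves."""
    chain = unwrap_redirects(url)
    visible_host = urlparse(chain[0]).netloc.lower()
    final_host = urlparse(chain[-1]).netloc.lower()
    return {
        "visible_host": visible_host,
        "final_host": final_host,
        "hops": len(chain) - 1,
        "ends_at_shortener": final_host in KNOWN_SHORTENERS,
        # Suspicious if the link leaves the visible domain or hides behind a shortener.
        "suspicious": final_host != visible_host or final_host in KNOWN_SHORTENERS,
    }

if __name__ == "__main__":
    # Constructed sample modelled on the campaign: Bing redirector wrapping a lnk.ms short link.
    sample = "http://www.bing.com/news/rssclick.aspx?redir=http%3A%2F%2Flnk.ms%2FEXAMPLE"
    print(assess_link(sample))
```

The static unwrap stops at the shortener because lnk.ms resolves its short codes server-side; a mail filter would have to fetch that hop (or block the shortener outright) to learn the real destination.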
Another great post.
Thank you for the information. It’s good to see such quality posts.
I’m subscribing to your blog.
Keep them coming.
This is not so true. From the view in this page, all of the URL shortening services are more dangerous to end users: they do redirection, and meanwhile you cannot know what the real URL is before clicking.
And sites cannot bypass firewalls or filters this way. A 301 redirection gives browsers the information to request another page, so the destination URL can also be blocked by firewalls and filters.
The only impact here is that some sites can get a higher static rank on search engines, if Google, Yahoo, Bing, and other search engines do not change their algorithm.
@ Hzj_jie: Obviously, link shortening services pose a potentially grave security risk for spam recipients, whether or not there’s a redirection on the other end of the short URL. I’m not arguing with you there. And you make a good point about how filters could block an undesirable domain. But filters are reactive, and can’t respond instantly to sites that pop up then are gone within hours. And I don’t agree that in this case, this was an attempt at search engine optimization; I’m not even sure what you mean by “static rank,” because if the past year has taught me anything, it’s that no site’s search ranking remains the same for very long.
Rogue SEO has been using the domain in the referrer URLs for some time to feed bogus information to search engine spiders or crawlers in an attempt to push malicious links up in search results. The guys doing it are very good at it, and that game of whack-a-mole isn’t going away anytime soon. Search engine rank appears to be dynamic, fluid, and easily manipulated.
OMG! I’ve had many of these types of email spammers before. Thank you for shedding light about this kind of spam.
And I’ve had lots of people post spam comments, like this one, to this blog as a way to improve SEO for one web site or another. Thanks for letting us know exactly where to lower the reputation score.
Thank you for the information. I had my share of this kind of email but didn’t really bother opening them, though they do get past my spam filter.