By Andrew Brandt
Spammers hawking “fun videos” have been worming their way into Google Groups, the global message board Google built on the skeleton of the old Usenet network. Only, the pages the spammers point victims to, which don’t actually contain videos, come with a nasty surprise: Rogue antivirus apps.
The attacks began late last year, but have been increasing in frequency through the holidays, and haven’t abated in the new year. The users sending out the spam messages all use free Gmail accounts (one even named his spam account Santa Claus), and have been requesting access to both open-membership and closed-membership Groups, the latter of which require an administrator’s approval. Once added to a group’s member list, the spam accounts post brief messages (an example shown at left) with a link.
The URLs originate from a number of link-shortening services, but they all work the same way: Each shortened link points to a different, unique subdomain of the Utah-based free Web hosting service 150m.com. Those pages contain a single line of code which redirects the browser to one of several servers with Chinese domain names. Those servers, in turn, redirect the browser to the website hosting the rogue antivirus installer. The shortlinks and Chinese websites only remain viable for a day or two, at most.