March 19, 2006
Spammers hitch a free ride on car site
I recently received a spam on my America Online account advertising "Super H0T Se11ing Quality Meds." To my surprise, the hyperlink in the message appeared to lead to Autotrader.com.
AutoTrader.com is an Atlanta, Georgia-based company that calls itself "the internet's leading auto classifieds marketplace." Its investors include the venture capital firm Kleiner Perkins Caufield & Byers.
Was the used car site branching out into Viagra and Xanax? Nah. A closer look revealed that some clever spammer had just figured out a way to bypass AOL's URL blocklist.
When you're a spammer for a well-known drug site, it can be pretty hard to get your messages past such blocklists, which contain the addresses of known "spammy" websites. An email containing a link to any of the listed URLs can get shunted off to the spam folder. But not if the URL is cleverly camouflaged.
The URL in the meds spam looked something like this (I've added line wraps):
Following the "TargetID" was a series of characters containing the URL of the spammed web site, but scrambled using Base-64 encoding. As a result, the spammy part of the address was "invisible" to AOL's filters (and to most users). Yet each time someone clicked on the link, the Autotrader.com site would automatically re-direct the surfer to the web address encoded in the URL -- in this case, a drug store called Comfort RX.
There's a legitimate use for the re-direct feature at the Autotrader.com home page. The site sports a bunch of banner ads, which, if clicked, send you to the advertisers' sites (while a ca-ching sounds in AutoTrader.com's accounts receivable department).
There's at least one other re-direct at the site, but I haven't seen any evidence of spammers abusing it. Unless admins have gotten around to fixing it, clicking the link below should demonstrate how that URL will flip you to FBI.gov:
This isn't the first time spammers have exploited such open re-directs at mainstream sites. Last year, pill spammers worked a similar vulnerability at ZDNet.com.
I imagine some spammers have a script that scours the Internet looking for sites with open re-directors. Others probably just use Google. Either way, re-directs are just another item in the devious spam king's bag of tricks.
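As an added example that is not from the post or from AutoTrader.com, here is a Python sketch of both sides of this trick: a filter-side check that decodes Base-64 query values to expose a destination host hidden inside an otherwise clean-looking link, and the allowlist check a site operator would put in front of a TargetID-style re-direct. The hostnames, the blocklist and the sample link are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed blocklist of "spammy" hostnames (placeholders, not real sites).
BLOCKLIST = {"pharmacy.example", "cheap-meds.example"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def decode_candidates(value):
    """Yield the raw query value plus any Base64 decoding of it that is text.
    Padding is restored and '+' (turned into a space by form decoding) put back."""
    yield value
    fixed = value.replace(" ", "+")
    padded = fixed + "=" * (-len(fixed) % 4)
    for decoder in (lambda s: base64.b64decode(s, validate=True),
                    base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue

def hidden_hosts(url):
    """Hostnames referenced, plainly or Base64-encoded, in the query string."""
    hosts = set()
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for text in decode_candidates(value):
            hosts.update(h.lower() for h in HOST_RE.findall(text))
    return hosts

def is_blocklisted_redirect(url, blocklist=BLOCKLIST):
    """Filter-side check: visible host is clean, but a query value smuggles a blocklisted one."""
    return bool(hidden_hosts(url) & blocklist)

def safe_redirect_target(encoded_target, allowed_hosts):
    """Operator-side fix: honour a Base64 TargetID only if its host is allowlisted, else None."""
    padded = encoded_target + "=" * (-len(encoded_target) % 4)
    try:
        target = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or parts.hostname not in allowed_hosts:
        return None
    return target

# Constructed sample in the shape the post describes: a clean-looking host with
# the real destination Base64-encoded in the "TargetID" parameter.
SPAM_TARGET = "http://pharmacy.example/order?promo=h0t"
SPAM_LINK = "http://cars.example/redirect?TargetID=" + base64.b64encode(SPAM_TARGET.encode()).decode()
```

Run `is_blocklisted_redirect(SPAM_LINK)` to see the hidden pharmacy host flagged even though the link's own host is never on any blocklist.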
Posted by brian at March 19, 2006 10:02 PM
Yep, I've seen so many redirects it made my head spin. One spammer in particular managed to make redirects that made his target website look like it was part of the redirecting website. Sneaky...
And like you, I believe they scan for "vulnerabilities". That's the only explanation I can find for all those redirects I found. Either that, or they use Google to scan for specific software that they know has scripts vulnerable to this?
Posted by: Spamhuntress at March 25, 2006 4:22 PM
I just checked my logs on one site, and saw redirect URLs referrer-spammed.
That might be how they get them into the search engines.
Posted by: Spamhuntress at March 26, 2006 2:46 PM