Spammers are known to promote a variety of products or services using URLs. Spam URLs can be distributed via a number of channels such as emails, texts, and social media. The latter is an especially attractive channel for spammers and fraudsters alike, due to the ease with which any user-generated information can be disseminated. Content shared on social platforms can also appear more “trustworthy” since it is coming from people in our social network, potentially increasing the odds that a user will click on an unknown link.
A successful spam campaign is one that obtains maximum return-on-investment (ROI) for the spammer. This means that a spam campaign must reach as many end users as possible, i.e., it must be scalable, and it must be robust in the face of blacklisting efforts. This blog post describes some of the recent techniques employed by spammers to distribute malicious URLs on social media platforms, as observed by DataVisor.
Stealthy Spamming at Scale
Spammers adopt a number of techniques to mitigate the risks of being blacklisted by the social platform. Instead of acting out in bursts, they can perform intermittent, low-volume promotions such that their activities are spread out over time to avoid drawing attention. They can rent out botnets of compromised hosts to use as proxies when distributing spam, rendering IP blacklisting or reputation-based solutions ineffective. Sometimes spammers also promote or post legitimate content intermixed with malicious URLs, allowing their activities to appear similar to that of normal users.
In some cases, compromised user accounts are used to distribute spam, making detection even more challenging. Spammers can purchase leaked credentials from underground markets or compromise accounts themselves if they have the resources. Often, the account owner is unaware that spam URLs are being promoted from their account.
Evading Blacklisting with Open Redirection
A successful spam campaign requires more than just reaching a wide audience without being detected. A spammer must also make sure the promoted URLs are not blocked by service providers, which can easily happen if static URLs are used. To avoid blacklisting, spammers obfuscate their URLs using many creative approaches so that no two are identical.
A common obfuscation technique is to use a URL shortening service, such as Bitly, Google URL shortener, Is Good, and TinyURL. These services generate a “short” version of a long URL for the purposes of link sharing. The “short” link still redirects to the original page, but typically contains a hash (or some other unique identifier) of the original URL that masks the original string. Spammers take advantage of this feature to hide the true landing page of a malicious URL and to piggyback on the reputation of URL shortening services (they are so popular that social media platforms rarely block them). By distributing URLs in their shortened form, and leveraging URL shortening services for redirection, the spam can appear much more innocuous.
More generally, spammers and fraudsters have been known to exploit websites or services that automatically redirect users to a different URL, e.g., based on query parameters specified in the web request. This is known as the open redirect vulnerability [1,2]. In addition to URL shorteners, this vulnerability has also been exploited in search engine results, including those from Baidu [3,4] and Google Maps [5].
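To make the open redirect pattern concrete from the defender's side, here is an added example (not code from this post or from DataVisor) showing a redirect handler written the vulnerable way next to a hardened version. The site host `example.test` and the `next` parameter name are assumptions chosen for the example.

```python
from urllib.parse import urlsplit, urljoin, parse_qs

# Constructed example: a site at https://example.test whose login page takes
# a "next" query parameter saying where to send the user afterwards.
SITE_HOST = "example.test"


def vulnerable_redirect_target(request_url: str) -> str:
    """The open-redirect pattern (CWE-601): whatever 'next' says, we follow."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("next", ["/"])[0]


def safe_redirect_target(request_url: str, default: str = "/") -> str:
    """Only redirect to a path on our own host; anything else falls back."""
    qs = parse_qs(urlsplit(request_url).query)
    candidate = qs.get("next", [default])[0].strip()
    # Browsers normalise backslashes to '/', so "/\evil.com" turns into the
    # scheme-relative "//evil.com"; reject them rather than trying to be clever.
    if "\\" in candidate:
        return default
    parts = urlsplit(candidate)
    # A scheme (http:, javascript:, ...) or a netloc (//evil.com) means the
    # target is not a plain path on our site.
    if parts.scheme or parts.netloc:
        return default
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    # Resolve against our own origin and confirm nothing escaped it.
    resolved = urlsplit(urljoin(f"https://{SITE_HOST}/", candidate))
    if resolved.netloc != SITE_HOST:
        return default
    return resolved.path + (f"?{resolved.query}" if resolved.query else "")
```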
Here is an example spam URL that leverages multiple open redirection vulnerabilities. The spammers post a shortened bit.ly URL that contains multiple levels of redirection, going through Google search results to mask the destination, http://www.evil.com:
In the Google URL, “sa” and “usg” are query parameters that are associated with the “url” parameter. Only when the values of both “sa” and “usg” are correctly tied to the given “url” will Google redirect automatically, i.e., without a warning message. There is no public documentation for Google search query parameters, but it appears that “usg” is a hash value computed for certain validated pages that do not need a redirect warning message. By reverse engineering the “usg” hash value for their malicious site, the spammers are able to force Google to perform the redirection automatically. This particular vulnerability was reported as early as 2011 [6].
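From a detection standpoint, what matters about a chain like the one above is the landing host at its end, not the shortener or the search engine in the middle. The following added example (not code from this post or from DataVisor) unwinds such a chain offline: it follows redirect hops and, for a known redirector host, statically extracts the destination from the “url” query parameter so the chain can be resolved without trusting or needing the “usg” check. The bit.ly path, the hash value, the campaign paths and the blocklist are all constructed; the table of Location headers stands in for the responses a HEAD request would return.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the Location headers HEAD requests would return.
# A real resolver would issue the requests (with a timeout and a bounded
# hop count) instead of consulting this table.
FAKE_LOCATION_HEADERS = {
    "http://bit.ly/CONSTRUCTED1":
        "https://www.google.com/url?sa=t&url=http%3A%2F%2Fwww.evil.com%2Fpromo"
        "&usg=CONSTRUCTEDHASH",
    "http://www.evil.com/promo": "http://www.evil.com/campaign-a",
    # A two-node loop, so the resolver's loop guard is exercised too.
    "http://loop.test/a": "http://loop.test/b",
    "http://loop.test/b": "http://loop.test/a",
}

# Hosts that redirect to the value of a query parameter. Only the "url"
# parameter discussed in the post is listed; extend as an assumption.
REDIRECTOR_PARAMS = {"www.google.com": ("url",)}


def embedded_target(url):
    """Pull the destination out of a redirector-style URL without a request."""
    parts = urlsplit(url)
    for name in REDIRECTOR_PARAMS.get(parts.netloc.lower(), ()):
        values = parse_qs(parts.query).get(name)   # parse_qs percent-decodes
        if values and urlsplit(values[0]).scheme in ("http", "https"):
            return values[0]
    return None


def resolve_chain(url, fetch_location=FAKE_LOCATION_HEADERS.get, max_hops=10):
    """Follow static and network redirects; return every hop, landing page last."""
    chain, seen = [url], {url}
    while len(chain) - 1 < max_hops:
        nxt = embedded_target(chain[-1]) or fetch_location(chain[-1])
        if nxt is None or nxt in seen:    # landing page reached, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def landing_host(url):
    return urlsplit(resolve_chain(url)[-1]).netloc.lower()


KNOWN_BAD_HOSTS = {"www.evil.com"}   # constructed blocklist for the example


def is_spam_link(url):
    """Blocklist match on the final landing host rather than the posted URL."""
    return landing_host(url) in KNOWN_BAD_HOSTS
```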
Spam Infrastructure Reuse
Spammers typically host their spam infrastructure on “bulletproof” hosts rented out from cloud services or other underground service providers. Given the cost of spam infrastructure, spammers are incentivized to reuse the landing site (e.g., www.evil.com in our example) for subsequent spam campaigns.
The landing site can be set up to redirect incoming requests based on the query parameters, the timing of the request, or other configurable attributes. This way, the spammers can serve multiple campaigns simultaneously and easily switch between different target websites.
These are just examples of how spammers are constantly coming up with new ways to evade existing anti-fraud solutions. Online services that allow user-generated content should analyze user behavior from multiple dimensions and seek solutions that do not rely on known patterns of malicious activity. Head over here if you are interested in learning more about how DataVisor can help.
[1] “Unvalidated Redirects and Forwards Cheat Sheet,” The Open Web Application Security Project. https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
[2] “CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’),” Common Weakness Enumeration. https://cwe.mitre.org/data/definitions/601.html
[3] “Open Bug Bounty ID: OBB-84142.” https://www.openbugbounty.org/reports/84142/
[4] “Open Bug Bounty ID: OBB-161866.” https://www.openbugbounty.org/reports/161866/
[5] “Open Bug Bounty ID: OBB-292851.” https://www.openbugbounty.org/reports/292851/
[6] “Google: Malware URL Redirection (Google Arbitrary URL Redirect Vulnerability),” YGN Ethical Hacker Group Blog, August 28, 2011. http://bl0g.yehg.net/2011/08/google-malware-url-redirection-google.html