Dec 10, 2010 18:33 GMT

Security researchers warn that spammers are increasingly abusing free hosting services to install redirectors with the purpose of hiding their real spam sites.

This multi-layered approach gives spammers more flexibility and makes their websites harder to detect, block and shut down.

The technique is combined with a similar abuse of URL shorteners. Many pages with unique and random URLs get created via free hosting services and are then shortened before being sent out in spam emails.

These pages use JavaScript redirect scripts and are hosted on URLs of the form http://fipxmdmzp.[censored].com/?iyzdm=yngqsa, where most of the composing parts are random.
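A defender can triage URLs extracted from mail against the shape described above. The following is an added example, not code from Symantec or from the article: the parent domain `freehost.example` is a constructed placeholder for the censored hosting service, and the consonant-run test is an assumed heuristic that will also flag some legitimate names, so the score is a ranking signal rather than a verdict.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: placeholder free-hosting parent domain (the article censors the real one).
FREE_HOSTS = {"freehost.example"}
VOWELS = set("aeiou")
ALPHA = re.compile(r"[a-z]+")

def longest_consonant_run(token: str) -> int:
    """Length of the longest run of non-vowel letters in token."""
    best = run = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best

def random_looking(token: str, min_len: int = 5) -> bool:
    """Assumed heuristic: lowercase letters only, long enough, consonant run of 4+."""
    return (bool(ALPHA.fullmatch(token)) and len(token) >= min_len
            and longest_consonant_run(token) >= 4)

def redirector_score(url: str) -> int:
    """0 = not on a listed free host; 1..3 = number of matching traits."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    parent = next((d for d in FREE_HOSTS if host.endswith("." + d)), None)
    if parent is None:
        return 0
    score = 1  # trait 1: hosted under a free-hosting domain
    sub = host[: -len(parent) - 1]
    if "." not in sub and random_looking(sub):
        score += 1  # trait 2: single random-looking subdomain label
    params = parse_qsl(parts.query, keep_blank_values=True)
    if (parts.path in ("", "/") and len(params) == 1
            and all(random_looking(p) for p in params[0])):
        score += 1  # trait 3: root path with one random key=value pair
    return score

if __name__ == "__main__":
    # Constructed samples; the first mirrors the URL form quoted in the article.
    for u in ("http://fipxmdmzp.freehost.example/?iyzdm=yngqsa",
              "http://photos.freehost.example/gallery?id=7",
              "http://www.example.org/?iyzdm=yngqsa"):
        print(redirector_score(u), u)
```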

The JavaScript code is obfuscated using some unique techniques unseen in previous attacks. This is meant to hide the spam site URL as best as possible.

“Redirecting users in this way shows that spammers are going to considerable lengths to hide the addresses of their actual spam sites, and actively trying to make more difficult detection by anti-spam companies,” writes Nicholas Johnston, senior software engineer at Symantec Hosted Services.

The method has been observed in recent spam campaigns promoting replica watches and other counterfeit goods sent out by the Cutwail botnet.

The spam output of Cutwail, which is also known as Pushdo, has varied between 5% and 10% of the world’s junk email traffic this year.

This is a relatively low number compared to last year, when the botnet was the world’s biggest spam distributor. That was before it was subjected to a major takedown effort.

Cutwail has proven to be quite resilient. Another initiative managed to seriously cripple it in August this year, but it has since recovered again.

The gang behind Cutwail is known for devising new ways to evade spam detection. Back at the end of November, rogue pharmacy spam emails sent out by the botnet used CSS floating techniques and color declarations to produce meaningful text visible only to humans.