Crooks use t.co links to land users on pharmacy websites

Aug 6, 2014 23:05 GMT

The t.co short URL service from Twitter is used more than any other by spammers to deliver links to pharmacy websites that distribute counterfeit products, according to a spam fighting firm.

Andrew Conway from San Francisco-based Cloudmark, a company that offers protection against email threats, reports that at the moment, more than half (54%) of the short links blacklisted by them use Twitter’s service.

He said that the spam using t.co short links comes in outbreaks that last between four and six weeks, one reason for this probably being the time required by Twitter to identify the attack and adjust its abuse filters to prevent users from reaching malicious pages.

According to Conway, the analysis of a sample of 1,200 t.co links collected in one week (July 22 - July 29) from emails reported as potential spam to Cloudmark’s systems revealed that only 59 of them (about 5%) were labeled as malicious by Twitter and access to the web pages they pointed to was blocked.

Another 81 links (7%) were legitimate and pointed to risk-free locations. Most of the sample, however, 1,060 links accounting for 88%, were still functional and led to websites that Cloudmark had already marked as spam; almost all of those are Russian domains.

Despite identifying two different brands being promoted through the spam messages, Conway noticed similarities in the advertising techniques and reached the conclusion that the same actor was behind the entire operation.

In the analyzed sample, more than 400 URLs redirected to “rxdrugstore[.]ru,” and the reason why this did not set off Twitter’s alarm bells is that the crooks used an intermediate layer of redirection.

“The t.co link redirects to a URL on a compromised domain, and that in turn uses a REFRESH meta tag to redirect to the spam landing page. This dual layer of redirection seems to be fooling Twitter. Compromised domains generally have good reputation and legitimate content on other links, so they are less likely to be blocked outright, but the spammer can use multiple malicious URLs on each one to redirect to his ultimate landing page,” says Conway in a blog post.
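The redirect chain Conway describes (t.co link, then a page on a compromised domain whose REFRESH meta tag forwards the visitor to the real landing page) is exactly what a reputation filter that only inspects the first hop will miss. The following added example, which is not Cloudmark's or Twitter's code, shows how a defender can resolve such a chain end to end and classify the link by its final host rather than by its first hop. The fetch function, the domain names and the HTML are constructed fixtures for this illustration; a real deployment would replace `fixture_fetch` with an HTTP client that does not follow redirects automatically.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed fixture (hypothetical URLs): what a client sees at each hop of the
# two-layer redirect. Keys are request URLs; values are (status, headers, body).
FIXTURE = {
    "https://t.co/abc123": (
        301, {"Location": "http://compromised-blog.example/wp-content/x.html"}, ""),
    "http://compromised-blog.example/wp-content/x.html": (
        200, {},
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=http://pharmacy-landing.example.invalid/"></head></html>'),
    "http://pharmacy-landing.example.invalid/": (
        200, {}, "<html><body>landing</body></html>"),
}

# Constructed blocklist: hosts already known to serve spam landing pages.
BLOCKLIST = {"pharmacy-landing.example.invalid"}


def fixture_fetch(url):
    """Stand-in for an HTTP GET that does NOT auto-follow redirects."""
    return FIXTURE.get(url, (404, {}, ""))


class MetaRefreshParser(HTMLParser):
    """Extracts the target of the first <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://..." or "5;URL='/path'"
        m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1).strip()


def meta_refresh_target(html):
    p = MetaRefreshParser()
    p.feed(html)
    return p.target


def resolve_chain(url, fetch=fixture_fetch, max_hops=10):
    """Follow HTTP Location redirects and meta-refresh redirects, returning
    the list of URLs visited (first element is the starting URL)."""
    chain = [url]
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = None
        if 300 <= status < 400 and "Location" in headers:
            nxt = headers["Location"]
        elif status == 200:
            nxt = meta_refresh_target(body)
        if not nxt:
            break
        url = urljoin(url, nxt)  # meta refresh targets may be relative
        if url in chain:         # redirect loop; stop rather than spin
            break
        chain.append(url)
    return chain


def classify(url, fetch=fixture_fetch, blocklist=BLOCKLIST):
    """Judge a short link by where it finally lands, not by its first hop."""
    chain = resolve_chain(url, fetch)
    final_host = urlsplit(chain[-1]).hostname
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "final_host": final_host,
        "blocked": final_host in blocklist,
    }


if __name__ == "__main__":
    print(classify("https://t.co/abc123"))
```

The key design choice is to keep following after a 200 response: an HTTP client that stops at the first non-redirect status sees only the compromised domain, which (as Conway notes) usually has a clean reputation. Capping the hop count and detecting loops keeps the resolver from being stalled by a malicious chain.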

As for evidence of a single operator being behind the campaign, the researcher found enough to reach this conclusion. He noticed the use of a distinctive pattern for the malicious URL, and in some cases, the same website redirected to multiple locations selling counterfeit pharmacy products.

All this makes the campaign harder to detect, and harder to disrupt by blacklisting the t.co links that take users to the sites selling fake products.

[Image gallery: Two of the most prevalent spam pages, the two websites t.co links redirect most often to: the Pharmacy Express spam page and the Online Pharmacy spam page.]