14 DAY TRIAL // Spammers have began setting up their own URL shortening services in order to hide spam links and make them more resilient to takedowns.
The practice of using short URLs in spam is not new and has registered ups and downs over the past couple of years.
There was a spike of short URL spam during the last months of 2010, followed by a slow decline and now, according to security researchers from Symantec, a renewed growth.
"MessageLabs Intelligence uncovered evidence of spammers establishing their own fake URL-shortening services for the first time," the company announces in its May 2011 Intelligence Report. [pdf]
"Shortened links created on these fake URL-shortening sites are not included directly in spam messages; instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites," it explains.
This gives attackers a lot of flexibility and allows them to keep their campaigns alive for longer periods of time.
According to the MessageLabs experts, the domains used to set up these private URL shortening services were registered several months ago, giving them enough history to avoid basic scrutiny; spammers normally use newly registered domains.
Most of them bear the .ru country code extension and were registered with Russian or Ukrainian companies, making them more resilient to takedown requests.
There is no public interface for regular users to create short URLs and all of the links created on such domains usually point to the same spam page. Of course, if the need arises, like in the case of a site takedown, spammers can quickly change their destination.
The domains are kept out of search results and are not used for any other purpose except creating short URLs. This is done to avoid drawing attention. to them.
"With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption," the Symantec researchers conclude.