Spammers Create Their Own URL Shortening Services

According to this report from Symantec’s MessageLabs, spammers have escalated their sophistication with URL misdirection. It works like this:

First, spammers set up a new domain that they intend to use for their evil purposes, but let it lie dormant for a few months. This is to avoid the detection of services that look for recently created domains.

Next, the spammers create their malware on one of these domains, and then use another domain to create a shortened link to their original malware URL. Finally, this link is further redirected by using a legitimate URL shortening service, so when an unsuspecting mark receives an email with this legit shortened URL, they click on it and don’t realize that they are being taken to a malware site.

Symantec has found a series of interconnected sites, all using Russian .ru domain names, and hosted in Russia and Ukraine. Some of the chains stretch across ten different sites. “These sites don’t have public interfaces, are not found in search results and do not appear on any micro-blogging services. Therefore, they are unlikely to be private URL-shortening services created by some organizations (who prefer to use their own, rather than rely on external sites),” states the report.

As you can imagine, this means that URL shorteners who want to stay ahead of this game have more work to cleanse their systems.

Hilary Mason, a scientist at, says:

“Spam is indeed pernicious. Bitly is aware of the potential abuses of short URLs and we’re proactive in protecting our users from malicious content. We have a three-pronged approach for dealing with malicious content. First, we use publicly available blacklists like Google SafeBrowse and OpenDNS’s PhishTank. Second, we work closely with our partners to stop abuse as soon as it’s detected. Finally, we developed a proprietary classification infrastructure that learns what malicious content looks like and detects such content within seconds of it entering our system. Our classifiers will follow the intermediary redirectors and identify any link that eventually resolves to malicious content. As the spammer develop new techniques we adjust our systems to compensate. This insures that you are safer clicking on a bitly link than on any random link.”

Facebook Comments