If the gigantic distributed denial of service (DDoS) attacks against the spam blacklisting operation Spamhaus weren’t proof enough: spammers have trouble steering around blacklists and other reputation-based filters. Even if the language in their message is generic enough to avoid detection, dropping a link to a known malicious or compromised domain is plenty to get an entire message dropped.
Spammers without a legion of 100,000 bots at their fingertips have to get creative about getting their message into the target’s inbox. Lately, a method that’s drawing attention is to leverage low-security redirection services to whitewash a link to a ‘known-malicious’ or merely suspicious site.
Barracuda Networks said that it has captured spam attacks that combine a Yahoo-based URL shortening service with Google’s free Translate service to whitewash links in spam e-mail messages and evade automated detection.
The message, which was sent to a Barracuda “honeypot” system, includes a URL-encoded representation of a link shortened using y.ahoo.it – Yahoo’s link shortening service. Clicking that link sends the victim to Google Translate, which fetches the shortened URL and follows it to a hacked WordPress-backed website in France, Barracuda said. Visitors to that site are then redirected to what Barracuda describes as a rogue pharmacy web site.
This isn’t the first time Google’s Translate has been harnessed by online bad guys. Security and malware experts started sounding alarms about Translate being used as a redirector to malware sites more than a year ago.
The use of online translators as redirectors isn’t specific to Google. In each case, the spammer takes advantage of the good reputation of the website to evade spam filters, while also exploiting the relatively lax security of small web sites to install scripts to do redirection to malware sites or push malware directly to victims’ machines, Barracuda said.
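As an added example (not code from Barracuda or from this article), here is one way a mail filter could unwrap a link shaped like the one described above, where a well-reputed translation host carries a URL-encoded shortener link, and judge the nested hosts instead of the outer one. The sample link and its query layout, the `SHORTENERS` and `BLOCKLIST` sets and the function names are assumptions constructed for illustration; the code scans every query parameter, so it also covers other translators used the same way.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed, illustrative lists; a real filter would use its own reputation feeds.
SHORTENERS = {"y.ahoo.it"}
BLOCKLIST = {"rogue-pharmacy.example"}

def embedded_urls(url, depth=0, max_depth=5):
    """Yield every URL carried inside the query string of `url`, recursively."""
    if depth >= max_depth:
        return
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # parse_qsl has already decoded one layer; peel any further encoding.
        for _ in range(3):
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            yield value
            yield from embedded_urls(value, depth + 1, max_depth)

def assess(link):
    """Return (hosts, reasons) for the link and everything nested in it."""
    chain = [link, *embedded_urls(link)]
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    reasons = []
    for host in hosts[1:]:  # hosts[0] is the well-reputed wrapper itself
        if host in SHORTENERS:
            reasons.append(f"shortener {host} hidden behind {hosts[0]}")
        if host in BLOCKLIST:
            reasons.append(f"blocklisted {host} hidden behind {hosts[0]}")
    return hosts, reasons

# Constructed sample shaped like the message described above.
SAMPLE = ("http://translate.google.com/translate?sl=auto&tl=en"
          "&u=http%3A%2F%2Fy.ahoo.it%2FEXAMPLE")

if __name__ == "__main__":
    hosts, reasons = assess(SAMPLE)
    print(hosts)
    print(reasons or "no nested URL found")
```

Unwrapping only exposes what is visible in the link text. The destination behind the shortener still has to be resolved separately before it can be checked against a reputation list.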