Fake URL shortening services - an innovation of the Runet
These sites are similar to regular URL shortening services, but there are some oddities in their behavior. In particular, they are almost impossible to find through search engines - the only thing they would have noticed is spamming. And we have every reason to believe that these sites were created by the spammers themselves.
Our analysts have identified several such sites at once, and all of them are affiliated with the same spam resources and operate on the same principle. All of them use domain names in the .ru zone, and many use hosting in Russia and Ukraine.
The scheme of their work is as follows: shortened links created with the help of fake websites are “shortened” once again on other legitimate URL shortening services. And after that they are sent to spam recipients. The ability to use an ID that looks like a real one to redirect multiple links to the same site eliminates the need to generate real IDs with a low reuse rate. In addition, such a scheme can help to go unnoticed for many spam filters.
')
Using the aforementioned method, spammers sometimes create long chains in which one shortened URL redirects to the second, second to the third — sometimes it repeats more than ten times until the link leads to the spammer’s website.
Interestingly, these new domains are registered several months before use - it is quite possible that this is another way to avoid exposure by legitimate URL shortening services, since the age of the domain can be used as an indicator of legitimacy - a genuine address shortening service will find it more difficult to identify potential violations.
The home page of the site pretends that there is nothing
This is what a spam resource looks like.
This is what spam mailing looks like.
Apparently from pictures, it is made in this example for the English-speaking user
There’s been a lot of spam in Russia lately
Our analysts have identified several such sites at once, and all of them are affiliated with the same spam resources and operate on the same principle. All of them use domain names in the .ru zone, and many use hosting in Russia and Ukraine.
The scheme of their work is as follows: shortened links created with the help of fake websites are “shortened” once again on other legitimate URL shortening services. And after that they are sent to spam recipients. The ability to use an ID that looks like a real one to redirect multiple links to the same site eliminates the need to generate real IDs with a low reuse rate. In addition, such a scheme can help to go unnoticed for many spam filters.
')
Using the aforementioned method, spammers sometimes create long chains in which one shortened URL redirects to the second, second to the third — sometimes it repeats more than ten times until the link leads to the spammer’s website.
Interestingly, these new domains are registered several months before use - it is quite possible that this is another way to avoid exposure by legitimate URL shortening services, since the age of the domain can be used as an indicator of legitimacy - a genuine address shortening service will find it more difficult to identify potential violations.
The home page of the site pretends that there is nothing
This is what a spam resource looks like.
This is what spam mailing looks like.
Apparently from pictures, it is made in this example for the English-speaking user
There’s been a lot of spam in Russia lately
Source: https://habr.com/ru/post/121041/
All Articles