Spammers rely on all kinds of tricks to get past anti-spam filters. One of them is to send messages from clean addresses, that is, addresses that are not blacklisted; another is to camouflage the links so that they do not look suspicious.
To solve the first problem, they often steal or compromise legitimate email accounts. Surely you have at some point received strange emails from your friends, meaningless and with odd links … well, that was spam, as you can see in this article that I published last year (see also the problem this caused for the University of Oxford).
On the other hand, to send junk or malicious links without them being blocked, they usually camouflage them with redirects. That way the links received in the first instance do not look suspicious to anti-spam filters, but when they are clicked they can end up anywhere.
One of the most common forms of camouflage is to infect vulnerable sites in order to take advantage of the good reputation of their domains. You can see an example in this article, where I discuss a case of pharmaceutical spam and show the site's statistics after it was infected.
There are many other techniques; the most obvious would be to use URL shortening services directly, such as bitly.com, tinyurl.com, goo.gl and others. But these are not usually very effective against the filters, and the services themselves can block the redirects if they detect spam. Campaigns have also been seen in which spammers run their own URL shortening services.
As we can see, this is a fairly broad topic that can be approached in many ways. What I want to show in this article is the use of Google to camouflage and redirect links.
Redirects with Google Drive:
I recently commented that Google Drive hosting could be abused to host phishing pages. Well, it can also be used as a redirector; let's look at the example:
You can see that the link points to googledrive.com (with https), which is a Google domain and therefore could in principle be considered safe. Many anti-spam filters are not going to block it; however, if it is used to perform redirects, clicking it could end up anywhere on the internet.
You can test it by clicking the following link; you will notice that you are redirected to Bing: https://googledrive.com/host/0By3GG2jFCV3wdUh4WlRtTWRFQXM/redireccion-bing.html
In this case I use the following code:
It could also be done with scripts or by inserting iframes.
Redirects with Blogger:
With Blogger you can do something similar, and in fact spammers have taken advantage of it for a long time by creating spam blogs. You can see an example in the following blog, which I created as a test for this article: http://testspamloco.blogspot.com
It is possible that the Blogger team will delete it, although it does nothing harmful … it just redirects to Bing with the following script:
In this way spammers can spread their camouflaged links as if they were links to Blogger blogs. At the end of the article I have published an example video in which I show how a redirect of this type could end up infecting our computer.
Redirects with Google translator:
Using the translator to get past the filters is not new either. Basically what they do is send the URL that the application generates when translating a page. This way users and anti-spam filters see a trustworthy google.com link, but when it is accessed, a redirect code is executed:
The previous screenshot is taken from the ESET Spain blog, where a recent case that takes advantage of this technique is discussed.
Redirects with Google results:
One last technique worth discussing is to send directly the link that Google generates for each search result. Let's look at the example: in the following screenshot you can see that when the pointer is held over the first result, the URL has the format https://www.google.com.uy/url?…
The full link is as follows (click here):
It looks like a link to google.com.uy, but when you click it you will notice that you are redirected to Wikipedia.
Well, an attacker could propagate links in this way to camouflage them, although there is a drawback: their malicious or spam pages would need to be indexed in the search engine in order to copy the link.
The links can be edited, since one of the parameters that make them up is the destination URL itself, but there is a variable called ei that always changes, as if it were a security code. So when the link is edited, the following happens.
Edited link (click here):
Because the variable ei does not correspond to the destination URL, a redirect warning is displayed for security:
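As an added example (my own code, not something from the original article), this is how a mail filter or analyst can unwrap the four Google-hosted patterns described above so that reputation checks run against the real destination rather than the trusted google.com, googledrive.com or blogspot.com hostname. It assumes the search-result redirect carries the destination in a url or q query parameter and the translator link in a u parameter; for Drive-hosted pages and Blogger blogs the destination is only inside the page, so the link is reported as opaque.

```python
from urllib.parse import urlparse, parse_qs

# Google hostnames the article shows being used as redirectors. A filter
# that trusts these hostnames is exactly what the spammer is counting on.
RESULT_HOST_PREFIX = "www.google."        # www.google.com, www.google.com.uy, ...
TRANSLATE_HOST_PREFIX = "translate.google."

def unwrap_redirect(link):
    """Classify a link and recover the real destination when it is visible in
    the URL itself. Returns (kind, destination, opaque); opaque means the
    destination only exists inside the hosted page (Drive, Blogger), so the
    filter must fetch and inspect the page instead of trusting the hostname."""
    parsed = urlparse(link)
    host = parsed.netloc.lower()
    query = parse_qs(parsed.query)

    # Search-result redirect, e.g. https://www.google.com.uy/url?url=<dest>&ei=...
    # Assumed parameter names: 'url' or 'q'. The ei token the article mentions
    # is Google's own check; reading the destination does not need it.
    if host.startswith(RESULT_HOST_PREFIX) and parsed.path == "/url":
        dest = (query.get("url") or query.get("q") or [None])[0]
        return ("google-result", dest, dest is None)

    # Translator redirect, assumed form https://translate.google.com/translate?u=<dest>
    if host.startswith(TRANSLATE_HOST_PREFIX):
        dest = (query.get("u") or [None])[0]
        return ("google-translate", dest, dest is None)

    # Drive-hosted HTML: the meta refresh / script / iframe that redirects lives
    # in the page, so the URL reveals nothing about where it ends up.
    if host == "googledrive.com" and parsed.path.startswith("/host/"):
        return ("google-drive-host", None, True)

    # Blogger blog carrying a redirect script: same situation.
    if host.endswith(".blogspot.com"):
        return ("blogger", None, True)

    return ("direct", link, False)

def host_to_check(link):
    """Hostname that blacklist / reputation checks should really be run on:
    the unwrapped destination's host, or None when the link is opaque and the
    page itself must be fetched and inspected."""
    kind, dest, opaque = unwrap_redirect(link)
    return None if opaque else urlparse(dest).netloc.lower()
```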
In general, detecting spam is not difficult: a little common sense before clicking on links is enough. But to train common sense you need to see examples and have an idea of the techniques attackers usually use. That is why I write this kind of article; if we learn to spot these deceptions we will save ourselves many headaches.
In the following demonstration I play both the victim and an attacker who wants to infect the victim's computer. To do so, the attacker sends a link camouflaged with Blogger that starts the download of a Trojan. The machine on the right represents the attacker (Backtrack + Metasploit) and the machine on the left represents the victim. In short, this is what happens:
1- The victim receives an email asking them to fill in a form to become a millionaire.
2- They download it thinking it is a .doc file, but it is actually an .exe (double extension trick).
3- When they open it nothing appears to happen, and the attacker takes control of their computer.
I hope you find the article interesting and, as I said before, the best way to avoid these tricks is to understand how they work.