A new (well, to me) spam vector: google.com

This is, I must say, very clever. In my latest round of inbound spam, I’ve noticed that some senders have begun sending valid links to http://google.com/ in their messages. The technique they’re using is to obfuscate a target URL inside a Google “I’m feeling lucky” query: this means that the domain near the left of the URL really is google.com and doesn’t need to be faked, but it immediately reroutes a click to the spammer’s target, which is difficult to read due to some escaping. This is a cute social engineering attack, riding on Google’s brand and domain name to gull the unwary into clicking.

An obvious variant of this technique would be to seed a link farm with statistically improbable phrases, such that an “I’m feeling lucky” search for some innocuous but unlikely term, e.g. “woozy numbat playing kazoo”, would end up with a spammer’s site advertising something rather less wholesome as the number one hit. A spammer could even extend the use of SIPs to provide a canary trap to validate email addresses: if the inbound search term is “feral pet smells linux”, and we only sent that combination to user@domain.com, then the address must be valid.
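On the filtering side, both the escaped-URL trick and the improbable-phrase variant show up as a Google link carrying the “I’m feeling lucky” flag, so a filter can flag that and unescape the query for review. This is an added example, not code from the original post; it assumes the flag appears as the `btnI` query parameter, and the function names and sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample message body (not taken from a real spam run).
SAMPLE_BODY = """\
Cheap meds: http://www.google.com/search?q=%70%69%6c%6c%73%2e%65%78%61%6d%70%6c%65&btnI=I%27m+Feeling+Lucky
Normal search: http://www.google.com/search?q=numbat+habitat
Docs: https://example.org/search?q=test&btnI=1
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_google_host(host):
    """True for google.com and its subdomains only (not lookalikes)."""
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def find_lucky_links(body):
    """Return (url, decoded_query) for each google.com link carrying btnI.

    Assumption: btnI is the query parameter that requests the
    "I'm feeling lucky" redirect to the top hit.
    """
    hits = []
    for url in URL_RE.findall(body):
        try:
            parts = urlsplit(url)
        except ValueError:  # malformed authority, e.g. unbalanced brackets
            continue
        if not is_google_host(parts.hostname):
            continue
        # keep_blank_values so a bare "&btnI" with no value is still seen
        params = parse_qs(parts.query, keep_blank_values=True)
        if "btnI" not in params:
            continue
        # parse_qs has already undone the percent-escaping of the query
        hits.append((url, " ".join(params.get("q", []))))
    return hits


if __name__ == "__main__":
    for url, query in find_lucky_links(SAMPLE_BODY):
        print("lucky link:", url)
        print("  decoded query:", query)
```

The decoded query is what a reviewer or a downstream reputation check should look at, since the link text itself only ever shows google.com.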

Posted in web
