I’ve written about the phenomenon of spammers hiding their content in Google Docs before, and we’re starting to see new outbreaks using this trick. Why should spammers bother to serve up their content on Google Docs, rather than use their own hosting locations? Well, we saw what happened when McColo was taken down, which demonstrates how vulnerable spammers can be to their hosting facilities (even though researchers claim that the zombie command & controls were hosted there, and not the spam content itself). So why Google? Well, Google has a strong reputation, which helps email messages with Google Docs hyperlinks inside get past traditional anti-spam methods. Also, many traditional URL filtering solutions won’t have the depth-of-knowledge necessary to block one Google Docs link (containing the spam content) vs. another one (containing, say, a document from a colleague). In other words, using a legitimate site like Google Docs to host spam content will either bypass traditional email and web filtering solutions, or “train” them that Google Docs is bad, which leads to false positives, i.e. blocking of legitimate content.
Now that we know why Google Docs may be making a comeback, let’s see what products are being promoted. I’ll give you two guesses… yup, you got it, dating and pharmaceuticals. The funniest sample I saw was one that mixed them both, with a subject line that said “Don’t be by yourself any longer” and linked to an ad for Viagra, Cialis, Levitra, etc. Perhaps the spammer meant that by using these enhancement drugs, the recipient would be able to get a date. I’m just kidding, of course; probably they just got mixed up, since most of the samples I saw had matching subject lines to landing pages, i.e. the subject dealt with dating/ relationships (“Someone is waiting for you”) and so did the landing page, like this one:
Note that the landing pages have a much more professional look than the previous Google Docs outbreak we reported about.
The fact that the landing pages look much more polished could mean one of two things: it’s either a different group of spammers, or it’s the same spammers, improving their designs.
Note (Commtouch plug): Commtouch Recurrent Pattern Detection Technology blocks this type of spam because they are identified based on the recurrent patterns in the message outbreaks.