Pharmaceutical spammers typically include a URL in their emails since they want to direct recipients to visit their site and purchase their (usually counterfeit) viagra, cialis, etc. However, URLs are pretty straightforward to block in many anti-spam solutions, so spammers are always looking for new ways to hide their URLs. A trick that appeared last year was simply to embed the URL in an image, with instructions to the user to “copy this into your browser.” That short-lived episode couldn’t have had very high conversion rates (i.e. clicks to the URL), since users are notoriously lazy and poor copiers. So ideally, from the spammer’s point of view, the URL should be clickable and lead right to the desired location.
Enter a more recent trick: embedding the spam URLs within a legitimate search result URL. We saw this late last year with Google “poisoning,” reported on by SANS. Google has been pretty vigilant about rooting out these abusers (although we still see spammers taking advantage of more off-the-beaten-track Google sites like Google Burundi (google.bi)). During the last few weeks we’ve seen a massive outbreak of pharmaceutical spam using hyperlinks embedded in Yahoo! search result URLs. The spam looks like this:
The word “Click” is hyperlinked to a URL that looks like this (I’ve swapped out the actual spam site with the words “SPAMMERSITE”): http://rds.yahoo.com/_ylt=3DA0geu4_1hZ9HkDIA7WdXNyoA/SIG=3D=119ei8plu/EXP=3D1201723253/**http%3a//SPAMMERSITE.com/
The link redirects to the following pharmaceutical site:
For those of you who are not familiar with Yahoo’s search results, try doing a quick search for anything, let’s say, “Madonna.” The first result is:
Official site of pop diva Madonna, with news, music, media, and fan club.
www.madonna.com – 19k – Cached
If you hover your mouse over the word “Madonna” you will see that the structure of the URL is almost exactly the same as the spam URL above, in other words, “http://rds.yahoo.com/[hash]/target site URL”.
It’s not as easy as it seems to swap out the target site URL with a different target URL, since Yahoo does notice these changes, probably based on a matching system between the target URL and the hashed string that precedes it. For example, if I try to swap out www.madonna.com in the previous URL with www.commtouch.com, Yahoo automatically redirects me to a page that says:
This link is not authorized by Yahoo!
If you would like to continue to this link’s intended destination at your own risk, click here.
A scary warning page like that might dissuade all but the most committed viagra-seekers from clicking through. So the spammers had to figure out a way to generate Yahoo search result links that lead right to their desired landing page without triggering the Yahoo warning page. In the SANS example above, the spammers developed a search string that was so specific that their spam website was the first result and was therefore automatically selected using Google’s “I Feel Lucky” feature. But how did the spammers do it in the case of these Yahoo! links? There are two possibilities (there are probably more, but these two immediately spring to mind):
- They create a search in Yahoo that displays their site in the results, and they then simply copy the Yahoo-generated URL from the search results (similar to the Google poisoning above). However, this is a very awkward way of doing it, since most of the spammer sites in this outbreak do not even appear in search results: they are new domains, or have no outside links to them. For example, when I did a “backward links” search for the URL in the message, the result was that there are no links pointing to that page.
- The other possibility is that the spammers are using the Yahoo search API to create these links that are recognized by Yahoo.
Just so we’re clear here, every single person who clicks on that spammer’s link is routed through Yahoo’s servers. And we’ve seen millions of these types of emails over the last 24 hours, with dozens of different Yahoo! URLs. It’s ingenious from the spammers’ perspective, since the Yahoo domain and its associated URLs would typically be viewed as legitimate.
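The defensive takeaway is that a mail filter must judge a link by where the click actually lands, not by the redirector’s domain. The following is an added example (not Commtouch’s code) that decodes a quoted-printable message body, recognizes links in the rds.yahoo.com layout shown above (opaque segments, then a `**` marker, then the percent-encoded real target), and resolves each link to its effective landing host. The redirector host list, the `pharma-spam.invalid` domain and the sample body are assumptions constructed for the demo.

```python
"""Resolve search-redirect links in an e-mail body to their real landing host.

Added example, not Commtouch's code. The redirect layout follows the sample
in the post: http://rds.yahoo.com/<opaque segments>/**<percent-encoded target>.
"""
import quopri
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlparse

# Assumption: only the redirector host the post describes is recognized.
REDIRECTOR_HOSTS = {"rds.yahoo.com"}
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def redirect_target(url: str) -> Optional[str]:
    """Return the embedded destination of an rds.yahoo.com link, else None.

    The real target follows the literal '**' marker and is percent-encoded
    ("http%3a//..."), so it is decoded before being returned.
    """
    parsed = urlparse(url)
    if parsed.hostname not in REDIRECTOR_HOSTS:
        return None
    marker = parsed.path.find("**")
    if marker == -1:
        return None
    return unquote(parsed.path[marker + 2:])


def effective_domains(raw_body: bytes) -> List[Tuple[str, str]]:
    """Decode a quoted-printable body and pair every href with the host
    the click really lands on (the redirect target when there is one)."""
    body = quopri.decodestring(raw_body).decode("utf-8", "replace")
    results = []
    for href in HREF_RE.findall(body):
        target = redirect_target(href)
        landing = urlparse(target or href).hostname or ""
        results.append((href, landing))
    return results


def is_redirect_spam(raw_body: bytes, blocked: set) -> bool:
    """True if any link lands, directly or via a redirector, on a blocked host."""
    return any(host in blocked for _, host in effective_domains(raw_body))


# Constructed sample shaped like the post's message: quoted-printable, so every
# '=' appears as '=3D'; the landing host is a placeholder, not a real site.
SAMPLE = (b'<a href=3D"http://rds.yahoo.com/_ylt=3DA0geu4/SIG=3D11abc/'
          b'EXP=3D1201723253/**http%3a//pharma-spam.invalid/">Click</a>')
```

Because the comparison is made on the landing host, a reputation or blocklist lookup keyed on `pharma-spam.invalid` fires even though the visible link is on the Yahoo domain.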