Symantec Warns Of Spam Campaign Using Shortened URLs

In an effort to beat spam filters, Symantec’s MessageLabs has warned that spammers linked to the Storm botnet are increasingly turning to shortened URLs.

According to Symantec’s July 2010 MessageLabs Intelligence Report, spam with shortened hyperlinks reached a peak of 18 percent 30 April, translating to 23.4 billion spam emails. An analysis of the spam campaign has linked some of it to the notorious Storm botnet, which first appeared in 2006 before declining in 2008. The botnet re-emerged in May, and now accounts for 11.8 percent of all the spam containing shortened hyperlinks circulating the web.

Shortened URLs

“While botnets are often the source of short URL spam, 28 percent of this type of spam originated from sources not linked to a known botnet such as unidentified spam-sending botnets or non-botnet sources such as webmail accounts created using CAPTCHA-breaking tools,” said Paul Wood, MessageLabs Intelligence Senior Analyst for Symantec Hosted Services, in a statement.

The peak of 18 percent this year is more than double last year’s highpoint of 9.3 percent recorded last 28 July. In the second quarter of 2009, there was only a single day when shortened hyperlinks appeared in more than 1 in 200 spam messages, Symantec reported. In the second quarter of 2010 however, there were 43 days when that happened.

Dodging Filters

Security pros have repeatedly warned users to be wary about shortened URLs in emails and on social networks because they are sometimes used to trick people into visiting malicious sites. That wariness however should not necessarily transform into panic, as an analysis of shortened URLs in Twitter’s public timeline by Zscaler revealed they were far less likely to lead to malicious sites than search results on Google.

Still, for spammers pushing pharmaceuticals and other goods, using shortened emails can be relatively effective. According to the report, researchers found an average of one website visit for every 74,000 spam emails with the shortened URLs. The most frequently visited shortened links from spam received more than 63,000 website visits.

When it comes to spam, the name of the game is dodging filters, and any tactic that can make it harder to block email messages is going to be adopted by the spammers out there, Wood said.

“When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam emails,” he said.