
How Spammers Conduct Mass URL Spam Attacks

By Sathya Chandran August 20, 2018


about Sathya Chandran
Security Research Scientist at DataVisor // Sathya is an expert in applying big data and unsupervised machine learning to fraud detection, specializing in the financial, e-commerce, social, and gaming industries. Sathya holds a PhD in CS from the University of South Florida and has previously worked at HP Labs and Honeywell.

URL Representation

Spammers are known to promote a variety of products or services using URLs. URL spam can be distributed via a number of channels such as emails, texts, and social media. Social media, in particular, is a great channel for spammers and fraudsters alike as user-generated information can be easily disseminated through the network. Content shared on social platforms can also appear more “trustworthy” since it is coming from people in our social network, potentially increasing the odds that a user will click on an unknown link.

A successful spam campaign is one that obtains maximum return-on-investment (ROI) to the spammer. This means that a spam campaign must reach as many end users as possible, must be robust in the face of blacklisting efforts, and must be scalable. This blog post describes some of the recent techniques employed by spammers to distribute malicious URLs on social media platforms as observed by DataVisor.

Distribution techniques:

Spammers adopt a number of techniques to increase their reach while mitigating the risks of being blacklisted by the social platform. Instead of acting out in bursts, they can perform intermittent, low-volume promotions such that their activities are spread out over time to avoid drawing attention. They can rent botnets of compromised hosts to use as proxies when distributing spam, rendering IP blacklisting or reputation-based solutions ineffective. Sometimes spammers also promote or post legitimate content intermixed with malicious URLs, allowing their activities to appear similar to that of normal users. In some cases, compromised user accounts are used to distribute spam, making detection even more challenging. Spammers can purchase leaked credentials from underground markets or compromise accounts themselves if they have the resources. Often, the account owner is oblivious to the spam URLs being promoted through the compromised account.

Masking techniques:

A successful spam campaign requires more than just reaching a wide audience without being detected. A spammer must also make sure the promoted URLs are not blocked by service providers, which can easily happen if static URLs are used. There are a couple of common techniques used to avoid blacklisting and mask spam URLs.

1. URL Shortening:

A common spam masking technique is to use a URL shortening service, such as Bitly, Google URL shortener, Is Good, and TinyURL. These services generate a “short” version of a long URL for the purposes of link sharing. Spammers take advantage of this feature to hide the true landing page of a malicious URL, while also piggybacking on the reputation of the URL shortening service (these services are so popular that social media platforms rarely block them).

URL Shortener Example

2. Open Redirection:

Spammers and fraudsters have been known to exploit websites or services that automatically redirect users to a different URL, e.g., based on query parameters specified in the web request. This is known as the open redirect vulnerability and has also been exploited in search engine results, including those from Baidu and Google Maps.

Redirection chain from an example spam URL

Masking techniques:

Spammers typically host their spam infrastructure on “bulletproof” hosts rented out from cloud services or other underground service providers. Given the cost of spam infrastructure, spammers are incentivized to reuse the landing site for subsequent spam campaigns.

The landing site can be set up to redirect incoming requests and serve multiple campaigns simultaneously.

An example of URL redirection attack where the landing server is reused to serve multiple spam campaigns
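The three masking patterns above (a shortener hiding the landing page, an open redirector carrying the destination in a query parameter, and one landing server reused across campaigns) all leave the same trace: a chain of HTTP redirects ending at the real landing host. The following script is an added example, not DataVisor code, showing how a defender can trace that chain without ever loading page bodies, flag query parameters that carry an off-site absolute URL (the shape an open redirector accepts), and group many shared URLs by their final landing host so server reuse across campaigns becomes visible. The `SAMPLE_WEB` table, its hosts and paths, and the `fetch_stub` transport are all constructed sample data standing in for live HTTP.

```python
"""Trace where a shared URL really lands (added example, not DataVisor code).

Follows 3xx Location hops through shorteners, open redirectors and landing
servers, records every host traversed, flags open-redirect-style query
parameters, and groups entry URLs by landing host. SAMPLE_WEB is a
constructed in-memory stand-in for live HTTP; none of its hosts are real.
"""
from urllib.parse import urlparse, parse_qs, urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample 'web': URL -> (HTTP status, Location header or None).
SAMPLE_WEB = {
    "https://short.example/a1": (301, "https://redir.example/out?url=https://land.example/p?c=1"),
    "https://short.example/b2": (301, "https://redir.example/out?url=https://land.example/p?c=2"),
    "https://redir.example/out?url=https://land.example/p?c=1": (302, "https://land.example/p?c=1"),
    "https://redir.example/out?url=https://land.example/p?c=2": (302, "https://land.example/p?c=2"),
    "https://land.example/p?c=1": (200, None),
    "https://land.example/p?c=2": (200, None),
    "https://short.example/loop": (302, "/loop"),     # redirects to itself
    "https://news.example/story": (200, None),         # benign, no redirect
}


def fetch_stub(url):
    """Stand-in transport. In real use, issue a HEAD/GET with automatic
    redirect following disabled and return (status, Location header)."""
    return SAMPLE_WEB.get(url, (404, None))


def follow_redirects(url, fetch=fetch_stub, max_hops=10):
    """Return (chain, reason): every URL visited in order, and why we stopped
    ('final', 'loop' or 'max_hops'). Bounded so a malicious chain cannot
    keep the resolver busy forever."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain, "final"
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "max_hops"


def offsite_url_params(url):
    """Query parameters whose value is an absolute http(s) URL on a host other
    than the one serving the page: the signature of an open redirector."""
    parsed = urlparse(url)
    hits = []
    for key, values in parse_qs(parsed.query).items():
        for value in values:
            target = urlparse(value)
            if (target.scheme in ("http", "https") and target.netloc
                    and target.netloc != parsed.netloc):
                hits.append((key, target.netloc))
    return hits


def analyze(url, fetch=fetch_stub):
    """Summarize one shared URL: hop count, hosts traversed, final landing
    host, how the chain ended, and any open-redirect-style parameters seen."""
    chain, reason = follow_redirects(url, fetch)
    return {
        "entry": url,
        "hops": len(chain) - 1,
        "hosts": [urlparse(u).netloc for u in chain],
        "landing_host": urlparse(chain[-1]).netloc,
        "stopped": reason,
        "offsite_params": [p for u in chain for p in offsite_url_params(u)],
    }


def group_by_landing(urls, fetch=fetch_stub):
    """Map landing host -> entry URLs that end there. Many distinct short
    links resolving to one host is the 'landing server reuse' pattern."""
    groups = {}
    for u in urls:
        groups.setdefault(analyze(u, fetch)["landing_host"], []).append(u)
    return groups


if __name__ == "__main__":
    for u in ["https://short.example/a1", "https://short.example/loop",
              "https://news.example/story"]:
        print(analyze(u))
    print(group_by_landing(["https://short.example/a1",
                            "https://short.example/b2",
                            "https://news.example/story"]))
```

In production the `fetch` argument would wrap an HTTP client with redirect following turned off, so each hop is recorded rather than silently collapsed; the `max_hops` bound and loop check keep a hostile chain from stalling the resolver. Grouping by `landing_host` is what turns hundreds of unique-looking short links into a handful of shared infrastructure clusters.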

These are just examples of how spammers are constantly coming up with new ways to evade existing fraud detection solutions. Online services that allow user-generated content should analyze user behavior from multiple dimensions and seek solutions that do not rely on known patterns of malicious activity. If you are interested in reading more about the technical details of some of the techniques discussed here, head over to our DataVisor Research Medium site.
