At DataVisor, analyzing over 4B user accounts across some of the largest financial and ecommerce players in the world gives us an unprecedented vantage point into the global fraud ecosystem. We are launching our new blog series to share data insights and the emerging, previously unseen attack patterns and fraud techniques we observe, providing relevant and actionable insights for growing organizations.
In this first post, we will go over common techniques spammers use to conduct attacks at scale. Tune in to our upcoming blog posts to gain unique access into how global fraud patterns are changing.
Spammers are known to promote a variety of products or services using URLs. Spam URLs can be distributed via a number of channels such as emails, texts, and social media. Social media, in particular, is a great channel for spammers and fraudsters alike as user-generated information can be easily disseminated through the network. Content shared on social platforms can also appear more “trustworthy” since it is coming from people in our social network, potentially increasing the odds that a user will click on an unknown link.
A successful spam campaign is one that obtains the maximum return on investment (ROI) for the spammer. This means that a spam campaign must reach as many end users as possible, must be robust in the face of blacklisting efforts, and must be scalable. This blog post describes some of the recent techniques employed by spammers to distribute malicious URLs on social media platforms, as observed by DataVisor.
1. URL Shortening:
A common spam masking technique is to use a URL shortening service, such as Bitly, Google URL shortener, Is Good, and TinyURL. These services generate a “short” version of a long URL for the purposes of link sharing. Spammers take advantage of this feature to hide the true landing page of a malicious URL and to piggyback on the reputation of URL shortening services (they are so popular that social media platforms rarely block them).
2. Open Redirection:
Spammers and fraudsters have been known to exploit websites or services that automatically redirect users to a different URL, e.g., based on query parameters specified in the web request. This is known as the open redirect vulnerability and has also been exploited in search engine results, including those from Baidu and Google Maps.
Spammers typically host their spam infrastructure on “bulletproof” hosts rented out from cloud services or other underground service providers. Given the cost of spam infrastructure, spammers are incentivized to reuse the landing site for subsequent spam campaigns.
The landing site can be set up to redirect incoming requests and serve multiple campaigns simultaneously.
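Both masking techniques above (shortener hosts and open-redirect query parameters) can be flagged before a posted link ever reaches other users, and a redirect endpoint can be hardened so it cannot be abused this way. The following is an added example, not DataVisor's code; the shortener host list and the `*.example` hostnames are constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Assumed sample list of shortener hosts (constructed for this example;
# a real deployment would maintain and update its own).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com", "is.gd"}


def embedded_redirect_targets(url: str) -> list[str]:
    """Return query-parameter values that are absolute http(s) URLs on a
    host other than the one carrying them: the open-redirect shape
    (?next=https://other-site/...) described in the post."""
    outer = urlparse(url)
    outer_host = outer.hostname or ""
    hits = []
    for values in parse_qs(outer.query, keep_blank_values=True).values():
        for value in values:
            inner = urlparse(value)
            if inner.scheme in ("http", "https") and inner.hostname \
                    and inner.hostname != outer_host:
                hits.append(value)
    return hits


def triage_url(url: str) -> dict:
    """Flag the two masking patterns for analyst review or extra scrutiny."""
    host = (urlparse(url).hostname or "").lower()
    return {
        "host": host,
        "shortener": host in SHORTENER_HOSTS,
        "redirect_params": embedded_redirect_targets(url),
    }


def safe_redirect_target(requested: str) -> str:
    """Hardened redirect handler: honour only a same-site relative path.
    Absolute URLs, protocol-relative '//host', the '/\\host' backslash
    variant and non-http schemes all fall back to '/'."""
    parsed = urlparse(requested)
    if parsed.scheme or parsed.netloc:
        return "/"
    if not requested.startswith("/") or requested[1:2] in ("/", "\\"):
        return "/"
    return requested


if __name__ == "__main__":
    for u in ["https://bit.ly/abc123",
              "https://trusted.example/go?next=https://other.example/offer",
              "https://trusted.example/login?next=/account"]:
        print(u, triage_url(u))
    for r in ["/account", "//other.example", "/\\other.example",
              "https://other.example", "javascript:alert(1)"]:
        print(repr(r), "->", safe_redirect_target(r))
```

A reputation system would typically resolve flagged shortener links server-side and run the final landing page through the same triage, so the shortener's own reputation is never what gets scored.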
These are just examples of how spammers are constantly coming up with new ways to evade existing fraud detection solutions. Online services that allow user-generated content should analyze user behavior from multiple dimensions and seek solutions that do not rely on known patterns of malicious activity. If you are interested in reading more about the technical details of some of the techniques we discussed here, head over to our DataVisor Research Medium site.