Rise of .pw URLs in Spam Messages
Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs. While .pw was originally a country code top-level domain for Palau, it is now available to the general public through Directi, which branded it as “Professional Web”.
Figure 1. .pw TLD URL spam message increase
Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:
Figure 2. TLD distribution list - last 90 days
However, .pw jumps to the fourth spot when looking at the last 7 days:
Figure 3. TLD distribution list - last 7 days
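The comparison behind Figures 2 and 3 can be reproduced on a local mail corpus. The following is an added example, not Symantec's code or data: it ranks the TLDs of URLs found in message bodies over a 90-day and a 7-day window and reports TLDs that climbed. The sample corpus, reference date, function names and the `min_jump` threshold are constructed assumptions.

```python
import re
from collections import Counter
from datetime import date, timedelta
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def url_tld(url):
    """Return the lowercase TLD of a URL's host, or None for IPs and dotless hosts."""
    try:
        host = urlsplit(url.rstrip(".,;:!?)]}>")).hostname or ""
    except ValueError:  # malformed bracketed host
        return None
    host = host.rstrip(".").lower()
    label = host.rsplit(".", 1)[-1]
    if "." not in host or label.isdigit():
        return None
    return label

def tld_ranks(messages, start, end):
    """Rank TLDs (1 = most common) by messages in [start, end] linking to them."""
    counts = Counter()
    for received, body in messages:
        if start <= received <= end:
            # Count each TLD once per message so one URL-stuffed mail cannot skew it.
            counts.update({url_tld(u) for u in URL_RE.findall(body)} - {None})
    ordered = sorted(counts, key=lambda t: (-counts[t], t))
    return {tld: rank for rank, tld in enumerate(ordered, start=1)}

def rising_tlds(messages, today, long_days=90, short_days=7, min_jump=2):
    """Return (tld, long_rank, short_rank) for TLDs that climbed >= min_jump places."""
    long_r = tld_ranks(messages, today - timedelta(days=long_days), today)
    short_r = tld_ranks(messages, today - timedelta(days=short_days), today)
    return sorted((t, long_r[t], r) for t, r in short_r.items() if long_r[t] - r >= min_jump)

# Constructed sample corpus: (received_date, body) pairs, not real spam data.
TODAY = date(2024, 1, 31)

def _msgs(days_ago, tld, n):
    day = TODAY - timedelta(days=days_ago)
    return [(day, f"Offer: http://s{i}.example.{tld}/x?id={i}.") for i in range(n)]

SAMPLE = (_msgs(60, "com", 9) + _msgs(50, "net", 7) + _msgs(40, "org", 5)
          + _msgs(30, "info", 3) + _msgs(3, "pw", 4) + _msgs(2, "com", 3) + _msgs(1, "net", 1))

if __name__ == "__main__":
    for tld, long_rank, short_rank in rising_tlds(SAMPLE, TODAY):
        print(f".{tld}: #{long_rank} over 90 days -> #{short_rank} over 7 days")
```

A TLD that surfaces this way is a candidate for closer review or extra filter weight rather than an outright block, since legitimate senders may use it too.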
Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam.
These are the top ten subject lines from .pw URL spam over the last two days:
- Subject: How to sell your Timeshare
- Subject: Reusable K Cup for Keurig or single-brew coffee maker
- Subject: Reusable single-brew coffee cup you can fill with your coffee blend.
- Subject: Are your home possessions covered in case of a catastrophe?
- Subject: Elmo's Learning Adventure Gift Package
- Subject: Make Learning Fun - With Elmo & the Sesame Street Gang!
- Subject: Are your appliances and home systems covered?
- Subject: Refinance Today, Save Tomorrow
- Subject: Nothing is more EFFECTIVE for High Blood Pressure
- Subject: Mortgage Rates
Figure 4. .pw URL spam message example
Symantec will continue to monitor this trend and create additional filters to target these attacks. Symantec also advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.