Spammers abusing major domain parking service
Domain parking services allow Internet domain names to be registered without being used for services such as email or hosting a website. This is often done to reserve the domain name for future use, to prevent (or carry out) cybersquatting, or to earn money from advertising hosted on an automatically generated web page on the domain.
We recently noticed a large domain parking service being abused by spammers on a massive scale. Every domain hosted on the service serves an open redirect script, allowing spammers to redirect visitors to any URL of their choice. The only minor restriction is that the destination URL has to be base64-encoded: in other words, a redirect URL of "http://symantec.com" must be specified as "aHR0cDovL3N5bWFudGVjLmNvbQ==".
This type of abuse is particularly interesting because the spammers have not compromised the service at all: they are simply taking advantage of a feature of the software in use. Since the redirect does not affect the parking page, and domains parked on such services are typically not used for any other purpose, the domain owners are unlikely to notice when their domains are inevitably added to anti-spam blocklists. The domain parking service itself may also have been unaware of the abuse; we have informed it.
This abuse could be effective against some anti-spam products, since many of the affected domains have been registered for years and are therefore likely to be regarded as having a good reputation.
Spammers are currently using this to redirect to "get rich quick" sites, which spoof a popular US broadcaster, as shown in the screenshot below:
We have automatically blocked tens of thousands of these domains.
This latest abuse shows the lengths spammers are prepared to go to in attempting to conceal their spam sites.
To help prevent this type of abuse, we recommend that any redirecting script check the HTTP "Referer" [sic] header before redirecting. Using a cryptographic hash to validate the redirect target can also help, as can restricting the set of sites to which redirects are allowed.
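The three mitigations above, combined in one redirect handler, as an added example that is not code from the original post or from the parking service in question. It assumes a hypothetical server-side secret and constructed allowlists of destination hosts and trusted referring hosts; the target is still passed base64-encoded, as on the abused service, but must now carry a keyed hash (HMAC) that only the parking page itself can produce.

```python
import base64
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Hypothetical server-side key (constructed for this example; keep it out of page source)
SECRET_KEY = b"example-parking-secret-rotate-me"
# Constructed allowlist: the only hosts a parked page may redirect visitors to
ALLOWED_HOSTS = {"ads.parking.invalid", "www.parking.invalid"}
# Constructed allowlist of hosts whose pages may trigger the redirect (the parked domains)
TRUSTED_REFERER_HOSTS = {"parked-domain.example"}


def encode_target(url: str) -> str:
    """Standard base64 of the destination URL, the format the abused service used."""
    return base64.b64encode(url.encode()).decode()


def sign_target(url: str) -> str:
    """Value the parking page embeds in its links: base64(url) + '.' + HMAC-SHA256 hex."""
    encoded = encode_target(url)
    tag = hmac.new(SECRET_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    return f"{encoded}.{tag}"


def resolve_redirect(param: str, referer: Optional[str]) -> Optional[str]:
    """Return the URL to redirect to, or None if the request must be refused."""
    # 1. Referer check: refuse redirects that did not originate from our own parked pages
    if not referer or urlparse(referer).hostname not in TRUSTED_REFERER_HOSTS:
        return None
    # 2. Integrity check: the encoded target must carry a valid keyed hash
    encoded, sep, tag = param.rpartition(".")  # base64 and hex never contain '.'
    if not sep:
        return None  # unsigned value, e.g. a bare "aHR0cDov..." as the spammers supply
    expected = hmac.new(SECRET_KEY, encoded.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    # 3. Decode and restrict the destination to http(s) URLs on allowlisted hosts
    try:
        url = base64.b64decode(encoded.encode(), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
        return None
    return url
```

Even a validly signed link to a non-allowlisted host is refused, so a signing key leak alone does not reopen the redirect to arbitrary sites.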
The Symantec Intelligence Blog published by Symantec.cloud serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.