Spammers taking advantage of IDN with URL shortening services
Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec.cloud
Internationalized Domain Names (IDN) allow domain names to include Arabic, Chinese, Cyrillic, Latin with diacritics and many other characters, for example 寿司 and 한글. In DNS itself such a name is carried as an ASCII "A-label" beginning with xn-- (the Punycode encoding); the browser decodes it back to Unicode for the address bar, so what the user sees and what the resolver sees are different strings. It has been possible to include these characters in some domains for several years, but until last year, top-level domains (like .ru for Russia) were not internationalized like this. Several top-level domains now have internationalized versions, for example .рф for Russia (xn--p1ai on the wire).
I recently saw some German pharmacy spam (targeted at Germany, Austria and Switzerland). The spam itself is fairly normal. It promotes erectile dysfunction drugs, and includes links to a popular URL shortening site:
Figure 1 – example of spam email using URL shortening service redirecting to IDN domain
Most of the spam is in German, but it does include several random English words at the bottom, presumably in a very basic and crude attempt to foil naive spam filters.
A recipient clicking on one of these links is first redirected to a site with a Cyrillic domain name. This shows a "landing page" for one second and then redirects to a site claiming to be a Swiss pharmacy:
Figure 2 – Illustration showing the redirection process
Although it is interesting that spammers are using IDN like this, users won't be aware of it unless they pay very close attention to their web browser's address bar while the landing page is being shown:
Figure 3 – Address bar showing redirected domain using .рф TLD
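The chain described above (shortener, Cyrillic landing page, final pharmacy site) is the kind of thing a mail filter or analyst wants to walk automatically and report in both spellings of each host. The following is an added example written for this page, not Symantec's tooling and not code from the post. It assumes the one-second landing page uses an HTML meta refresh (the post does not say how the redirect is implemented; a JavaScript redirect would need a different extractor), and every URL, hostname and HTML snippet in it is constructed for the example, preserving only the shape of the real run: a short link, a .рф host, a final site. It also shows the Punycode conversion mentioned in the IDN introduction, and adds a check the post does not discuss: a single label that mixes scripts, which is the classic homograph red flag.

```python
"""Trace a shortener -> IDN landing page -> final site chain and flag IDN hosts.

Added example; not Symantec's code. All URLs, hostnames and HTML are constructed.
"""
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, urljoin


def host_to_alabel(host):
    """Unicode hostname -> ASCII 'xn--' (Punycode) form, as it appears on the wire."""
    return host.encode("idna").decode("ascii")


def alabel_to_unicode(host):
    """ASCII 'xn--' form -> Unicode, as a browser's address bar renders it."""
    return host.encode("ascii").decode("idna")


def canonical(url):
    """Rewrite a URL's host to its A-label so Unicode and Punycode spellings compare equal."""
    parts = urlsplit(url)
    netloc = host_to_alabel(parts.hostname or "") + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, parts.fragment))


def label_scripts(label):
    """Script names used in one DNS label, taken from Unicode character names; digits and '-' ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if not (ch.isdigit() or ch == "-")}


def describe_host(host):
    """Report whether a host is an IDN and whether any label mixes scripts (homograph red flag)."""
    unicode_host = alabel_to_unicode(host) if "xn--" in host.lower() else host
    alabel = host_to_alabel(unicode_host)
    per_label = {lab: label_scripts(lab) for lab in unicode_host.split(".")}
    return {
        "unicode": unicode_host,
        "alabel": alabel,
        "is_idn": alabel.lower() != unicode_host.lower(),
        "mixed_script_labels": [lab for lab, s in per_label.items() if len(s) > 1],
        "scripts": sorted(set().union(*per_label.values())),
    }


class MetaRefreshParser(HTMLParser):
    """Extract delay and target from <meta http-equiv="refresh" content="N;url=...">."""
    def __init__(self):
        super().__init__()
        self.delay, self.target = None, None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.match(r"\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
        if m:
            self.delay, self.target = int(m.group(1)), m.group(2)


def meta_refresh(html):
    p = MetaRefreshParser()
    p.feed(html)
    return p.delay, p.target


def trace_chain(start_url, fetch, max_hops=10):
    """Follow Location and meta-refresh hops; fetch(url) -> (status, headers, body)."""
    hops, seen, url = [], set(), canonical(start_url)
    while url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        info = describe_host(urlsplit(url).hostname or "")
        info.update({"url": url, "status": status})
        hops.append(info)
        if 300 <= status < 400 and "Location" in headers:
            nxt, info["via"] = headers["Location"], "location"
        else:
            delay, target = meta_refresh(body)
            if target is None:
                break
            nxt, info["via"] = target, f"meta-refresh after {delay}s"
        url = canonical(urljoin(url, nxt))
    return hops


# Constructed landing page: one-second meta refresh to the "Swiss pharmacy" (hostnames are placeholders).
LANDING_HTML = """<html><head>
<meta http-equiv="refresh" content="1;url=http://swiss-pharma.example/?aff=42">
<title>...</title></head><body>Bitte warten</body></html>"""

# Constructed responses standing in for the network: short link -> .рф landing page -> final site.
# The Location header carries the A-label, as a real HTTP response would.
_RESPONSES = {
    canonical("http://sho.rt/Ab3"): (301, {"Location": f"http://{host_to_alabel('аптека.рф')}/"}, ""),
    canonical("http://аптека.рф/"): (200, {}, LANDING_HTML),
    canonical("http://swiss-pharma.example/?aff=42"): (200, {}, "<html><body>Online Apotheke</body></html>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client (constructed data, see _RESPONSES)."""
    return _RESPONSES.get(url, (404, {}, ""))


if __name__ == "__main__":
    for hop in trace_chain("http://sho.rt/Ab3", fake_fetch):
        flag = " [IDN]" if hop["is_idn"] else ""
        print(f"{hop['status']} {hop['unicode']} ({hop['alabel']}){flag} -> {hop.get('via', 'end')}")
```

Keying the stub on `canonical()` matters in practice too: a shortener's Location header, a log line and an address-bar screenshot will spell the same host three ways, and a blocklist that only stores one of them will miss the others. Python's built-in `idna` codec implements the older IDNA2003 mapping; for current registry rules use the third-party `idna` package, but the xn-- form of .рф is the same either way.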
MessageLabs Intelligence expects the use of IDN in spam to increase in coming months, especially as it may be easier to find unregistered IDN domains. Some registrars are likely to encourage wider adoption of IDNs and are expected to offer registrations at low prices, as we have seen with the introduction of other new top-level domains in previous years.
The Symantec Intelligence Blog published by Symantec.cloud serves as a conduit for communicating Intelligence data, trends and statistics based on analysis of cyber security threats, trends and insights from the Symantec Intelligence team comprised of many world-renowned malware and spam experts. Sitting on the front lines of defense, they have a global view of threats across multiple communication protocols drawn from the billions of web pages, email and IM messages they monitor each day.
Comments
using IDN
So I’ve spent some time researching how to implement rejection of spam at different scores based on the recipients of a given message.
____________
CHI - Premier