?

Log in

No account? Create an account

Previous Entry | Next Entry

Spam network: Hold on to your networks!

I get, as most folks do, a lot of spam in my inbox. A lot of spam.

And, as most folks who follow my blog know, I dedicate some time to tracking down that spam, especially when it involves hacked Web sites.

Lately, I've been getting a tremendous amount of spam that all looks pretty similar. It usually offers phony lose-weight-quick products, miracle hair regrowers, and other health and beauty scams, and the emails all tend to look pretty much the same. Here's an example:



Pretty bog-standard stuff.

These emails invariably contain URLs that are either hacked sites or sites that have no content at all on the home page. The hacked sites are straightforward; the spammers hack the site, put in a new subdirectory, and put an index file that redirects to another site. The sites that have no content on their top level are a puzzler; it's not clear if the spammers are setting up these sites themselves, using fake or stolen credit card information, or are hacking into sites that have been reserved and configured for hosting but have never had any content placed in them.

Where it gets interesting is in what happens after that.

Clicking on the URL in a spam email takes you to the hacked or blank site, and leads to a redirector. The redirector leads to another, and another, and another, and another, until you finally end up at the spam site. The chain of events looks like this:



The first stop on the chain is ow.ly, a URL shortener used by Hootsuite, the social media company that lets you manage multiple Twitter, LinkedIn, Facebook, and other social media accounts.

Hootsuite is a large, rapidly-growing company that is filled with bright, ambitious programmers who appear to know very little about security and nothing at all about abuse prevention. I wrote a blog post a while ago with a flowchart of Web 2.0 startups; Hootsuite appears to be somewhere in the early stages of the Loss of Innocence part of the chart, having not yet keyed into the fact that their URL shortener is becoming popular with malware droppers and spammers. (The poor naive dears are still so innocent, they have no mechanism at all for reporting ow.ly spam! I predict that's going to bite them in the ass in an ugly way, soon.)

After that, things get more interesting.



The ow.ly URL shortener redirects to a site called neoncoupon.com. It's hosted on Webhosting.net and appears to be little more than a traffic redirector. The whois looks like this:

Domain Name: neoncoupon.com
Registrar: Name.com LLC

Expiration Date: 2013-09-19 15:44:22
Creation Date: 2012-09-19 15:44:22

Name Servers:
ns1.p02.dynect.net
ns2.p02.dynect.net
ns3.p02.dynect.net
ns4.p02.dynect.net

REGISTRANT CONTACT INFO
Whois Privacy Protection Service, Inc.
Whois Agent
PMB 368, 14150 NE 20th St - F1
Bellevue
WA


So nothing useful there.

The next stop on the chain, remindercontrol.com, is hosted on a different IP address on the same Web host, Webhosting.net. Its Whois looks almost identical:

Domain Name: remindercontrol.com
Registrar: Name.com LLC

Expiration Date: 2014-06-15 16:05:03
Creation Date: 2012-06-15 16:05:03

Name Servers:
ns1.p02.dynect.net
ns2.p02.dynect.net
ns3.p02.dynect.net
ns4.p02.dynect.net

REGISTRANT CONTACT INFO
Whois Privacy Protection Service, Inc.
Whois Agent
PMB 368, 14150 NE 20th St - F1
Bellevue
WA


So it's safe to say these two traffic redirection domains (and likely more like them) are probably owned by the same people.

The next stop is interesting. It's affiliate.mlntracker.com.

mlntracker.com advertises itself as the "Million Dollar Network: Private network for seven-figure affiliates". It clams to be invitation only. They have a Twitter feed and an associated Web site that brags, "We allow only a few select super affiliates as publishers for our offers."

Their offers apparently including fake get-thin-fast products advertised by spammers and hackers. Hey, if you can get seven-figure incomes, who cares where they come from, right?

From the super-exclusive million-dollar wankers, the next stop on the chain is a site called hxoffertrack.com. This site is hosted by cakemarketing.com. Going to that site's top level results in a redirect to getcake.com, which bills itself as a "SaaS platform providing business intelligence for performance marketers". In non-buzzspeak, that means it offers analytics to let people see how well their Web sites and email campaigns are doing.

The whois for hxoffertrack.com looks like this:

Domain Name: HXOFFERTRACK.COM
Registrar: GODADDY.COM, LLC

Created on: 02-Apr-13
Expires on: 02-Apr-14
Last Updated on: 26-Apr-13

Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States


As per usual, the owner is hidden behind a proxy. And color me unsurprised to see GoDaddy involved in this somehow...

Finally, we get to the spam site itself, in this case hydroxatone.com. The spam site is hosted on Rackspace (no surprise there, either). And, oh, look, there's GoDaddy again!

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: HYDROXATONE.COM
Created on: 07-Apr-05
Expires on: 07-Apr-14
Last Updated on: 01-Mar-13

Registrant:
Domains By Proxy, LLC
DomainsByProxy.com
14747 N Northsight Blvd Suite 111, PMB 309
Scottsdale, Arizona 85260
United States





So to recap: The spammers hack a site, or possibly set up a blank site. They put a redirector on the site which goes through two stages of redirection on sites they probably own, then through a "private affiliate marketing site for seven-figure affiliates" that appears not to care too much about where their affiliate traffic comes from, then through an analytics company, then finally on to the spam site itself.

It has been common practice for a long while for spammers to hack Web sites, install redirectors on them, and point the redirectors to the actual spam Web sites. That way, when people complain about the spam, the hacked Web sites get shut down...but the actual spam sites themselves live on, since nobody can be arsed to follow the chain.

It seems they're getting savvier, though. I can guess what the "invite-only" seven-figure-affiliate thing is probably all about: a network of spammers, for spammers, by spammers. Traditional organized crime could learn a few lessons about organization from online organized crime!

The addition of analytics to the spam shows a new level of sophistication. Spammers have long been skilled at emotional manipulation; analytics data allows them to fine-tune their pitches, carefully monitoring what kind of spam gets the best results.


Comments