
Google Docs is being used to host spam

06.12.2008 - 1:03 PM

Websense Security Labs is constantly monitoring spam for new trends. In the past we have blogged about captcha breaking to gain access to popular free email services. Captcha breaking has allowed spammers to take advantage of the good reputations of services such as Google's Gmail and Microsoft's Live Mail. It has also allowed spammers to create a large number of spam sites on free, hosted services, including Google's Blogspot, and now, Google Docs. Google Docs is a popular Web site that allows users to create documents, spreadsheets, and presentations online, and then easily share the documents among multiple Internet users.

Google's Blogspot is still hosting a large amount of spam

Spammers' exploitation of services like Blogspot to host spam has been discussed (and complained about) for a few years now. A study in 2007 from WebmasterWorld even stated that 75% of all blogs on Blogspot were spam.

This practice has continued largely due to spammers taking advantage of a Web site's popularity in order to bypass content filters that rely heavily on reputation.
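The following sketch is an added example, not code from Websense: it shows why a filter that keys reputation on the domain passes these messages, and how keying on the individual blog or document avoids inheriting the host's good reputation. The shared-host list, the sample message, the host names, the document path and the verdict tables are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: services where a single domain serves content from many unrelated authors.
# "subdomain": each author has its own host label; "path": all authors share one host.
SHARED_HOSTS = {"blogspot.com": "subdomain", "docs.google.com": "path"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)

def domain_key(url):
    """Reputation key used by a domain-level filter (naive last-two-labels rule)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

def tenant_key(url):
    """Reputation key narrowed to one author's content on a shared host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    for suffix, mode in SHARED_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            if mode == "subdomain":
                return host
            return host + parts.path + ("?" + parts.query if parts.query else "")
    return domain_key(url)  # not a shared host: domain-level reputation still applies

def classify(body, verdicts, key_fn):
    """Map every URL in a message body to 'spam', 'clean' or 'unknown'."""
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    return {u: verdicts.get(key_fn(u), "unknown") for u in urls}

# Constructed sample message; host names and the document path are made up.
SAMPLE_BODY = """Great offer, see http://constructed-spam-blog.blogspot.com/
or http://docs.google.com/constructed/spam-doc and
compare http://constructed-recipes.blogspot.com/2008/06/pie.html."""

# Constructed verdict tables: what each kind of filter has learned so far.
DOMAIN_VERDICTS = {"blogspot.com": "clean", "google.com": "clean"}
TENANT_VERDICTS = {
    "constructed-spam-blog.blogspot.com": "spam",
    "docs.google.com/constructed/spam-doc": "spam",
}

if __name__ == "__main__":
    for name, table, fn in (("domain", DOMAIN_VERDICTS, domain_key),
                            ("tenant", TENANT_VERDICTS, tenant_key)):
        print(name, classify(SAMPLE_BODY, table, fn))
```

With the domain key, all three links come back "clean"; with the tenant key, the two spam links are flagged and the unrelated blog is "unknown" rather than trusted by association.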

The screenshots below show recent examples of Blogspot being used for spam redirects.

Figure 1) Spam email containing Blogspot URLs

As we have stated in prior blogs, most Blogspot spam URL content contains obfuscated JavaScript, as highlighted below.

Figure 2) Source code hosted at the Blogspot URL (mainly an obfuscated redirector)

The next image shows the code once the obfuscation is removed. As you can see, it's a simple redirect.

Figure 3) Partial unobfuscated source code from a Blogspot spam URL, showing the URL redirect

Finally, this is the target site for the spam email:

Figure 4) The resulting spam site, after the redirect

A more recent twist on the use of Blogspot for spam has been to put the spam content on Blogspot itself, rather than using a redirect.

Figure 5) A Blogspot page showing embedded spam content

Google Docs now being used to host a large amount of spam

Google Docs is another Web 2.0 service that has been abused recently. Spammers have been sending out messages containing links to their Google document, which contains content that serves as a portal to a spam domain. For example:

Figure 6) The Google Docs site

Figure 7) Email containing links to spam hosted on Google Docs

Here is the Google document referenced in the message above:

Figure 8) Google document containing spam

Conclusion

We expect to see more and more spammers taking advantage of free services to host spam, phishing, and malicious sites, since the captchas that previously deterred them from creating free accounts have become less effective.

Security Researcher: Chris Astacio

 
