Archived Blog

Since the popularization of the Internet, spam has become a non-detachable part of our daily life. There is probably no user on the whole network without experience of spam. Every day, criminals invent new ways of delivering unsolicited information to end users. The rules of this game have been changing almost daily. As a result of strong technology developments and progressive approaches in companies like Websense, cyber criminals have been looking for more sophisticated ways to promote products and services for their well-paying customers.

Recently, Websense Security Labs encountered an increase in Web spam delivered by different means to potential customers. Screenshot 1 shows one of Websense's analytics hits on blog and forum Web pages with spammy content increases daily. Such posts are being posted on Web sites with high reputation ranks, such as Alexa, the service used to rank Web site traffic (the greater the traffic, the lower the rank number).

Screenshot 1 - In the wild matches for one of our many Web spam analytics

Blog site boom, forums, and most noticeably, social network sites have brought completely new potential for this black market operating all over the world. According to Websense's report for the second half of 2009, 95% of user-generated posts on Web sites are spam or have malicious intent.

Screenshot 2 - Unsolicited spam posted on bebo.com - social networking site with Alexa rank 563

Screenshot 3 - Unsolicited spam posted on friendster.com - Alexa rank 274

The delivery of a large number of unsolicited email messages is becoming more and more problematic from the attacker's perspective, as email spam filters pick up such campaigns immediately (you can see examples reported daily on our Twitter account). Alternative methods to reach the end user by abusing user-generated content platforms (Web 2.0) have brought fresh wind to their wings, and has given them a completely new opportunity to rebuild their businesses. The population of thousands of forums, blogs' comments, or chats with short messages and links has become the easiest way to get a huge amount of attention from Internet users. Web spam has grown into its full strength. As you can see below, various analytics match the assortment of spammy content seen on such Web pages.

Screenshot 4 – Matches on Web and Email spam analytics

Once the user is lured into clicking on such a link, their connection is redirected to a site that usually exists for only a couple of days or weeks. These hosts, commonly used and famous in pharma world, are called Doorways – content-rich Web sites with a maximum amount of topical phrases. Such sites, specifically designed to get high ranks in search engines very quickly, link to a specific location chosen by their creator - either sites which host rogue AV or malicious content, or fake pharma sites. These links would not easily be able to get this attention if they tried to promote themselves directly, either because of a genuine lack of interest from people in searching for it, or because of strong competition between different online gangs.

Hence, posting adverts onto “clean” sites that are viewed by thousands of people every day is a much better marketing option. The trust of the users rises with the popularity of the site, thus well-known and highly-ranked Alexa sites are the best fields to aim for. Of course, everything depends on the product or the service. If you are talking about promoting cheap pharmaceuticals, fake watches, or “branded” handbags, this is the way.

Screenshot 5 - The final destination of the posted link

However, promoting luxurious items, unusual goods, or fake AVs needs a different approach – black SEO search engine optimization, which will be a topic for our next post.

Websense® Defensio customers are real-time protected against even posting such comments or messages, giving no chance to spammers. Our ThreatSeeker network is continually fed from thousands of customers using those services, and combined with our real-time analytics to detect any undesired content, this offers no chances for users to follow Web spam to its final destination and get infected or compromised.

Security Researchers: Ivan Sabo, Artem Gololobov