Rise of .in URLs in Spam

Symantec has observed an increase in spam messages containing URLs using the country code top-level domain (ccTLD) for India. This chart shows percentage of spam containing .in URLs:

While there were few daily spikes last year, clearly there has been more activity in the last two months.

Looking back at last year, the ccTLD for India (.in) ranked tenth on our TLD distribution list:

Rank  TLD           % of URL Spam
1     .com          58.89%
2     .ru           9.16%
3     .info         8.57%
4     .net          6.10%
5     .org          3.39%
6     .br           2.56%
7     .ua           2.10%
8     dotted quad   0.69%
9     .uk           0.59%
10    .in           0.50%

However, the .in ccTLD jumps to the fifth spot when looking at the last month (while the percentage more than quadruples):

Rank  TLD           % of URL Spam
1     .com          68.47%
2     .ru           7.13%
3     .net          5.45%
4     .br           3.20%
5     .in           2.34%
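As an added example (not Symantec's tooling), the following Python computes the two statistics behind the chart and tables above from a set of message bodies: the share of messages that contain a .in URL, and the ranking of TLDs across all URLs, with bare IP addresses counted as "dotted quad" as in the table. The sample messages and host names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Loose URL matcher for message bodies; stops at whitespace and tag/quote characters.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
DOTTED_QUAD_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def url_tld(url):
    """Return the TLD bucket of one URL: '.in', '.com', ... or 'dotted quad'.
    Second-level ccTLD names such as example.co.uk fold into '.uk', as the tables do."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if DOTTED_QUAD_RE.match(host):
        return "dotted quad"
    label = host.rsplit(".", 1)[-1]
    return "." + label if label else ""

def tld_distribution(messages):
    """Rank TLD buckets over every URL in every message as (tld, percent of URLs)."""
    counts = Counter()
    for body in messages:
        for url in URL_RE.findall(body):
            tld = url_tld(url)
            if tld:
                counts[tld] += 1
    total = sum(counts.values())
    if not total:
        return []
    return [(tld, round(100.0 * n / total, 2)) for tld, n in counts.most_common()]

def share_with_tld(messages, tld):
    """Percent of messages containing at least one URL in the given TLD bucket."""
    hits = sum(1 for body in messages
               if any(url_tld(u) == tld for u in URL_RE.findall(body)))
    return round(100.0 * hits / len(messages), 2)

# Constructed sample spam bodies (hosts are made up for this example).
SAMPLE_SPAM = [
    "Visitors Pass: claim yours at http://offer.example.in/pass?id=77 today",
    "Avoid Retail Markup http://deals.example.com/x or http://198.51.100.7/go",
    "Update Now http://update.example.in/latest",
    "Health coverage http://cover.example.ru/q and http://www.example.net/",
]

if __name__ == "__main__":
    for tld, pct in tld_distribution(SAMPLE_SPAM):
        print(f"{tld:12} {pct:6.2f}%")
    print(".in share of messages:", share_with_tld(SAMPLE_SPAM, ".in"))
```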

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .in URLs are hit & run spam. Back in March of this year Symantec noted an increase in hit & run spam, and .in URLs appear to be associated with it.

Here are top ten subject lines from .in URL spam over the last five days:

Subject: Avoid Retail Markup
Subject: What Retailers Don't Want You to Know
Subject: Visitors Pass
Subject: Visitors Pass Alert
Subject: 4 foods that KILL fat and 7 food chemicals that CAUSE it
Subject: Visitors Pass Notification
Subject: Warning- You may not be protected by Norton. Update Now.
Subject: Health coverage with or without pre-existing conditions.
Subject: Special 2012 Savings - Eliminate entire phone bill
Subject: DirectBuy Visitors Pass Notification

Please note that the use of the Norton brand above is unauthorized and that the message is not from Symantec. Rather than providing antivirus software updates, as the message claims, these messages often deliver various malware to users instead.

Symantec will continue to monitor this trend and create additional filters to target these attacks. In addition, Symantec also advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.

Peering Into a Pinterest Scam Toolkit

Pinterest is getting lots of media attention lately. Spammers are also starting to exploit the social-media “pinup” site to make quick money. We have found that there are already lots of ready-to-use tools that make it easy for anyone to start Pinterest scams without much difficulty or technical skill. These tools are so easy to use that many require the scammer only to change a couple of lines of code in the kit. They can literally start a new Pinterest scam within minutes! Such tools come bundled with all the required software: account creator, mass follower tools, mass liker tools, comment posters, etc.

We found a couple of such toolkits on the Internet. They are also available for sale on various forums over the net.

Each tool performs a specific function. For example, the folder Pinterest Content Locker contains a couple of scripts to set up scams. This particular one is a scam technique in which victims visit the website and get a “content locked” message stating that they need to click on the “Pin It” button to unlock the content. Here is an example:

In the php code we can see the following:

The code contains an array of links and it randomly selects one to post on Pinterest. It also uses an “unlocked” cookie to check whether a user has already visited the webpage and clicked on the pin button.

The scam requires that a victim click on the “pin it” button before seeing the content of the web page:

The code then calls a function Clicked. This function opens a new window and takes the user to Pinterest for pinning the content. Then it calls another function Remove_Overlay:

This function sets the cookie “unlocked” with the value 1 and an expiration date of the current date plus one. This is done so that the next time users open the same URL, they will not get the content-locked message.

The code also has the folder viral script, which contains a php file used to display various scams:

The image asks the user to click on the “pin it” button, which posts the URL to Pinterest. Then it asks the user to perform the final step, which leads to an attacker-defined survey URL.

The trick is to get victims to click on the “pin it” button before clicking on “Final Step.” If users first click Final Step, then they see this message:

Let’s look at the code of “Click Here”:

It has a link element with id="linkos" whose value is javascript:window.alert("Please Complete Step 1").

This value can be modified at runtime after the user has clicked on the “pin it” button, shown in the next image:

When a user clicks “pin it,” it calls the function “PopupCenter,” which will post the link to Pinterest and call the function “RevealLink.” This function changes the value of “linkos” as follows:
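A defender-side heuristic for the pattern just described, added here as an example (not code from the toolkit): it flags page source that combines a Pinterest pin-create popup with the gating signs covered above, namely a cookie write that records the unlock, a placeholder “javascript:alert” link, and a runtime href rewrite. The indicator names, thresholds and both sample pages are constructed for this example.

```python
import re

# Each indicator is a case-insensitive regex over the raw page source (HTML + inline JS).
INDICATORS = {
    "pin_create_popup": re.compile(r"pinterest\.com/pin/create", re.I),
    "unlock_cookie": re.compile(r"document\.cookie\s*=", re.I),
    "alert_placeholder_link": re.compile(
        r"href\s*=\s*[\"']javascript:\s*(?:window\.)?alert\(", re.I),
    "runtime_href_rewrite": re.compile(
        r"(?:\.href\s*=|setAttribute\(\s*[\"']href[\"'])", re.I),
    "locked_message": re.compile(r"content\s+(?:is\s+)?locked|pin\s+it\s+to\s+unlock", re.I),
}

def content_locker_indicators(html):
    """Return the names of all indicators present in the page source, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(html)]

def is_content_locker(html):
    """Flag a page that pins to Pinterest AND shows at least two gating signs.

    A plain share button alone (pin_create_popup only) is not enough to flag."""
    found = content_locker_indicators(html)
    gating = [n for n in found if n != "pin_create_popup"]
    return "pin_create_popup" in found and len(gating) >= 2

# Constructed sample: the locker pattern (placeholder link rewritten after pinning).
LOCKED_PAGE = """<div id="overlay">Content locked: click Pin It to unlock</div>
<a href="javascript:window.alert('Please Complete Step 1')" id="linkos">Final Step</a>
<a onclick="window.open('http://pinterest.com/pin/create/button/?url=http://scam.invalid/');reveal()">Pin It</a>
<script>function reveal(){document.getElementById('linkos').href='http://survey.invalid/';
document.cookie='unlocked=1';}</script>"""

# Constructed sample: an ordinary page with a normal Pin It share link and no gating.
BENIGN_PAGE = """<p>Our recipe of the week.</p>
<a href="http://pinterest.com/pin/create/button/?url=http://blog.example/recipe">Pin It</a>"""

if __name__ == "__main__":
    for label, page in (("locked", LOCKED_PAGE), ("benign", BENIGN_PAGE)):
        print(label, is_content_locker(page), content_locker_indicators(page))
```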

Another template employs the preceding technique with a different GUI, which seems like the actual Pinterest site:

The template contains an executable named Pinterest Amazon Product Submitter. This is a bot that scrapes Amazon for products based on given keywords and then submits them to Pinterest.

When victims click on a Pinterest post they are redirected to the scammer’s site, which will contain a “redirect script” or “cloaker script” that simply redirects users to Amazon with the scammer’s affiliate ID. Amazon does not see the referral as coming from Pinterest but rather from the scammer’s custom page, and the scammer earns money:

There is also a mass bit.ly link generator, which will generate random links for the scam’s URL:

The trick here is to use “?” at the end of the URL so that the tool adds a random string after the “?” and gets a different URL from bit.ly each time. This technique makes it possible for an attacker to generate as many random URLs as needed, all pointing to the same location.

Another script, “Detecting Mobile Phone Visitors,” can check the user agent of the web browser and determine the device from which a user visits the site.

Depending upon the device, a user can be redirected to a variety of URLs. We have observed that in the case of mobile devices, the redirection often leads to pornographic images which, upon being clicked, open a phone dialer with premium calling numbers. In the case of nonmobile devices, the redirection often leads to various survey scams.

The toolkit also includes “Pinterest follower bot,” which can be used for mass following on Pinterest:

We also find a tool for making mass comments on Pinterest posts:

Another tool generates Pinterest invites:

And would you believe that these tools even come with well-written documentation?

Such toolkits make it very easy for scammers to start their own scam sites and become functional cybercriminals with a minimum of skills and time. They need only change a couple of simple things, such as URLs, and they are ready to go. Almost all of these steps, from creating mass Pinterest accounts to mass liking, commenting, and posting, have been automated.

Most of these scams try to lure users with titles such as “get free gift card,” “Shocking Video,” “you can not believe it,” etc.:

When users click on such URLs, they will be:

  • Redirected to a survey scam, where scammers earn money when users complete surveys
  • Redirected to Amazon or another site, where scammers can earn money by referral
  • Led to premium calling numbers on mobile devices

Please follow these guidelines to stay safe:

  • Never share your password with anyone. Such tools make it very easy to mass-comment or post from any account.
  • If any web page asks you to “Pin It” before you can see the content, most likely it is a scam.
  • If any web page offers you a “free gift card” and redirects you to surveys, most likely it is a scam.
  • Be careful while clicking links that have catchy titles like “shocking video,” “you will not believe it,” “free give away,” etc. Most of the time, they lead to scams and trouble!

CODENAME: Samurai Skills – Real World Penetration Testing Training

Introduction

Yes, there’s another new kid on the block when it comes to penetration testing training. This course is known as CODENAME: Samurai Skills by Ninja-Sec. I’m not going to go and compare this to any other course out there, as I think there’s a place for all of them, and they all have pros [...]

Read the full post at darknet.org.uk