Beware of Spam Links that Look Like File Extensions!

Since mid-August, Symantec has been observing spam samples containing links with file extensions in the URLs. If these links are clicked, they do not open any files; instead, they redirect the user to an online pharmacy website. The following file extensions are used in the URLs:

  • .asp
  • .doc
  • .htm
  • .html
  • .mp3
  • .mpeg
  • .pdf
  • .php
  • .txt

The following URLs were seen in spam samples examined by Symantec:

  • http://[REMOVED].be/HOOK2_txt
  • http://[REMOVED].com.br/897110_doc
  • http://[REMOVED].com/677115_php
  • http://[REMOVED].com/686112_asp
  • http://[REMOVED].ru/706060_mp3
  • http://[REMOVED].ru/HOOK2_htm
  • http://[REMOVED].ru/vern_html
  • http://[REMOVED].org/521862_pdf
  • http://[REMOVED].com/139097_mpeg

The links redirect users to an online pharmacy website. The domain was found to be registered in Russia, and its servers were located in Hong Kong and Ukraine. To populate these types of attacks, also known as RSS news-feed spam attacks, spammers use news feeds in the spam email. Symantec has previously published a blog on these types of attacks. Interestingly, the spammers used the recent news of the death of legendary astronaut Neil Armstrong in this spam sample.

The intention of using these particular file extensions could be to evade content filters, which typically look for other types of file extensions. Another reason could be to fool users who would expect the links to open the relevant file type. Symantec’s anti-spam technologies identify all such tricks and protect users from annoying spam emails. We advise users to keep their security software up to date in order to be protected from potential online scams.
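The sample URLs above end in an underscore followed by the extension name (`HOOK2_txt`, `897110_doc`) rather than a real `.ext` suffix, so a rule keyed only on dot-extensions does not match them. The following is an added example, not Symantec's detection logic: a small link classifier that separates the two cases. The `example.test` hostnames, the sample message body and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Extensions listed in the article.
EXTENSIONS = ("asp", "doc", "htm", "html", "mp3", "mpeg", "pdf", "php", "txt")
_ALT = "|".join(sorted(EXTENSIONS, key=len, reverse=True))

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A genuine extension: last path segment ends in ".ext".
DOT_EXT_RE = re.compile(rf"\.(?:{_ALT})$", re.IGNORECASE)
# The shape seen in the samples: the whole last segment is "<token>_<ext>".
PSEUDO_EXT_RE = re.compile(rf"^[A-Za-z0-9]+_(?:{_ALT})$", re.IGNORECASE)

# Constructed sample body (not taken from a real message).
SAMPLE_BODY = """\
Neil Armstrong news: http://mail.example.test/897110_doc
Read more at http://news.example.test/HOOK2_htm.
Invoice attached: http://files.example.test/report.pdf
Unsubscribe: http://example.test/account/settings
"""


def last_segment(url):
    """Return the final path segment, ignoring query string and trailing slash."""
    return urlsplit(url).path.rstrip("/").rsplit("/", 1)[-1]


def classify(url):
    """Label a URL as 'dot-extension', 'pseudo-extension' or 'none'."""
    segment = last_segment(url)
    if DOT_EXT_RE.search(segment):
        return "dot-extension"
    if PSEUDO_EXT_RE.match(segment):
        return "pseudo-extension"
    return "none"


def flag_pseudo_extension_links(body):
    """Extract links from a message body and keep the '_ext' look-alikes."""
    urls = (u.rstrip(".,;:)") for u in URL_RE.findall(body))  # drop sentence punctuation
    return [u for u in urls if classify(u) == "pseudo-extension"]


if __name__ == "__main__":
    for link in flag_pseudo_extension_links(SAMPLE_BODY):
        print("suspicious link:", link)
```

Legitimate sites can also use paths of this shape, so a match is better treated as one scoring signal alongside others than as a verdict on its own.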