Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

A few weeks after our blog post about porn and secret admirer spam targeting Snapchat users, a new spam campaign using sexually suggestive photos and compromised custom URLs is circulating on the photo messaging app.
 


Figure 1. Snapchat spam
 

Each of these spam messages includes a request to “Add my kik”, along with a specially crafted user name on the Kik instant messaging application for mobile devices.
 


Figure 2. Snapchat with a digital camera? It’s a trap!
 

Once users engage these spam bots on Kik Messenger, the bots follow a type of spam chat bot script we discovered on Tinder last summer.
 


Figure 3. Spam bot using a familiar chat script on Kik
 

An interesting discovery from this campaign is the use of compromised custom URLs belonging to small websites and popular brands. Spammers have found a way to create their own links using branded short domains in order to lull users into a false sense of security.
 


Figure 4. Well-known branded short domain directs users to spam
 

The following are some of the compromised branded short domains we identified:

  • usat.ly (USA Today)
  • cbsloc.al (CBS Local)
  • on.natgeo.com (National Geographic)
  • nyp.st (New York Post)
  • on.mktw.net (Marketwatch)
  • mirr.im (Daily Mirror)
  • red.ht (Red Hat)
  • invstplc.com (Investorplace)
  • mitne.ws (MIT News)


Figure 5. Stats page for compromised short URL
 

Hidden behind the branded customized URLs are affiliate marketing links directing users to sign up for adult webcam sites.

Symantec has been working closely with Bitly to investigate and shut down any spammer use of branded short URLs. Bitly has confirmed that some spammers obtained Bitly API keys belonging to various brands. Some of the brands affected used the AddThis social bookmarking service, which recently stopped requiring users to reveal their API key in plain text as part of the AddThis website embed code.
 


Figure 6. Note from AddThis support page regarding API key safety
 

Public exposure of API keys gives anybody the ability to compromise accounts and, in this case, create short URLs using other people's domains.

Users of the AddThis service should refer to this support article on how to secure API keys. Bitly users should follow Bitly API best practices to ensure the security of API keys.
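Site owners can check whether their own pages still serve a shortener key in plain text. The following is an added example, not code from Symantec, Bitly or AddThis: it scans a page's inline scripts for key-shaped tokens and reports them redacted. The `R_` plus 32 hex characters key format, the embed field names and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: legacy Bitly API keys are "R_" followed by 32 hex characters.
KEY_RE = re.compile(r"\bR_[0-9a-fA-F]{32}\b")
# Assumption: a login name is configured next to the key in the same script.
LOGIN_RE = re.compile(r"""login['"]?\s*[:=]\s*['"]([^'"]+)['"]""")

# Constructed sample page; the embed field names and the key are made up.
SAMPLE_PAGE = """<html><body>
<script>
var addthis_share = { shorteners: { bitly: {
  login: 'examplebrand', apiKey: 'R_0123456789abcdef0123456789abcdef'
} } };
</script>
<script src="https://example.invalid/widget.js"></script>
</body></html>"""

class InlineScripts(HTMLParser):
    """Collect (start_line, text) for each chunk of inline <script> content."""
    def __init__(self):
        super().__init__()
        self.chunks, self._inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._inline = not dict(attrs).get("src")  # skip external scripts
    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False
    def handle_data(self, data):
        if self._inline:
            self.chunks.append((self.getpos()[0], data))

def redact(key):
    return key[:4] + "*" * (len(key) - 8) + key[-4:]

def audit_page(html):
    """Return one finding per key-shaped token served in an inline script."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    findings = []
    for start_line, text in parser.chunks:
        hit = LOGIN_RE.search(text)
        who = hit.group(1) if hit else None
        for m in KEY_RE.finditer(text):
            line = start_line + text.count("\n", 0, m.start())
            findings.append({"line": line, "login": who, "key": redact(m.group())})
    return findings
```

Any finding means the key is readable by every visitor to the page and should be treated as exposed: rotate it and remove it from the served markup.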

The recent spam campaign targeting Snapchat users should not be surprising. Scammers and spammers will always target new and popular apps—like Snapchat—as soon as they gain a large enough user base. To prevent spam snaps from appearing in your Snapchat feed, Symantec recommends users change their Snapchat privacy settings to receive snaps from “My Friends” only and use caution when receiving unsolicited messages or friend requests.