Intro
I’ve been seeing an uptick in brief spams which provide links to a very legitimate site: the Google search engine!
The details
I’ve been getting a lot – several per day – that look like this one:
From: [email protected] To: [email protected] Subject: Legal drugs forum Legalize!!! Read about strongest legal drugs in the world, and buy it online: https://www.google.com/url?q=http%3A%2F%2F%77%77%77.le%67a%6C%69z%65r%2EDRJinfo%2F&sa=D&usg=AFQjCNG0coaOvXJMkOn0nEMvP-dl11XKnQ Attention: MDMB(N)-BZ-F is not allowed now! |
Here’s another example which appears to be a different spam campaign using the same technique which I received several weeks after initially posting this article:
From: [email protected] Subject: Turn your bedroom into paradise of satisfaction https://www.google.com/url?q=http%3A%2F%2F%73lip.h%65al%69DRJn%67%73%65%63%75re%65%73hop.%65%75%2F&sa=D&usg=AFQjCNFeP_XevUiXV-m-DtxAJVi3SMRtVQ |
I’ve changed the links slightly so no one gets in trouble by actually following it.
The link is changed each time and so is the sender.
How to report this?
I have been reporting these to Google directly on their page to Report malicious software, https://www.google.com/safebrowsing/report_badware/.
I have reported five to then of these and have never received a response from Google. It seems the best we can hope for is that Google engineers are sufficiently annoyed by my reports that they begin to agree hey there’s a problem here and maybe people will think less of us if we continue to do nothing.
Why this is particularly devastating
Because the malware link uses this combination:
– https (which encrypts everything)
– a very legitimate web site, www.google.com
– malware
It is very tricky to defeat. Many URL filters, e.g., those used on explicit proxies, cannot peer into https traffic and so have to make a single judgment for a whole site, even one as complicated as www.google.com. Either it is all good, or it is all bad. Who would have the courage to categorize Google as a source of malware and hence block all users from it?
So these perpetrators have engaged in what amounts to link laundering. Some of the URI is encoded in hex, I suppose to help avoid detection and create many valid patterns that are hard for Google to stamp out.
This started over a month ago and is stronger than ever today, so we know at press time Google, in spite of all its advanced technology, does not have a handle on it.
If you see something similar I suggest to report it directly to Google. They may need a little more motivation than I can single-handedly provide them.
Conclusion
Link laundering is now an avenue to sneak spam through. It uses links that point to the Google search engine itself. It seems to have eluded them or been under their radar in spite of many reports. Let’s hope the bad guys don’t have the upper hand permanently.
Appendix
If you are interested in how the URL looks decoded I figured there would be decoders available on the Internet and indeed there are. For instance at http://meyerweb.com/eric/tools/dencoder/
So the URL mentioned above decodes as (again just slightly obfuscated to not make good people do bad things by mistake:
https://www.google.com/url?q=http://www.legalizerDRJ.info/&sa=D&usg=AFQjCNG0coaOvXJMkOn0nEMvP-dl11XKnQ
References
enom-originated spam is discussed here.