Thursday, July 11, 2013

A Tricky Bit of Spam

Spammers apparently never sleep and so it isn’t long before a new referral spam hits Blogger or an old one appears under a new link.  This particular one is a new one to me and came in as t . co / 1kXhhiBfBE using a shortened Twitter link. So what is it really?

Screenshot - 7_11_2013 , 8_49_44 AM

A misogynistic offer to teach men how to seduce women. Apparently it is a video and the format looks all too familiar. The content is different, but I never did see the presentation due to this:

Screenshot - 7_11_2013 , 8_52_25 AM

Firefox on Ubuntu failed to install when the camera icon was clicked on. Children, don’t try this at home! Digging into the page source code revealed the video link claims to be in SWF format, but as you can see, nothing happened. If it is malicious code aimed at Windows, it found the wrong operating system to play with.

Screenshot - 7_11_2013 , 8_54_31 AM

Finally, when you try to close or back out of the page, the JavaScript launches this appeal to the profoundly desperate. I’m sad to say this will actually work on some guys.

UPDATED: This is now coming in as a full address, thetaoofbadass . pw / ?a_aid=517d032416eac, which makes it seem even more silly.

Looking at the source code (with no expertise on my part) was revealing in that this appears to be a prefabricated template complete with instructions. A talented coder will glean a lot more than I did, but it shows just how polished the malware and spam pushing has gotten. It is all very professional now and it seems that the weight loss spam used the same form.
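The same static look at the page source can be scripted. This is an added example, not code from the original post: it parses a saved copy of a page as text and lists the three things noted above (SWF references, close/back-out hooks, and the `a_aid` affiliate parameter). The sample HTML and the names `triage`, `_Triage` and `SAMPLE_HTML` are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample standing in for a saved copy of a landing page (not the real one).
SAMPLE_HTML = """<html><head><script>
window.onbeforeunload = function () { return "Wait! Don't leave yet"; };
</script></head><body onunload="showOffer()">
<object type="application/x-shockwave-flash" data="http://media.example/video.swf"></object>
<embed src="/player/intro.SWF?autoplay=1">
<a href="http://landing.example/?a_aid=PLACEHOLDER123">Watch now</a></body></html>"""

EXIT_ATTRS = ("onbeforeunload", "onunload")   # inline handlers that fire on leaving
EXIT_IN_SCRIPT = re.compile(r"beforeunload|unload", re.I)
URL_ATTRS = ("src", "data", "href", "value")  # attributes that may carry a URL

class _Triage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = {"swf": [], "exit_hooks": [], "affiliate_ids": []}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        for name, value in attrs:
            if name in EXIT_ATTRS:
                self.findings["exit_hooks"].append(f"<{tag} {name}>")
            if name in URL_ATTRS:
                parts = urlsplit(value or "")
                if parts.path.lower().endswith(".swf"):  # Flash movie reference
                    self.findings["swf"].append(value)
                # a_aid is the affiliate parameter seen in the spam link
                self.findings["affiliate_ids"] += parse_qs(parts.query).get("a_aid", [])

    def handle_endtag(self, tag):
        self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for hook in EXIT_IN_SCRIPT.findall(data):
                self.findings["exit_hooks"].append(f"script:{hook.lower()}")

def triage(html):
    """Parse HTML text only (nothing is fetched or executed) and return findings."""
    parser = _Triage()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```
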

22 comments:

Kevin K. said...

Got the same referral on my site today. It's a drag discovering, over time, that my audience isn't quite what I thought it was.

Patrick D. Boone said...

Yeah, it is a kick in the teeth kind of feeling. I still don't comprehend how the spammers think that there are enough blog owners to make money off of them.

George The Boxer Dog said...

Thanks for the education. Like the others it's a little disheartening to have to take those hits off my numbers that I thought were growing. Oh well, my mother loves me!

J F Norris said...

Wow! You really took some risks with all that clicking. I admire what you do in reporting all these spam referral morons, but shouldn't you also be educating your fellow bloggers to ignore them? Really that's the best way to fight spam referral. I never click on the links. NEVER. And I rarely Google the links anymore. This Twitter URL disguise got me, but I'm done with spam referral for the rest of this year.

Patrick D. Boone said...

John - I took no risks at all when I investigated the link. I check them out by starting up a virtual machine (VM) that mimics a full blown computer, but with no access to my real operating system or hard disks. It's a disposable setup that I can simply delete if the VM does get infected. Very few viruses and malware out in the wild are aimed at Linux, so that reduces the odds of trouble quite a bit in the first place. I also only use that particular VM for checking spammers!

Yes it is best to ignore the referrals and most people that find the blog are checking before they click, which is why I post about the spammers. A few do visit after the fact, so I suppose a standard disclaimer might be in order for future posts.

Unknown said...

I appreciate this post as well. I'm new to blogging so I don't want to go clickin on stuff I don't know about. They are trixy with the twitter cover though.

Patrick D. Boone said...

Yes they are, to the point of being as bad as Bagginses.

Eve said...

A really useful site. I've clicked on a suspicious link once so far and they seem to visit my blog every day ever since. Is it that bad to search for the addresses of the links on the net? Does it give the spammers any kind of publicity? PS I'm from Poland so it's even weirder that they found me;)

Patrick D. Boone said...

Eve - These spammers hit the entire world from Asia to Europe to the Middle East to the Americas with stops everywhere else. I've created a blog and the first hit on it was by a spammer though no clicking has been done on referrals -- in fact nobody else had seen the blog yet!

Clicking on the visit links in your Blogger statistics does tell them it worked and puts you on a list, but the way they mass harvest blogs it doesn't matter much. But don't click on the suspicious ones since some will try to hijack or infect your PC.

Searching for them on Google, Bing, or DuckDuckGo doesn't really help the spammer, so don't worry about that. It might raise their site in the index, but the only people looking for it will be those suspicious of the site. Hopefully they will find warnings instead.

Linda said...

Dear Patrick, I have this 'Spam' stuck on my Blog .. It is an animated ad for getting the girl! It bothers me it is there and I want it gone ... how do I stop this spam viewing? Can 'I' stop it being there at all?
It is coming in at 12 page views today, 24 yesterday etc... I only found it by seeing what it was in Traffic source. I have one more too .. Plagued by these people :(

Patrick D. Boone said...

Linda - You will keep seeing those hits on your blog if you only use Blogger's statistics to track your visitors. I suggest using an alternative such as Google Analytics or StatCounter.

For Google Analytics: Sign up at http://www.google.com/analytics/ and then get your "analytics web property ID" and paste it into the box at the bottom of your Blogger 'settings - other' page. There are also instructions at Analytics if that doesn't work.

For StatCounter: Sign up at http://statcounter.com/ then look for the "Guided Installation" section on the main page. The first guide happens to be for Blogger!

Both services don't register the spammers, though once in a blue moon I see something like a false referral in Analytics. They also allow you to see more information about your visitors like what browsers they use and what screen resolution.

That helped me decide on a final layout for the blog because I was tempted to go to a wider layout but discovered most people visiting have smaller laptop screens. So lots of uses beyond just seeing where the visitors are from.

Robert Platt Bell said...

I saw the same link on my "Stats" site on blogger.

What is annoying is that you can't shut off the video (and the URL goes to goldfish.com or something) and if you try to close Firefox, a suspicious pop-up comes up saying "are you sure you want to close? You might miss out on these great deals!"

CTRL-ALT-DEL and I dump Firefox. I immediately run Windows Defender, Spybot, and Malwarebytes.

These sorts of websites that immediately load and play audio and video, trying to "sell" you something, are often covers to trojan loads.

This sort of nonsense should be blocked!

I think the actual "message" is just a cover for a malware download - to get you to listen long enough for a background job to load your computer with a virus or trojan...

Unknown said...

Google owns blogger.com. Why are they not doing anything about this sort of thing?

Patrick D. Boone said...

Robert - You could very well be right. I'm thinking of getting Windows XP set up in a virtual machine to find out that kind of thing since Linux OS's don't trigger most malware. Perhaps the Windows clone ReactOS will work in its stead.

Dean - To a limited degree Google already does filter spam, but they have said they don't like to play whack-a-mole with spammer or pirate sites. I think this may be a tacit admission that there are too many for them to handle.

ÅkeHenders said...

Thanks for your post Patrick. The referral lists of my Blog are infested with exactly the links you describe here. I have not clicked the twitter one, nor the newer 'thetaoofbadass' one. Yet, at some point, I did watch the full weight loss video made by some American chiropractor (the referrals coming from this website were apparently used by Russians).

I have fully functioning computer security software, and regularly scan my computer with updated tools such as TDSSKiller, Malwarebytes Antimalware and Kaspersky Virus Removal Tool. Nothing was found at any point.

Do you still think malware (trojan horses) may have been installed on my computer?

Thanks,

Åke

Patrick D. Boone said...

Ake - Your computer is most likely clean and you did the right thing using more than one scanner.

I hope only one stays in memory to scan since conflicts will arise.

So far this looks like a simple attempt to drum up hits. Ads being served can generate money, but I've only recently become aware that spam like this is used to boost the value of reselling a web site. What the maker of the page or domain can claim is high traffic that's guaranteed.

ÅkeHenders said...

Thanks for the explanation Patrick!

I have not scheduled any regular scans in these programs, I just scan once every couple of days manually.

Have you ever come across referral spam from server799- han.de-nserver .de (spaces inserted to prevent accidental clicks)?

They are affiliated with this IP address:

http://www.projecthoneypot.org/ip_85.158.181.28

Thanks,

Åke

Patrick D. Boone said...

Ake - I can't say that I've seen that address. In fact, I haven't seen any referral spam out of Germany as of yet, so it would have been noticed.

Thank you for the link to Project Honey Pot, I'd forgotten about that site! I don't know if I'll participate in it and have been mulling creating a honey pot in a virtual machine. There might be ISP issues with me doing that, so it is only in the speculative stages.

peaceandlonglife said...

Thanks for the suggestion about using Google Analytics.
It's always fun to find new free toys to play with.
Can't seem to connect to statcounter.com.

Patrick D. Boone said...

peace - Glad to be of help.

Analytics isn't perfect but it really is handy at looking at long term trends. I still haven't figured out how to block tracking of my own visits yet, so I filter everything with a second category of location.

peaceandlonglife said...

One method might be to view your own pages in another browser with a script blocker (e.g. NoScript) to prevent the Analytics script from executing.

Patrick D. Boone said...

Peace - True and I used to do that before Gmail, YouTube, and Google Plus were all integrated. At the moment, it isn't that big of a deal since I started using StatCounter to check on daily visits. However, the temptation to play mad scientist has me thinking of enabling Analytics only when I visit their page...