Researchers at Symantec, who discovered the URL-shortening websites this month, say they use the ".info." domain. "However, unlike the URL shortening sites we discovered in May, these sites are effectively public URL shortening sites. Anyone can create a shortened URL on these sites; the form to do so is also publicly available," the Symantec Intelligence Report for October 2011 says. "Spammers are using a free, open source URL shortening scripts to operate these sites. At the time of writing, 87 different domains were identified as being used in this fashion."
It works like this: Spammers create their own shortened URLs with their own service and then spew their spam with those URLs. Their email lures range from, "It's a long time since I saw you last!" and, "It's a good thing you came," and include the shortened URL, which redirects users duped into clicking on it to a pharmaceutical spam site.
According to Symantec, the domains for the spammers' URL-shortening sites include Moscow-based contacts, and are hosted by a U.K. subsidiary "of a large hosting company," which Symantec has alerted about the ruse.
So why the public URL-shortening sites? "Perhaps this is simply due to laziness on the spammers' part, or perhaps an attempt to make the site seem more legitimate," according to Symantec.
Paul Wood, senior intelligence analyst for Symantec, says anyone who uses the spam gang's URL-shortening services rather than a legitimate one is at risk of having their email flagged as spam. "The only purpose these domains have thus far been used for is in spam emails. We have not seen a legitimate use for them yet," Wood says.
Meanwhile, the use of legitimate URL-shortening services is still under way, although not as widely as earlier this year, according to Symantec. A full copy of the report is available here.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.