By Dave Michmerhuizen – Research Scientist, Shawn Anderson – Engineer
Spammers are always on the lookout for new ways to disguise themselves on the way into your inbox, and recently they've found a new trick that lets them leverage the most trusted brand on the internet – Google. Specifically, they are hiding behind Google's language translation services.
Our Barracuda Labs spam honeypots are turning up a variety of large volume spam attacks that use google.com/translate to whitewash links in an attempt to evade automatic detection.
Now you probably wouldn't click on this (although someone must be clicking on them, because these spammers show no signs of giving up). The thing is, for pharmacy spammers, getting clicks is battle number 2. Battle number 1 is just getting the spam into your inbox, and that's where this spam gets interesting.
A basic strategy for blocking spam that contains links is to consider the reputation and destination of the links found in the message. Spammers fight back by looking for open URL redirectors and poorly maintained URL shorteners that they can hide behind. One of the primary reasons that small, weakly defended websites are hacked is to install simple redirect code – the spammer takes advantage of the good reputation of the website to evade spam filters, and the hacked website redirects anyone who clicks on the message links to the website that the spammer is promoting.
In the case above, the spammer tried to evade detection by using a one-two punch of a poorly maintained URL shortener and a URL redirector that nobody thinks of as a URL redirector – Google Translate.
So the link looks like it goes to google.com. You might think nothing bad could happen there, but what page is this link asking to translate?
What you see here is the URL encoded representation of y.ahoo.it – a URL shortener offered by the fine folks at Yahoo. URL encoding this domain makes it harder for a program examining the initial message to determine the ultimate destination of the link.
Clicking on the link sends us to Google Translate. Google Translate fetches the shortened URL and follows it to playandstudy.org, a hacked WordPress-based website in France. Playandstudy.org returns Russian text that translates to “Redirected to the requested page…” and Google Translate displays that on its page in an iframe.
Once this text is displayed, Google Translate then executes code from playandstudy.org that manages to break out of the iframe and redirect the browser to the ultimate landing page, a rogue pharmacy website.
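From the filter's side, the lesson of this chain is that link reputation has to be applied to the destination Google Translate is asked to fetch, and then to whatever the shortener hands off to, not to google.com itself. The following is an added example, not code from Barracuda Labs, that unwraps a Translate-style link, peels off the percent-encoding that hides the shortener domain, and follows the hop chain to the host a reputation check should actually score. It assumes the embedded page is carried in a `u` query parameter, and the shortener hop table is constructed to mirror the chain described above (the short code is made up).

```python
import urllib.parse
from typing import Callable, Optional

# Hosts the post describes as being abused as an unintended redirector.
TRANSLATE_HOSTS = {"google.com", "www.google.com", "translate.google.com"}

def _with_scheme(url: str) -> str:
    return url if "://" in url else "http://" + url

def unwrap_translate_url(url: str) -> Optional[str]:
    """Return the page a Translate link asks to translate, or None if the link
    is not a Translate wrapper.  The 'u' parameter name is an assumption about
    the link format.  The embedded URL is percent-decoded repeatedly, because
    spammers URL-encode the destination (possibly more than once) to hide it."""
    parts = urllib.parse.urlsplit(url)
    if parts.hostname not in TRANSLATE_HOSTS or not parts.path.startswith("/translate"):
        return None
    target = urllib.parse.parse_qs(parts.query).get("u", [None])[0]
    if not target:
        return None
    for _ in range(3):  # parse_qs decoded one layer already; peel any further layers
        decoded = urllib.parse.unquote(target)
        if decoded == target:
            break
        target = decoded
    return _with_scheme(target)

def final_host(url: str, follow: Callable[[str], Optional[str]], max_hops: int = 5) -> str:
    """Host a reputation check should score: unwrap the Translate wrapper, then
    follow shortener/redirector hops via `follow` (which returns the next URL or
    None, e.g. from an HTTP HEAD Location header) until the chain stops."""
    current = unwrap_translate_url(url) or url
    for _ in range(max_hops):
        nxt = follow(current)
        if nxt is None:
            break
        current = _with_scheme(nxt)
    return urllib.parse.urlsplit(current).hostname or ""

# Constructed offline stand-in for real redirect lookups: shortener -> hacked site.
FAKE_HOPS = {"http://y.ahoo.it/EXAMPLE": "http://playandstudy.org/"}

def fake_follow(url: str) -> Optional[str]:
    return FAKE_HOPS.get(url)

# Constructed sample link in the shape the post describes (domain hidden by URL encoding).
SAMPLE = ("http://www.google.com/translate?hl=en&sl=ru&tl=en"
          "&u=http%3A%2F%2Fy.ahoo.it%2FEXAMPLE")

if __name__ == "__main__":
    print(unwrap_translate_url(SAMPLE))     # http://y.ahoo.it/EXAMPLE
    print(final_host(SAMPLE, fake_follow))  # playandstudy.org
```

In production `follow` would issue a HEAD request and return the `Location` header, and the scoring would be applied to every host in the chain rather than only the last one.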
We've tested many of these links in the lab, and it appears that Google may be implementing code that defeats framebusting, but our tests are inconclusive. Some links now redirect to google.com, while others still redirect to pharmacy sites. We certainly hope this technique is not discovered by malware distributors.
In any case, it's worthwhile to know that spammers are taking these extreme steps to hide what they're doing, and no matter how good your spam filtering solution is, you have to be especially wary of emailed links. In short, don't click on them.