Where Has All of the Google Spam Gone?
Since February we have made several mentions of Google Spam and its migration from benign redirects to Canadian Pharmacy sites to malware distribution via fake Osama bin Laden videos. We also saw a Storm Worm campaign, purporting to be a video codec, that used this same technique.
Since February, Google spam had accounted for anywhere between 1% and 5% of total spam volume, but over the past couple of weeks it has all but completely disappeared.
Where did it go?
It seems to have migrated over to Microsoft's Live SkyDrive service. If you are not familiar with SkyDrive, it is a document hosting service being launched by Microsoft, similar to Google Docs.
Here is the basic premise of how this tactic works:
-- An email is received with a link to a document hosted on the SkyDrive service, with some sort of social engineering lure as bait. The format of the URL is http://hostname.bay.livefilestore.com/..$very_long_hash_value…/$filename.html (where the hash is some calculated value and $filename.html is the name of the hosted file).
-- The user clicks the link to the file hosted on SkyDrive, which in this case is an HTML file that contains a JavaScript redirect to a pharmacy website.
-- The redirected web site is displayed in the user's browser and any background code is executed, which could include the drive-by injection of malware just as we saw with Google Spam.
The HTML file being hosted on SkyDrive is a simple, one-line script:
<html><script language=JavaScript>window.location.replace("hxxp://songkhlong.com")</script></html>
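A detection sketch for the two observable pieces of this tactic: the hosted-document link in the message and the redirect-only page behind it. This is an added example, not code from the original post; the host suffix list, the regular expressions and the 40-character visible-text threshold are assumptions.

```python
import re
from html.parser import HTMLParser

# Hosting services named in the post; matching by suffix is an assumption.
HOSTING_SUFFIXES = ("livefilestore.com", "docs.google.com")

# Accepts live (http) and defanged (hxxp) links, as both appear in reports.
URL_RE = re.compile(r"\bh(?:tt|xx)ps?://([^/\s\"'<>]+)(/[^\s\"'<>]*)?", re.I)
# location = "...", location.href = "...", location.replace("...") / assign("...")
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|self\.|top\.)?location"
    r"(?:\.href\s*=|\s*=|\.(?:replace|assign)\s*\()\s*[\"']([^\"']+)[\"']", re.I)


class _Split(HTMLParser):
    """Collect script bodies and visible text separately."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.text = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        (self.scripts if self.in_script else self.text).append(data)


def hosted_doc_links(body):
    """Return URLs in a message body that point at a document-hosting service."""
    out = []
    for m in URL_RE.finditer(body):
        host = m.group(1).lower().split(":")[0]
        if any(host == s or host.endswith("." + s) for s in HOSTING_SUFFIXES):
            out.append(m.group(0))
    return out


def redirect_only_target(html, max_visible=40):
    """Return the redirect target if the page is little more than a JS redirect."""
    p = _Split()
    p.feed(html)
    visible = "".join(p.text).strip()
    m = REDIRECT_RE.search("".join(p.scripts))
    return m.group(1) if m and len(visible) <= max_visible else None
```

A message whose only link is returned by `hosted_doc_links`, and whose hosted page yields a target from `redirect_only_target` on a different domain, matches the pattern described here.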
Currently, SkyDrive Spam is accounting for a little over 1% of the total spam that we are seeing in our Threat Operations Center, which means that it is currently as prevalent as both phishing and gambling spam. I don't believe that we have seen the last of Google spam, but focus definitely appears to have moved toward Microsoft for the time being.
As a side note, McAfee originally reported seeing large influxes of SkyDrive Spam back in January, so SkyDrive spam isn't a new tactic; however, it has dramatically increased in prevalence since the drop-off of Google Spam about 2 weeks ago.
*** UPDATE 6/5/2008 4:50pm MDT *** - It appears that Google Docs is also being targeted by this tactic. I just came across the below message (note the link at the bottom) from one of our spamtraps which hit our system yesterday (the hosted doc appears to have been taken offline by the time of this update):
Hi fellow
Is the Rising Cost of Prescrlption Drugsare cause of concern?
The rising cost of Prescrlption drugs may be costing you your health.
In particular, living on a fixedincome.
You can cut your Medicalbilling.
Simple Way to Cut Your Prescrlption Costs optfor Generic.
Genericpharmacy: A Cheaper Effective Alternative
Forget about huge spendings You can save upto 8O%
Hugesaving because the solutions is directly from manufacturer.
hxxp://docs.google.com/View?docid=3Dddsz3hdh_0wwwmrbm3
