Referer Spam Branches Out
Posted by rekle on Mar 09 2006 in Web
These spammers are becoming downright criminal in their actions. Here's a few new ones I've noticed in my logs:
- Our friend cyber-search.biz, who's been feeding this 33.WMF file for the last few weeks is now feeding a different WMF file, named 'cyber.WMF'. Whether or not this is the same file with a different name, I don't know. I am still suspicious that this WMF file is an exploit of the Windows WMF processing bug. I see this cyber-search.biz site feeding these WMF files all over the place.
- It looks like some spammers are taking advantage of some badly written web sites to disguise the URL of their sites. I'm seeing entries in the log file where it's what looks like a legitimate site that is using HTML frames. Their frame page is written to take a parameter that passes in the URL of the web site to display in the frame. The spammers are then using this parameter to essentially wrap their URL inside a frameset from the legitimate site. This leads your browser to display the URL of the legit site, but show the content of the spammer site. Plus, if you attempt to block the site, you end up blocking the legit site and not the spammer site.
- The spammers are heavily targeting teens as a way of compromising the teen's computers. I see many links from site with the word 'teen' in the domain name. The names have harmless sounding domains like 'teensspace.com' (which sounds suspiciously similar to the very popular teen site 'myspace.com'), 'teen-search.info', etc. Many of these sites link to that infamous 33.WMF file that cyber-search.biz has been feeding. A teen clicks on these sites, loads that 33.WMF file, and ends up unknowningly compromising their computer for the spammer/criminal's use.
- The spammers are now using false 'search engine' sites to redirect people toward this 33.WMF file. I see MANY 'refering searches' in my logs as coming from these bogus sites. This is just a different way of the bloggers trying to force their way into your site so you can display their links for the unsuspecting to click on.