    How Spammers Hide Behind Multiple Web Layers

    Today, I received a spammed message that made it through my spam filters, thanks to a few clever tricks.

    Right off the bat, the message was only a short sentence with a shortened link. The sentence was written in Spanish so anti-spam filters might have had a harder time with it. That was the first clever trick—conciseness. My teachers already told me some time ago that clear and short is better than long and complicated. They were right and they weren’t even talking about spam.

    The second trick was the use of a shortened link. Reputation systems cannot immediately tag shortened URLs as malicious, which helps attackers deliver spam. URL shorteners obfuscate links so that they aren’t readily recognizable. While shortening links is a common practice in the Web 2.0 world, shortened links are not as useful in email. Twitter limits you to 140 characters but, obviously, an email can be longer.

    The shortener’s obfuscation is not really important, though, because the final target is a Blogspot link. Blogspot is a free blogging service, but spammers have abused it to redirect to the real spammer sites, which sell fake Rolex watches. How on earth did a spammer manage to abuse Blogspot in such a way that it can redirect to other sites? After a quick analysis of the site’s HTML source code, it was obvious that the culprit was a clever use of JavaScript code.


    It turns out that Blogspot allows users to insert JavaScript code into their blogs! If that’s not an invitation to abuse the platform, I don’t know what is.
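
    A filter that follows the shortened link and fetches the landing page can catch this pattern statically. The sketch below is an added example, not code from the original post (whose script was shown only in a screenshot): it pulls string-literal navigation targets out of inline scripts and reports those that leave the page's own host. The sample page and all hostnames are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline-script navigations: location = "...", location.href = "...",
# location.replace("...") and location.assign("...").
JS_REDIRECT = re.compile(
    r"""\blocation(?:\.href)?\s*=\s*["']([^"']+)["']"""
    r"""|\blocation\.(?:replace|assign)\(\s*["']([^"']+)["']""", re.I)

# Constructed sample page (not the blog from the post); hosts are placeholders.
SAMPLE = """<html><head><title>my blog</title>
<script type="text/javascript">
  window.location = "http://shop.example.net/watches";
</script></head><body>
<script>if (location.href == "http://a.example/") { document.title = "x"; }</script>
<script>function home() { location.assign("/p/about.html"); }</script>
</body></html>"""

class ScriptRedirects(HTMLParser):
    """Collects string-literal navigation targets from inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.targets = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Only text inside <script> counts; the same words in body text are ignored.
        if self.in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(m.group(1) or m.group(2))

def offsite_redirects(page_url, html):
    """Return absolute redirect targets whose host differs from the page's host."""
    finder = ScriptRedirects()
    finder.feed(html)
    finder.close()
    host = urlparse(page_url).hostname
    urls = [urljoin(page_url, t) for t in finder.targets]
    return [u for u in urls if urlparse(u).hostname != host]
```

    Only targets written as plain string literals are found; a script that builds its destination at run time needs the page to be rendered in a sandboxed browser instead.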

    The bottom line is that using different methods, the bad guys can subvert protection systems and slip through the cracks. It also shows how powerful a tool JavaScript is. In the wrong hands, it can be devastating. That’s one more reason to disallow JavaScript in personal communication tools. The potential for abuse doesn’t even end there, as cross-site scripting (XSS), cross-site request forgery, and other Web abuse techniques are built upon JavaScript availability. In my opinion, JavaScript insertion should be restricted in Blogspot and similar Web 2.0 tools.









    3 Responses to “How Spammers Hide Behind Multiple Web Layers”

    1. Jinnie W Says:

      True, no payment or liability with blogspot and it's going to attract people to abuse it. It ruins it you know?

      But even with eBay, or Amazon, people are still causing problems even with safe "screening" methods.

      That's also true. We're in a global world. Spam usually comes in mangled text strings that resemble English, but there are computers in the hands of non-English speaking people. That's a totally stupid "exploit" if doing the same thing but in French bypasses spam black lists.

    2. Happiness Says:

      Well, Google allows a number of empty and past their sell-by date blogs to clog up the Internet, allowing people to hack these blogs and use them for malicious activities. Blogspot is especially prone to these vulnerabilities as Google won't get its act together and clear up these useless and lifeless blogs.

      I have been to the Google forums to complain about this and nobody, not one single employee, from Google even has the decency to reply to the posts and complaints about these abandoned blogs, instead leaving the job to their 'unpaid forum volunteers', who are just regular Internet folk, to field and answer questions.

    3. David Sancho Says:

      I agree with all of your points and I'd like to raise awareness of this issue. Perhaps if enough of us say it, these companies will pay attention. I said it before and I'll repeat it again: There is no valid reason to allow JavaScript insertion in *any* web application: it's just ripe for abuse.

      David




     

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice