Nov 13, 11:35 am (UTC-7) | by Macky Cruz (Technical Communications)
The idea has indeed taken flight. Previously, we had encountered spam links playing around with the Google ranking system through the use of its “I’m Feeling Lucky” functionality. Now, it’s AOL search’s turn.
The following link:
http:// search.aol.com/%61%6F%6C/%72%65%64%69%72?%63%6C%69%63%6B%65%64I%74%65%6DURN=%68%74%74%70%3A//zaWlGTLKvOtgvxiTSLxWvcoTt%2E%6B%6F%63%6E%6F%77%61%2E%63%6F%6D
looks like this when de-obfuscated:
http:// search.aol.com/aol/redir?clickedItemURN=http://{BLOCKED}TLKvOtgvxiTSLxWvcoTt.kocnowa.com
And in fact leads to the following site:

The link turns out to be taking advantage of the functionality of open redirectors. An open redirector is an application that redirects users to target Web sites automatically (without the need for verification). Redirection by itself is a useful tool for Web site admins who do not want to ‘lose their audience.’ If a user enters a URL that is predictably related (but not exactly) to the site she is looking for, the browser can redirect her to the site itself or a page in the site that can help her find some answers.
But as we realize time and again, tools can be used for both good and bad results. This is the case with redirectors. Since the specially-crafted link starts off with http://search.aol.com while the rest of the URL is obfuscated, spammers can hope to evade spam filters. They only have to make sure that the spam site is the only site referred to in the formulated AOL search result link. This tactic has, in fact, been around for quite some time.
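A filter can undo this kind of obfuscation before judging a link. The sketch below is an added example, not code from the original post: it percent-decodes a link and reports any query parameter whose value is itself a URL on a different host. The function names and the sample link (which uses reserved example domains) are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

def fully_unquote(text, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded text is exposed.
    For display and inspection only: decoding can change URL structure."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def embedded_redirect_targets(url):
    """Return (parameter, host) pairs for query values that are absolute or
    scheme-relative URLs pointing at a host other than the link's own host."""
    parts = urlsplit(url.strip())
    outer_host = (parts.hostname or "").lower()
    findings = []
    # parse_qsl percent-decodes parameter names and values once.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_unquote(value).strip()
        try:
            target = urlsplit(value)
        except ValueError:
            continue  # not parseable as a URL, so not a redirect target
        host = (target.hostname or "").lower()
        if target.scheme in ("", "http", "https") and host and host != outer_host:
            findings.append((name, host))
    return findings

# Constructed sample: same encoding pattern as the link above, on reserved
# example domains instead of the real hosts.
OBFUSCATED = (
    "http://search.example/%61%6F%6C/%72%65%64%69%72"
    "?%63%6C%69%63%6B%65%64I%74%65%6DURN="
    "%68%74%74%70%3A//spam%2E%65%78%61%6D%70%6C%65%2E%6E%65%74"
)

if __name__ == "__main__":
    print(fully_unquote(OBFUSCATED))
    print(embedded_redirect_targets(OBFUSCATED))
```

A filter that scores only the leading host of a link sees `search.example` here; scoring the hosts returned by `embedded_redirect_targets` as well closes that gap.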
Regardless of the motivation, it remains clear that anything used to mislead a user is a violation of his rights and privacy. Users should double-check the URL of the sites they are visiting time and again to make sure they do not fall victim to similar attacks.
Information provided by Senior Threat Analyst Joey Costoya



