Spammers use free Web services to shield links

Spammers are abusing free Web services to make their spam links look more legitimate, according to e-mail security vendor MessageLabs.

One of the services, a photo-hosting site called ImageShack, lets people upload different types of photo formats, including Flash files, said Paul Wood, a senior analyst with MessageLabs.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Flash files, which have the extension ".swf", can be used for animated graphics and can also be used to automatically redirect people to other Web sites. That feature can be abused.

The attack involving ImageShack works like this: Spammers upload a Flash file then copy the link for that file -- which comes from ImageShack's domain -- in a spam message. If the link is followed, the Flash file redirects the victim to a spam site, Wood said.

The technique offers an advantage for spammers. Antispam software will often scan links in e-mail and block those e-mails with suspicious-looking ones. But ImageShack's domain is considered to have a good reputation, so messages won't be blocked.

"If you start blocking on domain name only, you can incur a lot of collateral damage," Wood said.

Another more dangerous variation on this theme is a spam e-mail promoting a video. If the link is clicked, a Flash file redirects the victim to a site where a pop-up window immediately implores the user to download a codec supposedly needed to play the video file. Invariably, the file isn't a codec but some piece of malicious software.

Even if the spam link in the e-mail appears to be OK, there are many other ways to tell if a message is spam.

The header -- or batch of information that shows where an e-mail came from and the path it followed -- can be used to tell if it came from a domain that has been prone to abuse and subsequently blocked, Wood said.

Google's Picasa photo service and Yahoo's Flickr don't allow Flash files. But that hasn't exempted Picasa from abuse. Spammers use Picasa to host images, which are then incorporated into spam messages, Wood said.

Again, spammers are piggy backing on Google's good reputation. Images that are hosted on less reputable services or domains have a greater chance of being automatically blocked by security programs.

MessageLabs has also seen a similar type of abuse of Microsoft's Windows Live SkyDrive, which is an online file storage service, Wood said.

The scenario is almost the same: The link is connected with a file on SkyDrive, but then the link performs an HTML redirect to a dodgy site. SkyDrive also allows Flash files to be uploaded, offering another possible way to attack.