Scammers peddle adult dating, webcam spam through legitimate email notifications 

12-17-2015 09:01 AM

Over the last few months, Symantec has observed spammers abusing email notifications from file-hosting services such as Dropbox and social networking sites such as Google+. Because the notifications come from the services themselves, they slip past spam filters and deliver links that drive users to adult dating websites running affiliate payout programs.

Evading spam filters through Dropbox and Google+
Sharing files and folders with other Dropbox users is a core feature of Dropbox. Recently, the service added an option to request files from other users, including those without a Dropbox account. When an existing Dropbox user invites others to access a folder, requests files from them, or invites them to join a team, Dropbox sends the invitee an email from no-reply@dropbox.com, with the inviter's own text embedded in it.

Figure 1. Scammers abusing the file request function in Dropbox

Scammers are taking advantage of this functionality to evade spam filters. Even though the body of the message is a wall of text studded with links, it is sent from a genuine Dropbox address whose reputation spam filters trust, so the message is likely to reach the inbox regardless of its content.

Most of the links we encountered went through Google's URL shortener, goo.gl, which hides the destination from both the recipient and the filter; some were direct links to landing pages the scammers created themselves.

Figure 2. Scammers also abuse the Dropbox team and shared folder feature.

We have also observed spam messages reaching inboxes through Google+ notifications. These notifications originate from fake accounts on the social network. The scammers use a fake account to create a public post containing a photo album of pictures of women taken from elsewhere on the internet, then share that post directly with other Google+ users so that each of them receives a notification email. The links in these notifications use Google's URL shortener as well as Hootsuite's ow.ly shortener.

Figure 3. Example of adult dating spam being used in Google+ notifications
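Both abuses above work for the same reason: the filter trusts the sender and never looks at the user-controlled text the service forwards. The following Python script is an added example, not code from the Symantec post, Dropbox or Google. It scores a notification email on the traits described above, a long body, shortener links, and links that point away from the service's own domain, and only raises a verdict for senders the filter would otherwise trust. The trusted-sender table, the shortener list beyond goo.gl and ow.ly, the word threshold and both sample messages are constructed for illustration.

```python
"""Flag spam riding on legitimate service notifications.

Added example (not from the Symantec post, Dropbox or Google): a mail-filter
heuristic that does not trust a message just because it comes from a known
notification sender. It inspects the user-controlled part of the notification
for the traits the post describes: a wall of text, URL shorteners, and links
that leave the service's own domain.

Assumptions, labelled as such: the trusted-sender table, the shortener list,
the word threshold and both sample messages are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Notification senders that spam filters tend to trust, mapped to the domains
# their links legitimately point at. no-reply@dropbox.com is the address the
# post names; the domain mapping is an assumption.
TRUSTED_NOTIFIERS = {"no-reply@dropbox.com": ("dropbox.com",)}

# goo.gl and ow.ly are the shorteners the post names; the rest are common
# shorteners added as an assumption.
SHORTENERS = {"goo.gl", "ow.ly", "bit.ly", "t.co", "tinyurl.com"}

# A genuine invite carries a short, fixed message; anything above this many
# words is treated as a spammer's wall of text (arbitrary threshold).
LONG_BODY_WORDS = 40

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text: str) -> list:
    """Pull every http(s) URL out of a plain-text body."""
    return URL_RE.findall(text)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def belongs_to(host: str, domains: tuple) -> bool:
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def score_notification(raw_message: str) -> dict:
    """Return the evidence a filter would use to decide on one message."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = parseaddr(str(msg["From"]))[1].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    urls = extract_urls(text)
    own_domains = TRUSTED_NOTIFIERS.get(sender, ())
    shortener_links = [u for u in urls if host_of(u) in SHORTENERS]
    off_domain_links = [u for u in urls if not belongs_to(host_of(u), own_domains)]
    word_count = len(text.split())

    trusted_sender = sender in TRUSTED_NOTIFIERS
    # A trusted sender is exactly the case the reputation check gets wrong, so
    # the verdict only fires for those: a genuine invite has short text and
    # links only back to the service itself.
    suspicious = trusted_sender and bool(
        shortener_links or off_domain_links or word_count > LONG_BODY_WORDS
    )
    return {
        "sender": sender,
        "trusted_sender": trusted_sender,
        "word_count": word_count,
        "shortener_links": shortener_links,
        "off_domain_links": off_domain_links,
        "suspicious": suspicious,
    }


# Constructed sample messages (not captured spam): one genuine-looking folder
# invite and one abusing the same sender to carry dating spam.
BENIGN_INVITE = """\
From: no-reply@dropbox.com
To: bob@example.com
Subject: Alice shared the folder "Q4 reports" with you

Alice invited you to the folder "Q4 reports".
View folder: https://www.dropbox.com/sh/example
"""

SPAM_INVITE = """\
From: no-reply@dropbox.com
To: bob@example.com
Subject: You have been invited to join a team

Hi! I saw your profile and I really want to meet you tonight. I am bored and
alone and looking for someone to chat with on my webcam right now. I have lots
of photos to share with you, just join my room and say hello. Do not keep me
waiting, I am online only for a few more hours. Click here to see me:
https://goo.gl/abc123 or https://ow.ly/xyz987
"""


if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_INVITE), ("spam", SPAM_INVITE)):
        print(name, score_notification(raw))
```

The check deliberately ignores messages from untrusted senders: those are already subject to the ordinary reputation and content scoring, and the gap this closes is the one where a trusted sender address alone earns the message a pass. In a real deployment the trusted-sender table would be populated from the services the organisation actually uses, and the off-domain check would be the strongest signal, since a legitimate share invite has no reason to link anywhere but the service itself.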

Adult dating and webcam spam
The purpose of abusing these notifications is to lead users to adult dating websites with the promise of video chats and sex. The chain starts when a recipient clicks the link in the body of the spam message. That link leads to a landing page that either contains affiliate links or redirects the user to another site with the scammer's affiliate ID attached. Either way, the affiliate links and redirects end at an adult dating website.

The end goal is to convert recipients of the spam message into registered users of one of these adult dating websites. If a recipient signs up, the site pays the affiliate for the conversion, typically between US$2 and $6 for each new user referred.

Figure 4. Landing page contains affiliate links to adult dating site

Figure 5. Affiliate links lead to adult dating sites

Scammers are persistent
We’ve seen scammers use popular dating apps, photo sharing services, and instant messaging applications to spread this type of spam. Driving users to these affiliate-backed adult dating sites is how these scammers monetize their activities. And one thing is for certain: where there is money to be made, scammers will find creative ways to entice users into making them more money.

We shared these scams with Dropbox to help combat the issue. Dropbox told us that it is aware of the problem and actively monitors the service for evidence of abuse in order to detect and prevent this activity. Its abuse team also confirmed that it investigated and implemented countermeasures against the spammers, including quickly shutting down their accounts.

Everyone should be on the lookout for these types of spam emails, as we continue to see a trend towards abusing legitimate notifications from various services. If you do receive a message like the ones in this blog, contact the Dropbox abuse team at abuse@dropbox.com or the Google abuse team.

Protection
Symantec's Email Security products block the emails associated with this campaign.
