Email notifications from file-hosting services such as Dropbox and social networking sites such as Google+ have been used to evade spam filters to drive users to adult dating websites. Symantec has observed spammers abusing these notifications to push users to sites with affiliate payout programs over the last few months.
Evading spam filters through Dropbox and Google+
Sharing files and folders with other Dropbox users is a primary feature of the Dropbox experience. Recently, the service added an option to request files from other users, including those without a Dropbox account. When existing Dropbox users invite others to access a folder, request files or join a team, an email is sent from email@example.com.
Figure 1. Scammers abusing the file request function in Dropbox
Scammers are taking advantage of this functionality in order to evade spam filters. Even though the message body is a wall of text with links, the fact that it originates from a Dropbox email address makes it likely to bypass spam filters.
Most of the links we encountered used Google’s short URL service, goo.gl, while some were direct links to landing pages created by the scammers themselves.
Figure 2. Scammers also abuse the Dropbox team and shared folder feature.
We have also observed spam messages reaching inboxes through Google+ notifications. These notifications originate from fake accounts on the social network. The scammers use the fake account to create a public post that includes a photo album of pictures of women that have been posted elsewhere on the internet. This public post is then shared with other Google+ users in order to reach their inboxes. The links included in these notifications use Google’s URL shortener as well as Hootsuite’s ow.ly URL shortener.
Figure 3. Example of adult dating spam being used in Google+ notifications
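The pattern common to both abuses above (a message from a trusted notification sender whose free text carries URL-shortener links) can be turned into a simple inbound-mail heuristic. The script below is an added example written for this post, not Symantec's, Dropbox's or Google's code; the sender domain notify.example and both sample messages are constructed placeholders, and the shortener list contains only the two services named in the post.

```python
import re
from email import message_from_string, policy

# Constructed placeholder for the domain of a legitimate notification sender;
# a deployment would list the real service addresses seen in its own mail logs.
TRUSTED_NOTIFIERS = {"notify.example"}
# Only the shorteners named in the post; extend from threat intel as needed.
SHORTENERS = {"goo.gl", "ow.ly"}
URL_HOST_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)

def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""

def body_text(msg):
    """Decoded text of the first plain or html body part."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part else ""

def assess(raw):
    """Return (suspicious, reasons) for a raw RFC 822 message string."""
    msg = message_from_string(raw, policy=policy.default)
    domain = sender_domain(msg)
    text = body_text(msg)
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    shorteners = sorted(hosts & SHORTENERS)
    reasons = []
    if domain in TRUSTED_NOTIFIERS and shorteners:
        reasons.append(f"notification from {domain} links to shorteners {shorteners}")
    if domain in TRUSTED_NOTIFIERS and len(text.split()) > 80:
        reasons.append("notification carries an unusually long block of free text")
    return bool(reasons), reasons

# Constructed sample messages: one mimicking the abused file request, one benign.
SPAM = """From: Dropbox <no-reply@notify.example>
Subject: Jane requested files from you
Content-Type: text/plain; charset=utf-8

Jane wants to receive files from you. Singles are waiting for a video
chat tonight, sign up free at http://goo.gl/AbCd12 or http://ow.ly/XyZ987
"""
BENIGN = """From: Dropbox <no-reply@notify.example>
Subject: Jane shared a folder with you
Content-Type: text/plain; charset=utf-8

Jane shared "Q3 reports" with you: https://www.notify.example/s/q3-reports
"""
if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("benign", BENIGN)):
        print(name, assess(raw))
```

A shortener link alone is not proof of abuse, so such a rule is best used to raise a score or route the message for review rather than to reject outright.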
Adult dating and webcam spam
The driving force behind the abuse of these notifications is to lead users to adult dating websites with the promise of video chats and sex. This starts with the scammers enticing users to click on the link in the body of the spam message. Once a user clicks on one of these links, they are led to landing pages that contain affiliate links or redirect users to another site using an affiliate ID. These affiliate links and redirects lead to adult dating websites.
The end goal for the scammers is to convert recipients of the spam message into users of one of these adult dating websites. If a user signs up, the affiliate is paid for this conversion. For referring a new user to the site, an affiliate could be paid between US$2 and $6 for each conversion.
Figure 4. Landing page contains affiliate links to adult dating site
Figure 5. Affiliate links lead to adult dating sites
Scammers are persistent
We’ve seen scammers use popular dating apps, photo sharing services, and instant messaging applications to spread this type of spam. Driving users to these affiliate-backed adult dating sites is how these scammers monetize their activities. And one thing is for certain: where there is money to be made, scammers will find creative ways to entice users into making them more money.
We shared these scams with Dropbox to help combat the issue, and it informed us that it is aware of the issue and actively monitors the service for evidence of abuse in an effort to detect and prevent this activity. Additionally, the Dropbox abuse team confirmed that it investigated and implemented countermeasures to mitigate the spammers, including quickly shutting down their accounts.
Everyone should be on the lookout for these types of spam emails, as we continue to see a trend towards abusing legitimate notifications from various services. If you do receive a message like the ones in this blog, contact the Dropbox abuse team at firstname.lastname@example.org or the Google abuse team.
Symantec's Email Security products block the emails associated with this campaign.