Dropbox and Google Plus notifications being used as mules for adult dating spam
Thu 17 Dec 2015
A new report from Symantec security researchers shows that automated notification processes built into the workflows of Dropbox and Google+ are being exploited by spammers to ferry pornography-related missives straight through even the strictest spam filter.
Senior Security Response Manager Satnam Narang posted screenshots of the messages, which are usually invitations to pornographic websites, adult dating websites and live sex-cam services. He explains that Dropbox’s recent facility for requesting files from other users has proved a fruitful source of spam-filter evasion, since such requests can be sent even to people who do not have a Dropbox account – and a spammer can register as many Dropbox accounts as it can generate valid email addresses to sign up with. Narang writes: ‘Despite the contents of the message containing a wall of text along with links, the fact that they originate from a Dropbox email address makes it likely to bypass spam filters.’
The technique is also being exploited in Google+. Spammers are sending notifications from ‘fake’ domains (i.e. disposable, short-term G+ accounts) relating to public posts they have made, usually featuring a gallery of pictures of women harvested from the internet. Sharing the post with G+ users carries the messages – usually steamy invitations from bogus female correspondents – reliably past network and local filters.
To further avoid triggering spam filters which might question pornographic domain links – even when the mail has such trusted provenance – the spammers use Google’s URL-shortening service, https://goo.gl/. The spammers are also using the Hootsuite-based http://ow.ly/ URL shortener.
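The defensive lesson in the two paragraphs above is that a filter which whitelists a notification sender outright has nothing left to catch the lure itself. The following is an added example, not code from the article or from Symantec: a small mail-triage heuristic that parses a raw message, keeps the trusted-sender signal, but treats shortened links (the goo.gl and ow.ly services named above, plus bit.ly as an assumed extra) and an out-of-profile link count as reasons to hold a "trusted" notification for review instead of delivering it. The trusted-notifier list, the sender addresses and the three sample messages are all constructed for the example.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed list of domains whose automated notifications filters tend to
# trust outright; a real deployment would take this from the mail gateway.
TRUSTED_NOTIFIERS = {"dropbox.com", "google.com", "plus.google.com"}

# URL shorteners named in the article (goo.gl, ow.ly) plus bit.ly as an assumed extra.
SHORTENERS = {"goo.gl", "ow.ly", "bit.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if there is none)."""
    addr = msg.get("From", "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip(" >").lower()


def body_text(msg):
    """Concatenate the text/plain parts of a message (or its single body)."""
    if msg.is_multipart():
        parts = [p.get_content() for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return "\n".join(parts)
    return msg.get_content()


def extract_urls(text):
    return URL_RE.findall(text)


def assess(raw):
    """Return a verdict dict for one raw RFC 5322 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = sender_domain(msg)
    urls = extract_urls(body_text(msg))
    hosts = [urlparse(u).netloc.lower() for u in urls]
    shortened = [h for h in hosts if h in SHORTENERS]
    trusted = sender in TRUSTED_NOTIFIERS
    # A genuine file request or share carries one or two service links and no
    # shortened URLs; anything else from a trusted notifier is out of profile.
    suspicious = trusted and (len(shortened) > 0 or len(urls) > 2)
    if suspicious:
        verdict = "quarantine-for-review"
    elif trusted:
        verdict = "deliver"
    else:
        verdict = "normal-filtering"
    return {
        "sender_domain": sender,
        "trusted_sender": trusted,
        "link_count": len(urls),
        "shortened_links": shortened,
        "verdict": verdict,
    }


# Constructed sample messages (not real captures); sender formats are assumed.
MSG_LEGIT_REQUEST = """From: Dropbox <no-reply@dropbox.com>
To: alice@example.org
Subject: Bob is requesting a file

Bob wants you to upload the quarterly report.
https://www.dropbox.com/request/constructed-id
"""

MSG_SPAM_REQUEST = """From: Dropbox <no-reply@dropbox.com>
To: alice@example.org
Subject: Someone is requesting a file

(constructed wall of lure text)
http://goo.gl/constructed1
http://ow.ly/constructed2
http://goo.gl/constructed3
"""

MSG_NEWSLETTER = """From: newsletter@shop.example
To: alice@example.org
Subject: Weekly deals

See http://shop.example/deals and http://goo.gl/constructed4
"""


def run_samples():
    """Assess the three constructed messages; returns a list of verdict dicts."""
    return [assess(m) for m in (MSG_LEGIT_REQUEST, MSG_SPAM_REQUEST, MSG_NEWSLETTER)]


if __name__ == "__main__":
    for result in run_samples():
        print(result)
```

The point of the design is that the sender check is kept but demoted from a pass-through to one input among several: the file-request lure still arrives from the real notification address, so only a signal drawn from the body (shortener hosts, link density) can separate it from a genuine request.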
It’s a fairly ingenious Trojan horse method of delivering the payload, and one which the Symantec report states that Dropbox at least intends to address soon. After twenty years of war with the spammers, some headway has been made – the eclipsing of email by messaging apps has closed off one vector for the smut-peddlers, who nonetheless enjoyed some years of abusing direct messaging applications in Windows to send overwrought invitations direct to Windows desktops. The more obscure avenues of opportunity have become more attractive in recent years, including the bizarre advent of referrer spam, which spoofs visits to a website running Google Analytics in order to draw webmasters to SEO and site-monetising URLs.