Instead of embedding a typical URL link, security vendor BitDefender today said the e-mails use Google search result links such as 'www.google.com/pagead/iclk? sa=l&ai=trailhead&num=69803&adurl=http://.......com,' in an attempt to evade url-based spam filters.
The spam botnet directs users to a site offering explicit videos of celebrities including ‘New naked Britney video’ and ‘Paris Hilton New Video Auditioning Topless’ which hosts malware.
Once downloaded and executed, the malicious downloader, dubbed Trojan.Downloader.Exchange.A, downloads and executes more malware.
According to
BitDefender’s Defence Center blog when users inspect the link, they will see a link to Google, however Google in turn redirects to the site specified as parameter in the URL.
“It seems that Google uses these types of URL's to redirect users who click on advertisement served up by Google's AdSense program, however insufficient parameter validation means that malware authors can modify the URL and use it to redirect users to arbitrary sites,” according to the blog.
According to BitDefender, the malware host, RBN has a reputation as a safe haven of spammers and malware authors worldwide.
"BitDefender has detected an increased overlap between spammers and malware authors, a veritable vicious circle where spam is used to spread malware which in turn spreads more spam,” said BitDefender Head of AntiVirus Research, Sorin Dudea. “Fighting one is fighting the other too."
Dubbed celebrity spam, over the past year many celebrities including
Britney Spears and Paris Hilton's names have been used in the technique that aims to dupe users into clicking on malicious links.