Placeblogger And Others Lead To Imgwebsearch Spam
Over the weekend I was playing around with the iPad application SkyGrid to read the latest news stories on particular subjects. In one of my feeds that I setup for mobile security I saw a story with the title "GvHpMqAVt." From the title I immediately suspected the story as spam (can't seem to go anywhere these days without running into some type of spam on the web). The page has nothing on Blackberry or mobile security which was my topic on SkyGrid - but there was one link on the page for "streaming porn on blackberry pearl" - not really the subject I was looking for. The page is a spam advertisement page to multiple affiliate pages advertising various porn and dating sites. Figured I'd write a brief blog post to detail this campaign:
Placeblogger spam page:
Clicking any of the links takes you to the affiliate page (this one is setup on Quogger but there are a large number of social media sites used for this):
It didn't take long from here to start to unravel the web of spam and affiliate pages setup to monetize porn and dating service pay-per-clicks / pay-per-purchase.
Some Placeblogger spam pages:
The list goes on...
This Google search identifies about 300 or so for example.
Some Affiliate / Advertisement pages:
~ snip ~
Note: there are a lot more affiliate pages - about 10 per Placeblogger spam page. Most of these are profile pages on a variety of social media sites.
Most of the affiliate links direct the visitor through imgwebsearch.com. A search for this site uncovers a large number of spam links to a variety of campaigns including: porn/dating, pharma, casinos, loans, replicas, etc., etc. Imgwebsearch spam shows up everywhere - yes, including Facebook. An example of imgwebsearch pharma spam on Facebook:
Actually, this Google search shows over 600 some related spam pages on Facebook.
How does this work?
Here is an example of one such related spammer detected via Project HoneyPot. In this case the spammer / spam group seems to have one or more netblocks (184.108.40.206/24 in Latvia for example) with the hosts setup to spider the web and post comment spam to sites (infected machines / bots may be used or rented out for this purpose as well). In this case all of the spammer's links were through imgwebsearch. The pool of source IP addresses for spidering / spamming and the changing of the user-agent is used to evade detection. This relatively simple spam operation could be home grown by the spammer(s), or there are relatively inexpensive tools such as XRumer for purchase to facilitate this type of spam (also used for SEO). This and other tools provide account creation / CAPTCHA bypass to be able to spam to sites that require account / login. Affiliate programs (aka Partnerka in Russian slang) -- in this case it appears to be imgwebsearch -- pay these spammers from anywhere from a few cents per click, a few dollars per sign-up/purchase, or in some cases tens of dollars per install (for example, the FakeAV campaigns). There is a good paper from Dmitry Samosseiko from last year's Virus Bulletin that details the Partnerka.