Skip to content

Spam Campaign Exploits Open Google Redirect


Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

A spam campaign currently underway appears to be abusing a redirection script operated by Google. Redirection scripts aren’t typically left wide open. In fact, when I reported a similar campaign that was exploiting an open redirect in Bing to Microsoft, to their credit, they shut down the redirect the same day. That was two years ago.

Fast forward to today, where the spam messages contain a link to an open redirection script on Google — something that was reported to them a week ago — that continues to do what it’s been programmed to do: push the browser to another Web site. That’s not a problem unless you have a spammer doing exactly what you wouldn’t want them doing: Abusing your redirect, and ruining your reputation in the process.

Google says open redirection, such as what has been abused here, isn’t worthy of its bug bounty program because if a not-smart user can’t figure out what’s going to happen just by looking at the URL, eliminating the redirection scripts that enable malicious behavior won’t fix the problem. So go ahead, take a look at that URL in the screenshot above. It’s just so clear what’s about to happen, right? What do you mean, you can’t decode long strings of seemingly-random characters just by looking at them? I guess we can’t all be Mentats.

Turning down the sarcasm for a moment, it looks like this type of attack is here to stay, for now at least. And it has another unintended consequence: Because Google is such a well-known and trusted domain, Google links often pass through email spam content filters unnoticed. So it’s only natural that criminals would try to exploit the inherent trust of the brand if it’s possible. It’s a fairly effective, low cost way to get spammed links to a target audience.

The email message in which the link arrives had a Subject line of just Konnor Bargo, whatever (or whoever) that is. The body is just the name of a song — in one example, Boston’s 1976 More Than a Feeling. Who knew spammers were such aficionados of ’70s power chord rock?

The redirection using Google is only the first step in the process; You can see the next destination in the screenshot above: (Sounds like some slavic spammer’s getting hammered for the holidays, and in fact, that’s closer to the truth than I initially thought. The domain — if you believe the WHOIS data — is registered to one “Valery Orlova” of Krasnoyarsk, Russia.)

That page, in turn, redirects the browser to a malicious page (named qwe.php) placed on a compromised public server hosting an outdated, vulnerable WordPress plugin. Qwe.php bounces us to an IP address,, assigned to an entity known as Leksim Ltd., an “evil” ISP that caters to criminals’ malicious activities. That IP springs the browser on its final destination,, a server in the IP address space registered to Laveco Ltd., hosting the javascript code (and the executable payload, named vclean.exe) of a rogue antivirus “Fakealert.”

It’s a familiar and, sadly, effective technique. I’ve seen precisely the same attack in use for years.

It’s getting old, fellas. Really old. Time to dream up some new scams or just pack it up and go home.

Of course, the pieces of the Fakealert come over the wire. As I’ve said before, this “antivirus scan” is no more effective than watching a slideshow, because that’s pretty much what it is. Here’s what we see when we reconstruct the Fakealert popup from the wire…

…and here’s what the victim sees…

The Javascript code in the Fakealert window populates the rest of the dialog boxes with text. It also doesn’t take ‘no’ for an answer. Even if you click Cancel in any of the dialog boxes, it pushes the executable down to the browser. The icons for the installer looked like a grey shield yesterday, but today they look like the generic icon of a computer, shown below.

So far no big surprises.

Once launched, the rogue installer executes the following commands:

“C:\WINDOWS\system32\cmd.exe” /c taskkill /f /pid 644 & ping -n 3 127.1 & del /f /q “C:\Documents and Settings\(user)\Desktop\vclean.exe” & start C:\DOCUME~1\(user)\LOCALS~1\APPLIC~1\zlqslww.exe -f

That kills the installer (using its Process ID, which in the example above is 644), sends 3 ICMP pings to the localhost address of the computer it is running on, copies the installer to a randomly-named file in the C:\Documents and Settings\(user)\Local Settings\Application Data folder, deletes the original copy of the installer (which I had saved to the Desktop), then launches the randomly-named copy.

But this season, there is one notable change in the rogue antivirus world: the storied Security Tool moniker seems to have been retired from the league of rogues, and finally morphed into something new: Security Shield.

Its tagline, protect your pc in new level, is a strong predictor of hilariously bad bogus virus definitions and unintentionally funny dire warnings about serious problems on your computer. And it doesn’t fail to deliver. Here’s a detail from the “scan results” pane (click to see the full screen).

And here’s the warning message that pops up when the scan is complete. Remember, this was performed on a completely clean testbed computer.

As you can see, this is a fairly serious attack involving open redirection scripts. I know Google doesn’t seem to understand the risks of leaving these things operational, but the company is not a monolith, and someone who works there has to understand the consequences. Maybe they’ll turn the open redirects off anyway. The only advice I can give, for now, is continue your vigilance about not clicking links in email: Just don’t do it. Not from Google, not from your mom .Not just normal-looking emails you receive from total strangers, but weird-looking ones from your friends and family, too.

%d bloggers like this: