Asia's Source for Enterprise Network Knowledge

Thursday, April 24th, 2014


Shortened URL spam has doubled in 2010

Symantec has published its July 2010 MessageLabs Intelligence Report. Analysis reveals that the percentage of spam containing shortened hyperlinks has increased significantly over the last year. Shortened URLs enable more spam to breach traditional spam defences such as reputation-based filters, and allow for smarter multi-step tactics to deceive victims.

Spam containing shortened hyperlinks hit a one day peak of 18 percent, or 23.4 billion spam emails, doubling last year’s peak levels when spam with shortened hyperlinks accounted for 9.3 percent of spam.

In addition to higher peak levels, average daily values also show a significant increase in the use of this tactic. In the second quarter of 2009 there was only a single day when shortened hyperlinks appeared in more than 1 in 200 spam messages.

In the second quarter of 2010 there were 43 days when at least 1 in 200 spam messages contained shortened hyperlinks, and 10 days where at least 5% of all spam contained these links.

Increased difficulty for spam-blocking filters
“As far as spammers are concerned, any tactics that make it harder to block their spam emails are going to be exploited,” said Paul Wood, MessageLabs Intelligence Senior Analyst, Symantec Hosted Services.

When spammers include a shortened URL in spam messages, the shortened hyperlink carries a reputable and legitimate domain, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam emails.
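The filter-evasion effect described above can be shown with a small defender-side check: a reputation filter that scores only the domain visible in the message sees the shortener's clean domain, while a filter that first expands the short link hop by hop scores the real destination. The following is an added example and not code from the report or from Symantec; the shortener list, the blocklist and the redirect table are all constructed stand-ins (the redirect table replaces the HTTP 301/302 chain a live filter would follow with HEAD requests and redirects disabled), and the function names are my own.

```python
"""Expand shortened URLs before reputation scoring (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Constructed set of URL-shortener hostnames (assumption, not taken from the report).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}

# Constructed domain-reputation blocklist used by this toy filter.
BAD_DOMAINS = {"pharma-deals.example", "login-verify.example"}

# Constructed redirect table standing in for HTTP 301/302 Location headers, so the
# example runs offline. A live filter would issue a HEAD request per hop with
# automatic redirects disabled and read the Location header itself.
REDIRECTS = {
    "http://bit.ly/abc123": "http://redir.example/x?u=1",
    "http://redir.example/x?u=1": "http://pharma-deals.example/buy",
    "http://tinyurl.com/loop1": "http://tinyurl.com/loop2",
    "http://tinyurl.com/loop2": "http://tinyurl.com/loop1",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def dict_resolver(table):
    """Build a resolver (url -> next url or None) from a redirect table."""
    return lambda url: table.get(url)


def expand(url, resolver, max_hops=5):
    """Follow redirects hop by hop.

    Returns (final_url, hops, reason) where reason is 'ok', 'loop' or
    'too_many_hops'. Loops and long chains are reported rather than followed,
    because both are themselves a signal worth scoring.
    """
    seen = [url]
    current = url
    for _ in range(max_hops):
        nxt = resolver(current)
        if nxt is None:
            return current, len(seen) - 1, "ok"
        if nxt in seen:
            return nxt, len(seen), "loop"
        seen.append(nxt)
        current = nxt
    return current, len(seen) - 1, "too_many_hops"


def score_message(body, resolver=dict_resolver(REDIRECTS)):
    """Score one message body two ways so the strategies can be compared.

    naive_verdict checks only the domains visible in the message;
    expanded_verdict expands known shortener links first.
    """
    urls = URL_RE.findall(body)
    naive_bad = [u for u in urls if host_of(u) in BAD_DOMAINS]
    expanded_bad, suspicious = [], []
    for u in urls:
        if host_of(u) in SHORTENER_HOSTS:
            final, _hops, reason = expand(u, resolver)
            if reason != "ok":
                suspicious.append((u, reason))
            elif host_of(final) in BAD_DOMAINS:
                expanded_bad.append((u, final))
        elif host_of(u) in BAD_DOMAINS:
            expanded_bad.append((u, u))
    return {
        "urls": urls,
        "naive_verdict": "spam" if naive_bad else "clean",
        "expanded_verdict": "spam" if (expanded_bad or suspicious) else "clean",
        "expanded_bad": expanded_bad,
        "suspicious": suspicious,
    }


# Constructed sample message: the only visible domain is the shortener's.
SAMPLE = "Great deals today, see http://bit.ly/abc123 before they expire!"

if __name__ == "__main__":
    result = score_message(SAMPLE)
    print("visible-domain verdict:", result["naive_verdict"])
    print("expanded-URL verdict:  ", result["expanded_verdict"])
    for short, final in result["expanded_bad"]:
        print(f"  {short} -> {final}")
```

The same message scores "clean" on the visible domain and "spam" once the link is expanded, which is the gap the report describes. In production the resolver should be rate-limited and time-bounded, since each hop is an outbound request the spammer controls the target of.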

Source of shortened hyperlinks elusive
Further analysis of spam containing shortened URLs revealed that the Storm botnet, which returned to the threat landscape in May 2010, is responsible for the greatest volume of botnet spam containing short hyperlinks, accounting for 11.8 percent of all spam containing shortened hyperlinks. A large proportion of short URL spam this quarter also originates from other sources, including unidentified botnets.