Spammers use Google redirection to sneak shady URLs through filters

A growing technique, used especially by pill spammers, takes advantage of a trick that abuses Google’s URL service.
In yesterday’s spam review, we had 4,778 messages that contained this new form of Google URL.

The spammer’s objective is to mask the actual location of their spam-advertised domain by advertising a link to Google instead. Clicking on the Google link is not a “search” but rather a “referral”, similar to how Google tracks which advertisement hoster should get credit for the advertisement that has been clicked on. Here’s an example of one of the URLs (with a line feed splitting the URL after the “q=”):

https://www.google.com/url?q=

http%3A%2F%2F%61%62%73en%74%2Exv%69%73.%72%75%2F&sa=D&usg=AFQjCNF0tD_e2pf9nHzz0AU6MMOpQFjRzw

What you see in the part after the “q=” is a percent-encoded ASCII string, mixed with regular characters. The portion after the “usg=” is what we would normally think of as the tracking ID for an advertisement, and may, in fact, be used in that way, although we do not have confirmation of that yet. Let’s decode this one:

%3A = :
%2F%2F = //
%61 = a
%62 = b
%73 = s
en doesn’t change, so far we have “http://absen”
%74 = t
%2E = .
xv doesn’t change, so now we have “http://absent.xv”
%69 = i
%73 = s
. doesn’t change
%72 = r
%75 = u
%2F = / … which gives us “http://absent.xvis.ru/” as our advertised URL.

What is located at that address? A Canadian Health & Care Mall illegal pills site.
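The manual decoding above can be automated in a mail filter. The following is an added example, not code from the original article: it rejoins the split URL, extracts the “q=” value, decodes it, and counts percent-escapes applied to characters that never need escaping, which is the sign of deliberate obfuscation. The function name, the returned field names and the restriction to google.com hosts are assumptions of this example.

```python
import re
import string
from urllib.parse import urlsplit, unquote

# URL from the article, with the line feed after "q=" left in place.
SAMPLE = ("https://www.google.com/url?q=\n"
          "http%3A%2F%2F%61%62%73en%74%2Exv%69%73.%72%75%2F"
          "&sa=D&usg=AFQjCNF0tD_e2pf9nHzz0AU6MMOpQFjRzw")

# RFC 3986 "unreserved" characters never need percent-encoding, so escaping
# them serves no purpose other than hiding the text from string matching.
UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def analyze_redirect(url):
    """Return the hidden target of a google.com/url?q= link, or None."""
    url = "".join(url.split())          # undo line-feed splitting
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Assumption: only google.com hosts and the /url path are of interest.
    if not (host == "google.com" or host.endswith(".google.com")):
        return None
    if parts.path != "/url":
        return None
    # Read q= from the raw query so the original escapes can be inspected.
    raw = None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "q":
            raw = value
            break
    if not raw:
        return None
    escaped = [chr(int(h, 16)) for h in re.findall(r"%([0-9A-Fa-f]{2})", raw)]
    needless = [c for c in escaped if c in UNRESERVED]
    target = unquote(raw)
    return {
        "target": target,
        "target_host": urlsplit(target).hostname,
        "needless_escapes": len(needless),
        "obfuscated": bool(needless),
    }


if __name__ == "__main__":
    print(analyze_redirect(SAMPLE))
```

A redirect whose target only escapes “:” and “/” reports zero needless escapes, so the count separates ordinary encoded links from ones built to evade string-matching filters.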

Read the Full Article: Source – Garwarner
http://garwarner.blogspot.nl/2014/09/spammers-use-google-redirection-to.html
