spam of the week #2

This item appears to be a classic click-through scam spam.

The hapless user gets some mail, thinks “yay, free mac!”, and after clicking on anything in the mail their web browser is launched and is redirected all over the place. Presumably each of the redirects represents a false click on some advertising or something somewhere which brings in revenue for the spammer.


[Image 1: the initial spam.]


[Image 2: the page seen after the initial couple of redirects.]


[Image 3: the final webpage that is displayed. Kinda ironic don’t you think?]

As an exercise I traced all of the redirects and meta refreshes in order.

1. After clicking on the spam, the following URL is requested by the user's browser:  
`http://r.rockysoils.com/c/34458/18377/82890422.html?/dummy@email.address`  
 Which results in the first 302 redirect:

   ```
   HTTP/1.1 302 Moved Temporarily
   Location: http://publishers.clickbooth.com/ez/bkdgyfnggey/&dp=1537637&/dummy@email.address
   ```
2. That redirect:  
`http://publishers.clickbooth.com/ez/bkdgyfnggey/&dp=1537637&/dummy@email.address`  
 Results in another:

   ```
   HTTP/1.1 301 Moved Permanently
   Location: http://publishers.clickbooth.com/geo_tracking_redirect.html?e=dowymcrbxx
   ```
3. That redirect:  
`http://publishers.clickbooth.com/geo_tracking_redirect.html?e=clqnspiekk`  
 Brings up the page shown in the second image above, and contains a meta refresh command:
4. The meta refresh request:  
`http://publishers.clickbooth.com/sw/12072/CD8940/`  
 Brings up another web page which sets 2 cookies and then triggers another meta refresh:
5. This meta refresh request:  
`http://www.freepay.com/intl.aspx?x=5284`  
 Results in a 302 redirect:

   ```
   HTTP/1.1 302 Found
   Location: http://offers.gratisnetwork.com/rotator/CD114/18
   ```
6. That redirect:  
`http://offers.gratisnetwork.com/rotator/CD114/18`  
 results in another 302 redirect, and sets four more cookies
7. `http://offers.gratisnetwork.com/sw/1510/CD114/&p=18`  
 Sets 2 more cookies, and contains another meta refresh
8. `http://ab.vcmedia.com/c/s=64718/c=107930/`  
 returns another 302 redirect
9. `http://a.websponsors.com/c/s=64718/c=107930/`  
 returns another 302 redirect
10. Which finally gets us to the last page:  
`http://ShoppersSavingCenter.biz/?config=2073&src=WC-64718aaa:107930`  
 which is shown in image number 3
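
The same kind of trace can be rebuilt offline from saved HTTP responses. The following is an added example, not code from the original post: it extracts the next hop from either a 3xx `Location` header or a `<meta http-equiv="refresh">` tag and counts the cookies set at each step. The hosts, paths and responses in `CAPTURED` are constructed for illustration, and the names `next_hop` and `trace` are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class MetaRefresh(HTMLParser):
    """Records the URL of the first <meta http-equiv="refresh"> tag."""
    target = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m and self.target is None:
                self.target = m.group(1).strip()

def next_hop(url, raw):
    """Return (kind, next_url, cookies_set) for one captured HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *rest = head.split("\r\n")
    status = int(status_line.split()[1])
    fields = [l.split(":", 1) for l in rest if ":" in l]
    cookies = sum(1 for k, _v in fields if k.strip().lower() == "set-cookie")
    headers = {k.strip().lower(): v.strip() for k, v in fields}
    if 300 <= status < 400 and "location" in headers:
        return str(status), urljoin(url, headers["location"]), cookies
    parser = MetaRefresh()
    parser.feed(body)
    if parser.target:
        return "meta-refresh", urljoin(url, parser.target), cookies
    return "final", None, cookies

def trace(start, captured, max_hops=20):
    """Walk captured responses from start; stop on loops, gaps or max_hops."""
    chain, url, seen = [], start, set()
    while url in captured and url not in seen and len(chain) < max_hops:
        seen.add(url)
        kind, nxt, cookies = next_hop(url, captured[url])
        chain.append((url, kind, cookies))
        url = nxt
    return chain

# Constructed capture: hosts, paths and cookies are made up for this example.
CAPTURED = {
    "http://r.example/c/1.html": "HTTP/1.1 302 Found\r\nLocation: http://ads.example/ez/abc/\r\n\r\n",
    "http://ads.example/ez/abc/":
        "HTTP/1.1 200 OK\r\nSet-Cookie: a=1\r\nSet-Cookie: b=2\r\n\r\n"
        '<html><head><meta http-equiv="refresh" content="0;url=/sw/1/"></head></html>',
    "http://ads.example/sw/1/": "HTTP/1.1 302 Found\r\nLocation: http://offer.example/final\r\n\r\n",
    "http://offer.example/final": "HTTP/1.1 200 OK\r\n\r\n<html>offer</html>",
}
```

Calling `trace("http://r.example/c/1.html", CAPTURED)` returns one `(url, kind, cookies_set)` tuple per hop, which makes it easy to see where a chain switches from header redirects to meta refreshes and which hops drop cookies.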