Andrew Conway of San Francisco-based Cloudmark, a company that provides protection against email threats, reports that at this time over fifty percent of the short links blacklisted by Cloudmark use Twitter's t.co service.
He explained that spam using t.co short links arrives in waves lasting between four and six weeks, most likely because that is how long it takes Twitter to recognize the attack and adjust its abuse filters to prevent users from reaching malicious pages.
According to Conway, analysis of a sample of 1,200 t.co links gathered in a single week (July 22 – July 29) from emails reported as possible spam to Cloudmark's systems showed that only 59 of them (about 5%) had been identified as malicious by Twitter, with access to the pages they were directed to blocked.
81 of the links (7%) were used legitimately and led to risk-free destinations; but most of them, 1,060 links making up 88%, were functional and redirected to sites that had previously been marked as spam by Cloudmark, the majority of them Russian domains.
“The t.co link redirects to a URL on a compromised domain, and that in turn uses a REFRESH meta tag to redirect to the spam landing page. This dual layer of redirection seems to be fooling Twitter. Compromised domains generally have good reputation and legitimate content on other links, so they are less likely to be blocked outright, but the spammer can use multiple malicious URLs on each one to redirect to his ultimate landing page,” stated Conway in a blog post.
All of this makes the malicious campaign somewhat harder to discover, and it is much harder to interrupt its activity by blacklisting the t.co links that take users to the destinations selling phony products.
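As an added illustration (not code from Cloudmark or from the article), the following Python resolver follows both HTTP redirects and REFRESH meta tags, so a defender checking reputation sees the final landing page behind a short link rather than only the first hop; the `fetch` callback, domain names and HTML are constructed stand-ins.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class _MetaRefreshParser(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> tag."""

    def __init__(self):
        super().__init__()
        self.target = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.target is not None:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").lower() != "refresh":
            return
        # content looks like "0; url=http://host/path" (delay; url=target)
        m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1)


def meta_refresh_target(html, base_url):
    """Return the absolute URL a META REFRESH would load, or None."""
    p = _MetaRefreshParser()
    p.feed(html)
    return urljoin(base_url, p.target) if p.target else None


def resolve_chain(url, fetch, max_hops=10):
    """Follow HTTP 3xx and META REFRESH hops; fetch(url) -> (status, location, body)."""
    chain = [url]
    for _ in range(max_hops):
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            nxt = urljoin(url, location)
        else:
            nxt = meta_refresh_target(body or "", url)
        if not nxt or nxt in chain:  # end of chain or redirect loop
            break
        chain.append(nxt)
        url = nxt
    return chain


# Constructed sample mirroring the pattern: short link -> compromised site -> META REFRESH -> landing page
SAMPLE_SITE = {
    "https://short.example/abc": (301, "http://compromised.example/blog/post.html", ""),
    "http://compromised.example/blog/post.html": (200, None,
        '<html><head><meta http-equiv="refresh" content="0; url=http://landing.example/buy"></head></html>'),
    "http://landing.example/buy": (200, None, "<html><body>landing</body></html>"),
}


def fake_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs return 404."""
    return SAMPLE_SITE.get(url, (404, None, ""))
```

Reputation checks should be applied to every hop in the returned chain, since the compromised intermediate domain may look clean while the final landing page is the known spam site.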