date 2004-10-20

Spammers are using a new technique of generating URLs to evade detection by humans and spam filters alike.

The technique consists of adding random, unused text to shortened links to disguise them as full-length URLs and bypass the scrutiny of email gateways.

[...] A URL or URI consists of multiple parts, some of which are optional. This structure is specified by the IETF standard RFC 3986.

[...] A URL or an IP address can be represented in different ways. Attackers are abusing these variations in IP/URL formats allowed by the IETF's specifications to cause "semantic attacks."

The URL syntax allows for another part called the "authority." This part can carry "userinfo", such as a username, placed within the URL between the protocol (scheme) and the host.

For example, this could look like https://ax@bleepingcomputer.com/tag/security

But because "userinfo" is rarely used, especially with HTTP(S) URLs, it is often ignored by the server, and navigating to the URL above would still lead you to https://www.bleepingcomputer.com/tag/security/.

[...] In the case of this particular spam campaign, the destinations it connects to are all known websites, such as the j.mp URL shortener service, Pastebin.com, etc.

But the structure of the hardcoded URLs includes a gibberish "userinfo" part right before the domain name, to give the impression that these are different URLs.

So, for example, if an enterprise security product was previously blocking the malicious link https://j[.]mp/kassaasdskdd, it isn't clear whether the product would also interpret something like https://nonsensical-text@j[.]mp/kassaasdskdd the same way and block it too.
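An added example (not from the article or from Trustwave's report) of how a filter can neutralize this trick: strip the userinfo subcomponent and normalize the URL per RFC 3986 before comparing it with a blocklist, and flag any HTTP(S) URL that carries userinfo at all. The j[.]mp link is the one quoted above; the blocklist set and the function names are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed blocklist entry: the defanged j[.]mp link quoted in the article.
BLOCKED_URLS = {"https://j[.]mp/kassaasdskdd"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def refang(url: str) -> str:
    """Undo the common '[.]' defanging used when indicators are shared."""
    return url.strip().replace("[.]", ".")


def has_userinfo(url: str) -> bool:
    """True if the authority carries a userinfo subcomponent ('...@host').

    Userinfo is almost never legitimate in HTTP(S) links, so its mere
    presence is a useful detection signal on its own.
    """
    return "@" in urlsplit(refang(url)).netloc


def canonicalize(url: str) -> str:
    """Normalize a URL per RFC 3986 before comparing it with a blocklist.

    Drops userinfo, lowercases scheme and host, removes a default port,
    turns an empty path into '/', and discards the fragment. Assumes a
    hostname or IPv4 host (IPv6 brackets are not re-added).
    """
    parts = urlsplit(refang(url))
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        port = None
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    path = parts.path or "/"
    return urlunsplit((scheme, host, path, parts.query, ""))


def is_blocked(url: str, blocklist=BLOCKED_URLS) -> bool:
    """Match on the canonical form, so userinfo padding cannot evade it."""
    canonical_blocklist = {canonicalize(b) for b in blocklist}
    return canonicalize(url) in canonical_blocklist
```

With this, `is_blocked("https://nonsensical-text@j[.]mp/kassaasdskdd")` is true because both URLs canonicalize to `https://j.mp/kassaasdskdd`, and `has_userinfo` flags the padded link on its own.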

[...] A list of Indicators of Compromise (IOCs) and Trustwave's detailed findings are provided on their blog.