Microsoft’s SkyDrive beta abused by spammers.
Tuesday January 8, 2008 at 8:27 am CST
Posted by Chris Barton, Research Scientist and Artemis Geek
“If its free and worth abusing, discovery time is the variable these days.”
(Or rather… spammers are the bane of free services…)
Our labs trapped many thousands of spam overnight that are abusing the Windows Live SkyDrive Beta service launched in August last year (or rather it’s the new name for Windows Live Folders…). The service allows you to upload up to 1Gb of files and share them with anyone via weblinks. The trapped pill spam promises the usual assurances:
We sell only fda prescription medicine through our fully licensed
pharmacy. orders are overseen by licensed accredited physicians.http://hostname.bay.livefilestore.com/..Long-url…/adv-filename.html
{english textual bayes poison}
The payload is an html file with just one line of HTML at the moment, that redirects your browser to the current incarnation of spammers pill-serv:
<html><body><script language=JavaScript>window.location.replace(
"http://top10epharms.com")</script></body></html>
We’d expect this to change to obscured script or meta redirection in the not to distant future.
It’s not just spam either, the technique has also been spotted in the labs on blogspot splogs too.
So what makes services like these worth abusing and attractive to spammers?
- Unique urls
- Domains relatively safe from blacklisting
- Link longevity
- abuse handling issues
- Features – host *almost anything*
- Great Price
- Someone else pays the hosting costs
It’s a great value proposition for abuse isn’t it? Well not really, it the same proposition as just about ever other file sharing service out there, this one just got hit, big, suddenly. Another interesting point is the number of times we trapped each url was interestingly low for such a big campaign, I’d therefore estimate they had tens of thousands of files uploaded. We’ve seen a few small scale spam using SkyDrive service dating back to November last year but were on an much smaller scale to last nights campaign. I’m sure it won’t be too long before it’s used to host other unwelcome content types I’d like to see more of these online file storage offerings malware scanning downloads too.
They have a pretty good terms of service document that this spammer is clearly in breach of. I will be honest and say that I am not going to fill out an online abuse form for every individual url though! SkyDrive folks – feel free to get in touch if you’ve not had enough reports 
If you try SkyDrive be sure to leave feedback and suggestions here and here, it looks very neat so far.
November 22nd, 2008 at 00:02
[...] McAfee(1 月),英国安全公司 Marshal(10 月)也都曾提到过这个问题。Cox [...]
November 22nd, 2008 at 00:34
[...] with spam hosted on SkyDrive accounts recently as well, according to Kreb. In January, McAfee wrote about it in a blog post of their own, and last month UK security firm Marshal posted as [...]
November 22nd, 2008 at 12:24
[...] Labs has been warning about this since january. The provide a list of features that make this service so attractive to [...]
November 23rd, 2008 at 03:50
[...] McAfee(1 月),英国安全公司 Marshal(10 月)也都曾提到过这个问题。Cox [...]
November 25th, 2008 at 21:53
[...] McAfee(1 月),英国安全公司 Marshal(10 月)也都曾提到过这个问题。Cox [...]
January 7th, 2009 at 09:47
[...] A year ago I blogged about MSN Spaces beta with a very similar issue… I even spoke to some very nice folks there about it, and a year on it’s still being abused by spammers [ spamhaus awared ]. I trust Google would like to appear less evil and will take more decisive action. I’d suggest mashing code and safebrowsing together but it appears not to find anything wrong with the crackable links, though it did catch on after some redirection took place. [...]
October 17th, 2009 at 20:35
[...] McAfee(1 月),英国安全公司 Marshal(10 月)也都曾提到过这个问题。Cox [...]