How Many Exclusive Offers Does One Person Need?

July 16, 2013 - By Chris Larsen

I've always had a weakness for the kooky domain names that some Bad Guys register.

Today while I was browsing through some of our spam logs, I found a batch that I had to share. (Actually, several batches...)

These domain names were interesting not just because of the "exclusive offers today" cluster they formed, but because the second one was misspelled:

twentyoneexclusiveofferstoday.pw
twenetyeaightexclusiveofferstoday.pw
thirtyexclusiveofferstoday.pw
twentytwoexclusiveofferstoday.pw
nineteenexclusiveofferstoday.pw
twentysixexclusiveofferstoday.pw

Each of these domains was in use for about four hours, and most racked up over a hundred hits while they were active. (The actual total traffic levels would be higher, as these only count the Spam ratings WebPulse returned dynamically for these sites, not the ratings later served out of the database or from cache.)

Another interesting batch was the "great finds 4 u" set; here are some examples. (Again, one was misspelled. Is this deliberate, or just sloppy work?)

thridteengreatfinds4u.pw
twelvegreatfinds4u.pw
twentyfivegreatfinds4u.pw

etc.

Yet another related set was the "premium offers" group:

seventeenpremiumoffers.pw
fourteenpremiumoffers.pw

etc.

While this particular spam network favors .PW domains, as in all these examples, they do branch out into other areas. Today, for example, all of their domains are in the .ME space. And WebPulse continues to flag them as Spam as they come online.
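The clusters above share one shape: a spelled-out number, sometimes misspelled, glued to a fixed phrase. As an added example (not from the original post, and not WebPulse's logic), this sketch groups a batch of domains by that shared phrase while tolerating the misspellings and ignoring the TLD. The function names, the 0.8 similarity cutoff and the two `.example` entries are assumptions made for illustration.

```python
import difflib
from collections import defaultdict

UNITS = "one two three four five six seven eight nine".split()
TEENS = ("ten eleven twelve thirteen fourteen fifteen sixteen "
         "seventeen eighteen nineteen").split()
TENS = "twenty thirty forty fifty sixty seventy eighty ninety".split()
NUMBER_WORDS = UNITS + TEENS + TENS + [t + u for t in TENS for u in UNITS]

def candidate_stems(label, cutoff=0.8):
    """Peel every plausible (possibly misspelled) number word off the front.
    Returns {stem: evidence}, where evidence = match ratio * length of the word."""
    stems = {}
    for i in range(3, min(len(label) - 3, 16)):
        hit = difflib.get_close_matches(label[:i], NUMBER_WORDS, n=1, cutoff=cutoff)
        if hit:
            ratio = difflib.SequenceMatcher(None, hit[0], label[:i]).ratio()
            stems[label[i:]] = ratio * len(hit[0])
    return stems

def cluster_by_stem(domains, min_size=2):
    """Group domains shaped <number word><shared stem>, whatever the TLD."""
    # Assumption: each input is a registered domain, so the leftmost label is the name.
    cands = {d: candidate_stems(d.lower().split(".")[0]) for d in domains}
    score = defaultdict(float)
    for stems in cands.values():
        for stem, evidence in stems.items():
            score[stem] += evidence
    clusters = defaultdict(list)
    for d, stems in cands.items():
        if stems:  # keep the stem with the most evidence across the whole batch
            clusters[max(stems, key=score.__getitem__)].append(d)
    return {s: sorted(ds) for s, ds in clusters.items() if len(ds) >= min_size}

# Domains quoted in the post, plus two constructed entries on the reserved .example TLD.
SAMPLE = [
    "twentyoneexclusiveofferstoday.pw", "twenetyeaightexclusiveofferstoday.pw",
    "thirtyexclusiveofferstoday.pw", "twentytwoexclusiveofferstoday.pw",
    "nineteenexclusiveofferstoday.pw", "twentysixexclusiveofferstoday.pw",
    "thridteengreatfinds4u.pw", "twelvegreatfinds4u.pw", "twentyfivegreatfinds4u.pw",
    "seventeenpremiumoffers.pw", "fourteenpremiumoffers.pw",
    "fortypremiumoffers.example",   # constructed: same stem, different TLD
    "tennisclubnews.example",       # constructed: benign name that starts with "ten"
]

if __name__ == "__main__":
    for stem, members in cluster_by_stem(SAMPLE).items():
        print(stem, len(members), members)
```

The `min_size` filter is what keeps a one-off name such as the constructed `tennisclubnews.example` out of the results: a lone domain that happens to start with a number word never forms a cluster.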


Visiting some of the URLs turned up JPEG "unsubscribe" images, like these:

[Image: spam unsubscribe image]

[Image: spam unsubscribe image]

(And yes, it's interesting that the JPEGs look like they are text, and have links, but they don't, they're just images. And clicking the image didn't do anything, either. But I don't really expect spammer "unsubscribe" pages to do anything, anyway....)

--C.L.

@bc_malware_guy