Application security, Incident Response, Malware, TDR, Vulnerability Management

Spammers use bots to create fake Google Blogger sites

Spammers have developed automated techniques to create fake pages on Google's Blogger service, according to a researcher at security vendor Websense.


The attack on Google's Blogger – following in the wake of similar exploits on other online services -- points out the growing ineffectiveness of systems designed to stop mass registration of online accounts, the researcher asserts.

"Spammers have managed to create automated bots that are capable of not only signing up and creating Blogger accounts (using spammer account credentials), but also to use these accounts as re-directors [sic] and doorway pages for advertising their products and services," Websense security researcher Sumeet Prasad wrote in a blog post available here.

In their attacks, the culprits are sending specially programmed code to PCs that are members of their botnets, Prasad said. The instructions tell the PCs in the botnet how to register a free account on Blogger and how to bypass Google's CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) system. This is the skewed text users must interpret to finish registering for an account.

The zombie PC sends a request to another computer, which attempts to read the CAPTCHA puzzle, and then sends an answer to the PC. Websense estimates the spammers are successful in eight to 13 percent of their attempts at signing up for a new Blogger account.

Websense didn't try to explain how the spammers are solving the CAPTCHA puzzle. Spammers have solved similar anti-CAPTCHA schemes for Microsoft's Live Mail and Live Hotmail systems and Google's Gmail system, Prasad wrote.

The spammers use their Blogger pages to hype typical spammer merchandise. Many of the sites also include JavaScript code that redirects the victim's browser to another spammer website.

Google has said it closes any accounts being used to distribute spam.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds