A few weeks after our blog post about porn and secret admirer spam targeting Snapchat users, a new spam campaign using sexually suggestive photos and compromised custom URLs is circulating on the photo messaging app.
Figure 1. Snapchat spam
Each of these spam messages includes a request to “Add my kik”, along with a specially crafted user name on the Kik instant messaging application for mobile devices.
Figure 2. Snapchat with a digital camera? It’s a trap!
After engaging these spam bots on Kik Messenger, this spam campaign is using a type of spam chat bot-script we discovered on Tinder last summer.
Figure 3. Spam bot using a familiar chat script on Kik
An interesting discovery from this campaign is the use of compromised custom URLs belonging to small websites and popular brands. Spammers have found a way to create their own links using branded short domains in order to entice users into a false sense of security.
Figure 4. Well-known branded short domain directs users to spam
The following are some of the compromised branded short domains we identified:
- usat.ly (USA Today)
- cbsloc.al (CBS Local)
- on.natgeo.com (National Geographic)
- nyp.st (New York Post)
- on.mktw.net (Marketwatch)
- mirr.im (Daily Mirror)
- red.ht (Red Hat)
- invstplc.com (Investorplace)
- mitne.ws (MIT News)
Figure 5. Stats page for compromised short URL
Hidden behind the branded customized URLs are affiliate marketing links directing users to sign-up for adult webcam sites.
Symantec has been working closely with Bitly to investigate and shut down any spammer use of branded short URLs. Bitly has confirmed that some spammers obtained Bitly API keys belonging to various brands. Some of the brands affected used the AddThis social bookmarking service who recently stopped requiring users to reveal their API key in plain text as part of the AddThis website embed code.
Figure 6. Note from AddThis support page regarding API key safety
Public exposure of API keys gives anybody the ability to compromise accounts and, in this case, create short URLs using other people’s domains.
Users of the AddThis service should refer to this support article on how to secure API keys. Bitly javascript:void(0);users should follow Bitly API best practices to ensure the security of API keys.
The recent spam campaign targeting Snapchat users should not be surprising. Scammers and spammers will always target new and popular apps—like Snapchat—as soon as they gain a large enough user base. To prevent spam snaps from appearing in your Snapchat feed, Symantec recommends users change their Snapchat privacy settings to receive snaps from “My Friends” only and use caution when receiving unsolicited messages or friend requests.