A sample of a spam message making the rounds demonstrated how someone used a Google URL, with advanced search operators, to send people to a fake retail site. It could be much worse.
We saw the effect of a spam detected by Symantec, where a link in the junk message resolved properly to Google. The spam link used advanced Google search operators to run an “I’m Feeling Lucky” query on Google.
The spammers crafted the link, its operators, and the destination site in such a way that the link would automatically go to the site. To the observer looking at the link, it appears to be a typical Google search with some extra query language related to the spam’s topic included.
That destination site had been registered at the beginning of October, with contact details that look phony. We’ll be surprised if orders placed through the site do more than grab some cash from the payment method before it vanishes from the web.
After we noted this story earlier, David Cawley of MailChannels dropped a note in the inbox. He pointed out how this misuse of Google’s advanced search and the “I’m Feeling Lucky” feature could have been much worse:
The issue is actually more serious than a typical spam redirect. For example, I could craft (a) URL to point to an attachment instead of a website.
Since many Windows users have their PCs configured to automatically open PDF attachments, it’s possible that it may have opened as soon as you click the link.
Cawley’s link did just what he said it would, triggering the launch of Adobe Reader and the opening of the destination PDF. His sample was a benign link to a whitepaper. A malicious link could deliver all kinds of nastiness to an unprotected machine.
Earlier today, we suggested Google may want to revisit their past consideration of doing away with the “I’m Feeling Lucky” link. It’s unique to Google among the major search engines. The feature’s luck may have run out now.
