February 12, 2011

Late this week, I heard from several anti-spam activists who alerted me to a nice reminder that spammers don’t always win: Spammers have been promoting their rogue pharmacy sites via images uploaded to free image hosting service imageshack.us. In response, the company appears to have simply replaced those images with the following subtle warning:

The spammers' images were replaced with scam warnings like this one.

Imageshack did not respond to a request for comment sent Thursday.

Update, Feb. 13, 3:20 a.m. ET: I heard from Imageshack co-founder Alexander Levin, who said the image swaps aren’t automated. “We need a source to provide us with image links to replace. Thankfully, we found one using a honey pot,” Levin wrote in an e-mail. “With some rudimentary analysis we were able to find over 300 images uploaded to our services in this way, and were able to replace them with this image within an hour of them being reported.”

23 thoughts on “Imageshack Swaps Spam Pages for Scam Alerts

  1. brucerealtor

    I also checked out a number of rogue pharmacy ads on line and noticed that a majority of what I pulled up wanted upwards of a $30 MONTHLY fee, just for the privilege of getting forwarded to an alleged pharmacy somewhere. This was a recurring fee, apparently whether you use them or not.

    One pharmacy only took CHECKS, not credit cards and when e-mailed them suggesting that I was only willing to use a card due to protection afforded those who use cards, I never heard back.

    The item being searched or was Adderal.

  2. Chris L

    If this is indeed true, that is great news indeed. However, at time of writing this neither of those links are working for me.

    Perhaps they just got too much traffic and got shutdown. I don’t know. All I know is if this WAS in fact Imageshack they should’ve linked to pages hosted on their own domain for authenticity.

    In the other case, where Imageshack did not make these images, someone else may have posted these images to deliberately mislead the unsuspecting. In which case they likely only appear to warn the user of a scam to gain their trust so that they can scam them.

    Frankly, for a site as large as Imageshack the image design and quality also seems fairly skeptical. The poor overall image quality coupled with the URL shortening links raise a lot of red flags for me.

    1. Brian Fiori (AKA The Dean)

      The links in the image now work fine and connect to different pages of Spamtrackers.eu

    2. qka

      That’s the problem with these URL shortening / redirecting services – you don’t know where they are really sending you to.

      As a matter of security, I generally avoid following such links, unless i REALLY trust the supplier.

      (Mr. Krebs – you are on that trusted list.) 🙂

  3. AlphaCentauri

    There is more information about the Imageshack image substitution in this thread:

    The full history of the Imageshack anti-spam campaign is on a members-only thread on InboxRevenge forum. What happened was that spammers were previously doing the same thing on a massive scale. Imageshack, like other image hosting services, was just removing each image as a complaint came in. One of the members of IBR developed a working relationship to provide them spammed URLs, then helped develop the alternative image. That stopped the spam campaign immediately. The bit.ly links were chosen so no one got the mistaken impression that Spamtrackers.eu was responsible for the spam campaign, and they lead to the articles regarding the spammers who were conducting the previous campaign.

    But now, some clueless newbie spammer seems to have tried his own luck using Imageshack, and it triggered the automatic image substitution to start again. His spams link via a site that claims to be a URL shortening service that I’ve never heard of, and the links are dead. I don’t know if that image shortening service acts on spam complaints, or if the spammer removed the links himself out of embarrassment. So far I have been unable to find any live ones to let me know which spammer is responsible for this complete Fail.

    1. AlphaCentauri

      Follow up information: the owner of the URL shortening service posted to his twitter account complaining about having to remove 25K posts from Russian spammers.

  4. Jim

    heh.. subtle.. like a brick to the head.. then again, it’s still not enough to keep ‘the curious’ from clicking..

  5. Iyeman

    Yeah by the time It was all done I had deleted over 26000 shortened url’s from my DB, learned a little about SQL searching during the deletion process lol. And I have disabled the public interface, to prevent future problems.

  6. David S

    Good attempt, but ultimately this will lead to more “hardened” image hosting. Having seen (and done) a similar technique years ago to fight phishing, the lesson learned was that the bad guys just shift the images to a more secure location. Leaving the images where they are, tagging and tracking their usage can also be effective.

    1. Russ

      This approach is wise. Making the spammers develop new techniques and rework their own workflows stops low-level shmucks from jumping into the game. There is unlikely to ever be a purely technical solution to the spam problem. But if these guys’ profit margins are negatively impacted enough, they will lose their motivation to stay in business. Look at what happened when Spamit got shutdown, for example.

  7. JS

    Brian — imageshack.us — I think that the proper link citation for Levin’s company 1)

    Why not just enforce/update the ToS which ought to be in place anyhow.

    I’d like to see “Circumventing ImageShack’s ability to enforce the ImageShack Terms of Service will result in prosecution. section 2 ” TOS 2) actually brought to bear in this situation. It seems this is what was intended because of the honeypot mitm bot upload service.

    As for having to be given a “source” for where all these are being linked from; it seems they as good Netizens, imageshack.us should have already instituted a form of internal flagging on linked images against sites already listed in known spammer/malware lists IE blackhole email lists, web filter lists, etc.

    As spammers/malware/phishing sites deploy tools to automate propagation so should image servers automate against such abuse.

    Lastly are they investigating their torrent service; tor.imageshack.us for similar abuse?

    spammers could perpetually ship around an entire pillscam site using torrent.

    1) http://en.wikipedia.org/wiki/ImageShack
    2) http://imageshack.us/content.php?page=rules

    1. AlphaCentauri

      The images on ImageShack’s site weren’t linked to anything; it was all within the spam email. This was what the source code of the emails looked like (spaces added to break links):

      Click here!

      Someone opening the spam email (in an html enabled email client that permitted images to load) would see whatever the original spam image was. Once the substitution was made by ImageShack, they would see the alternate image warning what would happen if they chose to click.

      ImageShack would only see a lot of people downloading those images but would have no way of knowing what the images were linking to without receiving a copy of the actual spam.

        1. Russ

          Well played, Brian Krebs, well played. Nobody is sneaking nasty code onto your website, are they? Perhaps HBGary could use your services. They could change their name to BKGary.

  8. T.Anne

    I don’t see this being the end all be all fix – but I think it’s a great step… one more layer of defense.

    1. AlphaCentauri

      It’s worth more than just the one-time interruption in spam link click-through. Spammers rely on recipients’ ignorance to make money. Most of the people who give them credit card numbers think they’re real pharmacies in Canada selling drugs good enough for Canadians. If they knew the truth, very few would hand over a credit card number. Spammers will generally avoid doing things that increase the chance of potential customers being clued in. That’s why this guy is such a laugh — he’s still doing it, and he hasn’t noticed all the publicity he’s generating.

      I still haven’t found an image that ImageShack hasn’t gotten to first. But the latest spam redirected to “EuroSoftwares” at softwarebuyshop-2.ru/?noiknpyt before the new URL shortening service deleted his links, too. (It’s typical for mailers to send spam for multiple brands and even multiple affiliate programs.) The image isn’t entirely appropriate to software piracy sites, but it will probably at least make people do some research before they spend money to download trojan infected programs onto their computers.

  9. Scamdex

    It’s great to see ‘free’ web app providers taking responsibility – they’re the spam/scammer’s toolkit and as such owe a duty of care to the rest of the Internet. Whether it’s free image hosting, free email accounts or even chatrooms, the (‘free’) industry has been pretty poor in taking responsibility for the massive scam/spam industry that uses them to bilk people of $billion$ every year.

  10. Not SA

    Did Mr. Levin mention that he’s a furry who posted as “Macbeth” on somethingawful.com? After he was banned, the SA moderators dangled the possibility of getting unbanned in front of him if he’d turn over the IP addresses of users posting Imageshack hosted pictures on an anti-SA site. He broke his own site’s Terms of Service in hopes of getting unbanned from a message board. Instead, he ended up on digg.com


    1. BrianKrebs Post author

      That’s strange: When I try to visit the blog entry linked in that Digg posting, it not longer exists. What gives?

Comments are closed.