Tag Archives: casino spam

Google Translate used by spammers to bypass Anti-Spam filters

Google Translate is a free service created by Google that translates any web page, content or document from native language to a language specified by the user that is using the service. We have noticed that some spam messages contain links to websites that use the service Google Translate to translate their page content, but those links are used to promote fraudulent pharmaceutical products, and they seem to use Google Translate to masquerade the malicious website.

In short, when you translate an URL with Google Translate, it appends the URL of the web page in the HTTP query string, but the initial domain name remains translate.googleusercontent.com, so the anti-spam filters may be bypassed because the URL of Google Translate is classified as legitimate.

To get a better idea about what I am talking about, check this image:

translate-google-used-for-spam

We have extracted some URLs from the spam messages and they are all subdomains of yolasite(dot)com, they are used to promote selling of fake pharmaceutical products and subscriptions to fraudulent casino websites:

hxxp:// myonlinestore1. yolasite.com/shop
hxxp:// onlineshop63. yolasite.com/shop
hxxp:// onlinecasino27. yolasite.com/casino2

Never click on links that start with the domain “translate.googleusercontent.com”, because they may use Google Translate to translate a malicious website and exploit vulnerabilities in your web browser or other applications installed in your system (such as Adobe Flash, PDF Readers, Java) to infect your PC.

If you want to translate a website, you should visit directly with your browser the website of Google Translate and type the URL that you want to translate. Avoid clicking on links related to Google Translate, present in emails or in other unknown websites.

Migre.me Widely Used in Recent Spam Campaigns

We have noticed in recent spam campaigns that the spammers are using the shorten URL service at Migre.me to spread pharmacy links, casino and watches links and other scam-links hidden behind the shortened URL and probably bypassing some anti-spam filters.

Spam message

Note at the bottom of the image above the link to a shortened URL from migre.me service. Using our free tool Extract URL is possible to know where is pointing the shortened URL, as we can see from the image below:

Migre.me URL Extracted

The link extracted, points to a website that looks like to be used to sell fake watches, fake rolex and other false or non existent stuff, definitely a scam site. We tried to visit the website and this is an image of its main homepage:

Watches Scam Website

Using our other free tool URL Dump we could easily understand that it is a scam website that is used to sell fake rolex and fake watches, by searching interesting text on the dumped content, as seen in the image below:

URL Dump in Action

Domain & IP Analysis

daychain .com121.127.133.14