
Ask HN: What does a spammer stand to gain by redirecting me to google.com? - frompdx
Recently I have started receiving a lot of spam text messages. Each message is similar. Each one is addressed to someone who isn't me.

_"Dr Oz called this the most potent erection pill. <not my name>., last up to 3 hours with no side effects" <link to spam site>_

-- or --

_Thank you Oprah for your appraisal: because of that we're opening a FREE sample programme for EVERYONE! <not my name>., lose 20 lbs:_

At first I tried to ignore the text messages. However, I have been getting one every other day and it is starting to get old. So, I decided to do some investigating.

I hit a few of the links in the text messages with curl and to my surprise, each link redirects to https://www.google.com.

  curl -v <some-site>.com/<random-characters>
  *   Trying <ip-address>...
  * TCP_NODELAY set
  * Connected to npit9.com (<ip-address>) port 80 (#0)
  > GET /zFYFoXfVF8 HTTP/1.1
  > Host: npit9.com
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 302 Found
  < Server: nginx/1.6.2
  < Date: Sat, 18 Jul 2020 20:19:25 GMT
  < Transfer-Encoding: chunked
  < Connection: keep-alive
  < Location: https://www.google.com
  <
  * Connection #0 to host <some-site>.com left intact

Here is what I know:

1. Every message has a different link that is a six letter domain and the path is a series of random characters and each is addressed to a person that isn't me.

2. Every URL is registered by namecheap.com.

3. Every URL points to the same IP address.

4. Every link redirects to https://www.google.com

What can a spammer possibly gain from this?
======
uberman
They have now verified that your specific phone number will click clearly
suspicious links. I would hazard that you're going to be put into the phase 2
sucker category now as a result.

Why are the links so clearly suspicious you ask?

It is part of the scam. It weeds out those who are unlikely to be scammed
early in the pipeline so that scammers don't waste resources on people who
will not be duped.

Why redirect to google? They already have everything they need from you
including a hash that points back to your phone number indicating what one of
their various scams they got you to bite on. There is no longer any reason for
them to keep your focus on their data collection site and immediately send you
someplace benign. Google seems as good a choice as any.

~~~
frompdx
If this is true, what can anyone really do about this type of text message
spam? Blocking the numbers the messages come from is no good since each message
comes from a separate number.

 _I would hazard that you're going to be put into the phase 2 sucker category
now as a result._

What happens in phase 2? A more targeted attack? Something intended to short
circuit someone's ability to think rationally? For example, _instead of
something mundane like lose 20 pounds!_ It will be something like _You must
follow this link and log into your account in 24 hours or you will not be able
to access it again._

Edit: I suppose one option to stop seeing spam text messages is to whitelist.
If you are using iOS this can be done through do not disturb settings and
screen time settings.

~~~
lelanthran
> If this is true, what can anyone really do about this type of text message
> spam?

Reply to it all. If everyone took 2m a day to string along spammers we
wouldn't have any spam (or scams).

The reason spam/scams work is because only people gullible enough to get
scammed respond, so the sender of the spam (and scam) can send out 5m emails,
knowing that if only 5 come back, those 5 are good for money.

If everyone responds, then each scammer/spammer will get 5m responses, and
they wouldn't be able to pick out the 5 that will give them money.

~~~
frompdx
Now this is an interesting take. I could be misremembering which documentary I
saw this in, but if my recollection is correct, the documentary _Maxed Out_
proposed that if everyone returned credit applications sent by mail to sender,
the economics of credit applications would be much less feasible because they
would pay the return rates. This was in 2006.
[https://en.wikipedia.org/wiki/Maxed_Out](https://en.wikipedia.org/wiki/Maxed_Out)

------
fsistemas
This kind of website detects whether or not you are using a mobile device. They
can show the spammer website if you are on a phone, or a different website
(like Google) when you're not using a mobile device.

~~~
frompdx
That's interesting. Forgive my naivety, but what is the value in knowing
whether or not I am on a mobile device?

~~~
Nextgrid
To foil potential investigation attempts. You only serve the malicious payload
to the intended targets, and everyone else gets something innocent-looking.

In your case, Curl is sending its own user-agent, so not only did you most
likely trigger the evasive payload but you also let them know someone is
looking too closely at this if they were to check the logs.

Next time, try hitting it by setting the user-agent of the intended device.
It's not foolproof either (unlike Curl, a typical browser would load images
and run Javascript so they can detect it that way) but should be enough for
most purposes (they are not trying _too hard_ to hide their tracks, user-agent
filtering is very easy to implement so they do it, but anything else is likely
too much effort for them to bother).
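One way to run the check Nextgrid describes, as an added example that is not code from anyone in this thread: request the link once per User-Agent with redirects disabled and flag it when the answers differ. The URL, the UA strings and the canned offline responses in the demo are constructed placeholders.

```python
"""Check a suspicious link for User-Agent cloaking: fetch it once per UA,
never following redirects, and compare the (status, Location) answers."""
import urllib.request
import urllib.error

# Constructed UA strings: curl's own, and an approximation of iPhone Safari.
USER_AGENTS = {
    "curl": "curl/7.54.0",
    "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 "
               "Mobile/15E148 Safari/604.1"),
}

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib hand back the 3xx itself instead of following Location."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_fetch(url, user_agent, timeout=10):
    """One GET with the given UA; returns (status, Location header or None)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx all land here
        return err.code, err.headers.get("Location")

def probe(url, user_agents=USER_AGENTS, fetch=live_fetch):
    """Fetch url once per UA; flag cloaking when the answers are not all equal."""
    responses = {name: fetch(url, ua) for name, ua in user_agents.items()}
    return {"responses": responses,
            "cloaking_suspected": len(set(responses.values())) > 1}

def canned_fetch(url, user_agent):
    """Constructed stand-in for live_fetch so the demo runs offline:
    non-browser clients get the benign redirect, phones get a real page."""
    if user_agent.startswith("curl"):
        return 302, "https://www.google.com"
    return 200, None

if __name__ == "__main__":
    # Placeholder URL shaped like the ones in the thread; not a real host.
    verdict = probe("http://some-site.example/zFYFoXfVF8", fetch=canned_fetch)
    for name, (status, location) in verdict["responses"].items():
        print(f"{name:7s} -> {status} {location or ''}")
    print("cloaking suspected:", verdict["cloaking_suspected"])
```

Swap `canned_fetch` for the default `live_fetch` to probe a real link; a server that answers every UA the same way yields `cloaking_suspected: False`.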

