Ask HN: What does a spammer stand to gain by redirecting me to google.com?
4 points by frompdx on July 18, 2020 | 7 comments
Recently I have started receiving a lot of spam text messages. Each message is similar. Each one is addressed to someone who isn't me.

"Dr Oz called this the most potent erection pill. <not my name>., last up to 3 hours with no side effects" <link to spam site>

-- or --

Thank you Oprah for your appraisal: because of that we're opening a FREE sample programme for EVERYONE! <not my name>., lose 20 lbs:

At first I tried to ignore the text messages. However, I have been getting one every other day and it is starting to get old. So, I decided to do some investigating.

I hit a few of the links in the text messages with curl and to my surprise, each link redirects to https://www.google.com.

  curl -v  <some-site>.com/<random-characters>
  *   Trying <ip-address>...
  * TCP_NODELAY set
  * Connected to npit9.com (<ip-address>) port 80 (#0)
  > GET /zFYFoXfVF8 HTTP/1.1
  > Host: npit9.com
  > User-Agent: curl/7.54.0
  > Accept: */*
  >
  < HTTP/1.1 302 Found
  < Server: nginx/1.6.2
  < Date: Sat, 18 Jul 2020 20:19:25 GMT
  < Transfer-Encoding: chunked
  < Connection: keep-alive
  < Location: https://www.google.com
  <
  * Connection #0 to host <some-site>.com left intact
Here is what I know:

1. Every message has a different link: a six-letter domain with a path of random characters. Each message is addressed to a person who isn't me.

2. Every URL is registered by namecheap.com.

3. Every URL points to the same IP address.

4. Every link redirects to https://www.google.com

What can a spammer possibly gain from this?




They have now verified that your specific phone number will click clearly suspicious links. I would hazard that you're going to be put into the phase 2 sucker category now as a result.

Why are the links so clearly suspicious you ask?

It is part of the scam. It weeds out those who are unlikely to be scammed early in the pipeline so that scammers don't waste resources on people who will not be duped.

Why redirect to google? They already have everything they need from you, including a hash that points back to your phone number indicating which one of their various scams they got you to bite on. There is no longer any reason for them to keep your focus on their data collection site, so they immediately send you someplace benign. Google seems as good a choice as any.


If this is true, what can anyone really do about this type of text message spam? Blocking the numbers the messages come from is no good since each message comes from a separate number.

> I would hazard that you're going to be put into the phase 2 sucker category now as a result.

What happens in phase 2? A more targeted attack? Something intended to short circuit someone's ability to think rationally? For example, instead of something mundane like "lose 20 pounds!" it will be something like "You must follow this link and log into your account in 24 hours or you will not be able to access it again."

Edit: I suppose one option to stop seeing spam text messages is to whitelist. If you are using iOS this can be done through do not disturb settings and screen time settings.


> If this is true, what can anyone really do about this type of text message spam?

Reply to it all. If everyone took 2m a day to string along spammers we wouldn't have any spam (or scams).

The reason spam/scams work is because only people gullible enough to get scammed respond, so the sender of the spam (and scam) can send out 5m emails, knowing that if only 5 come back, those 5 are good for money.

If everyone responds, then each scammer/spammer will get 5m responses, and they wouldn't be able to pick out the 5 that will give them money.


Now this is an interesting take. I could be misremembering which documentary I saw this in, but if my recollection is correct, the documentary Maxed Out proposed that if everyone returned credit applications sent by mail to sender, the economics of credit applications would be much less feasible because they would pay the return rates. This was in 2006. https://en.wikipedia.org/wiki/Maxed_Out


This kind of website detects whether or not you are using a mobile device. They can show the spammer website if you are on a phone, or a different website (like Google) when you're not using a mobile device.


That's interesting. Forgive my naivety, but what is the value in knowing whether or not I am on a mobile device?


To foil potential investigation attempts. You only serve the malicious payload to the intended targets, and everyone else gets something innocent-looking.

In your case, curl is sending its own user-agent, so not only did you most likely trigger the evasive payload, but you also let them know someone is looking too closely at this if they were to check the logs.

Next time, try hitting it by setting the user-agent of the intended device. It's not foolproof either (unlike Curl, a typical browser would load images and run Javascript so they can detect it that way) but should be enough for most purposes (they are not trying too hard to hide their tracks, user-agent filtering is very easy to implement so they do it, but anything else is likely too much effort for them to bother).
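As an added example (not code from the original post or from any of the commenters), here is a small Python model of the two mechanisms discussed in this thread: the per-recipient path token that an operator would log against whoever fetched it, and the User-Agent cloaking this reply describes. It stands up a hypothetical redirector on loopback that records the token together with the client's User-Agent and sends non-mobile clients to https://www.google.com, then probes it the way the reply suggests: with a chosen User-Agent, without following redirects, and without loading images or scripts, so the Location header returned to curl can be compared with the one returned to a phone. The mobile markers, the lure URL lure.example, the User-Agent strings and the logged "hits" list are constructed assumptions for illustration only.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed illustration of the behaviour discussed in the thread: a
# redirector that keys on the path token and the User-Agent. Targets,
# markers and tokens below are assumptions, not data from the real site.
BENIGN_TARGET = "https://www.google.com"
LURE_TARGET = "https://lure.example/offer"      # hypothetical lure page
MOBILE_MARKERS = ("iPhone", "Android", "Mobile")


def choose_target(user_agent):
    """Cloaking policy: mobile-looking clients get the lure, all others
    (curl, crawlers, anyone investigating) get something benign."""
    if any(marker in user_agent for marker in MOBILE_MARKERS):
        return LURE_TARGET
    return BENIGN_TARGET


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    # What the operator would keep: which token (i.e. which recipient)
    # fetched the link, and with what client. Shared across requests.
    hits = []

    def do_GET(self):
        token = self.path.lstrip("/")
        ua = self.headers.get("User-Agent", "")
        CloakingHandler.hits.append((token, ua))
        self.send_response(302)
        self.send_header("Location", choose_target(ua))
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so the probe sees the Location header itself."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, user_agent):
    """Fetch url once with the given User-Agent; return (status, Location).
    Redirects are not followed; images and scripts are never loaded."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, urllib surfaces a 3xx as HTTPError.
        return err.code, err.headers.get("Location")


def compare_user_agents(url, user_agents):
    """Probe url once per User-Agent and return {label: (status, Location)}.
    Differing Location values across labels are the sign of cloaking."""
    return {label: probe(url, ua) for label, ua in user_agents.items()}


def run_demo():
    """Start the hypothetical redirector on loopback and probe it twice."""
    CloakingHandler.hits.clear()
    with socketserver.TCPServer(("127.0.0.1", 0), CloakingHandler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            url = f"http://127.0.0.1:{port}/zFYFoXfVF8"   # token from the post
            results = compare_user_agents(url, {
                "curl": "curl/7.54.0",
                "iphone": ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_5 like Mac OS X) "
                           "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                           "Version/13.1.1 Mobile/15E148 Safari/604.1"),
            })
        finally:
            srv.shutdown()
    return results, list(CloakingHandler.hits)


if __name__ == "__main__":
    results, hits = run_demo()
    for label, (status, location) in results.items():
        print(f"{label:7s} -> {status} {location}")
    print("operator log:", hits)
```

Running it shows the curl probe receiving a 302 to https://www.google.com while the iPhone probe receives a 302 to the lure, and the operator's log holding the token paired with each User-Agent. The same probe function can be pointed at a real link with the User-Agent of the intended device; the point of disabling redirects is that the interesting evidence is the Location header, not whatever page it eventually lands on.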



