I'm using a simple captcha and Akismet - it filters out pretty much all of the spam. So, these 2 comments getting through the filters really caught my attention.
How it works
Comment text is obviously generated using some sort of spam template. It consists of a greeting, a short text to entice the user to click on a link and - in the current spam wave - the question "Are you in?", followed by a link to Google Drive. So far it's all nice and dandy.
The problem starts when the user opens the Google Drive link. It opens a preview of a PDF document, something like this:
The big captcha box you see in the screenshot is not an actual captcha. The whole image is a link to the promoted site, in this case topratinglist[.]com. Considering that users are used to seeing these captchas, it's quite likely some of them will click on it. Mission accomplished!
So far, I was able to trace this sort of spam to the following sites:
Unsurprisingly, all those are shady sites run by Russians. For example, topratinglist[.]com just redirects you to a very NSFW advertisement.
PDF file contents
An ordinary user will never see the original PDF file - Google Drive's preview renders the file as HTML.
That poses quite a problem for antiviruses - they can't block the entire drive.google.com domain, and there is no point blacklisting the original PDF as the user never downloads it. Unsurprisingly, these PDFs are not on VirusTotal, and the one I uploaded was not detected by any major antivirus:
The original PDF file contains a lot of metadata that tells us more about the people behind this spam:
- They use Microsoft Word 2010
- They are Russian-speaking (surprise!)
- Their timezone is GMT+3 - another link to Russia.
- They create new PDFs only on weekdays - somewhere between 11:00 and 23:30. Those are some strange working hours!
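The observations above come straight from the PDF's Info dictionary (Creator/Producer, CreationDate with its UTC offset). The following is an added example, not code from the original post: it pulls those entries out of an uncompressed PDF with regular expressions, parses the PDF date format, and reports the tool, the UTC offset and the local weekday and time. The embedded sample PDF is constructed for the example (its values are chosen to resemble a Word 2010 file saved in GMT+3 and are not taken from any real spam file).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Info dictionary of a minimal, uncompressed PDF.
# The values mimic what the post describes (Word 2010, GMT+3); they are
# not copied from any real spam file. \256 is the PDF octal escape for the
# registered-trademark sign Word puts in "Microsoft(R) Word".
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<< /Creator (Microsoft\\256 Word 2010) /Producer (Microsoft\\256 Word 2010)
   /CreationDate (D:20181112153000+03'00') /ModDate (D:20181112153000+03'00') >>
endobj
trailer
<< /Info 1 0 R >>
%%EOF
"""

# PDF date syntax: D:YYYYMMDDHHmmSSOHH'mm'  (everything after YYYY is optional)
DATE_RE = re.compile(
    r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?([+\-Z])?(\d{2})?'?(\d{2})?"
)

def parse_pdf_date(value):
    """Parse a PDF date string into a timezone-aware datetime.
    Returns None when the string is not a PDF date."""
    m = DATE_RE.match(value)
    if not m:
        return None
    year = int(m[1])
    month, day = int(m[2] or 1), int(m[3] or 1)
    hour, minute, second = (int(m[i] or 0) for i in (4, 5, 6))
    sign, tzh, tzm = m[7], int(m[8] or 0), int(m[9] or 0)
    if sign in (None, "Z"):
        tz = timezone.utc  # no offset given: treat as UTC
    else:
        delta = timedelta(hours=tzh, minutes=tzm)
        tz = timezone(delta if sign == "+" else -delta)
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)

def pdf_info(data):
    """Extract literal-string entries of the Info dictionary by regex.
    This handles uncompressed literal strings only; a full tool (pdfinfo,
    pypdf) is needed for object streams and hex strings."""
    info = {}
    for key, raw in re.findall(rb"/(\w+)\s*\(((?:\\.|[^\\)])*)\)", data):
        # decode octal escapes such as \256 into the corresponding byte
        text = re.sub(rb"\\(\d{1,3})", lambda o: bytes([int(o[1], 8)]), raw)
        info[key.decode()] = text.decode("latin-1")
    return info

def profile(data):
    """Summarise what the metadata reveals: authoring tool, UTC offset of the
    author's clock, and the local weekday/time the file was created."""
    info = pdf_info(data)
    created = parse_pdf_date(info.get("CreationDate", ""))
    summary = {"creator": info.get("Creator"), "producer": info.get("Producer")}
    if created is not None:
        summary["utc_offset_hours"] = created.utcoffset().total_seconds() / 3600
        summary["weekday"] = created.strftime("%A")
        summary["local_time"] = created.strftime("%H:%M")
    return summary

if __name__ == "__main__":
    for k, v in profile(SAMPLE_PDF).items():
        print(f"{k:>17}: {v}")
```

Running this over a folder of collected samples and tallying `weekday` and `local_time` is exactly how the weekday-only, 11:00-23:30 pattern above becomes visible; the offset in the date string is set by the author's machine, which is why it leaks the timezone even when the preview never exposes the file itself.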
I also tried to look back in history and see how this particular comment spam has evolved. From what I can tell, the English version of this spam started somewhere around 09-Nov-2018. Thanks to some irresponsible blog owners, we can see it in its full glory:
I'm sure the spambot respected their wishes and never posted on that site again.
Funny how these things sometimes evolve!
It would be trivial for Google to block this sort of abuse of Google Drive and document preview. And it would be trivial for Akismet to fix their filters to catch this sort of spam. But I guess the volume of spam is too low to catch their attention.
As for me, I made some simple changes to ensure this sort of spam doesn't come through anymore. Have a nice stay here!
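One way to implement such a filter. This is an added example and not the author's actual changes: it scores a comment on the three template elements described above (generic greeting, the "Are you in?" lure, and a link whose host is a document-preview service) and only flags a comment when all of them line up, so a legitimate reader sharing a Google Drive link is not caught. The sample comments and the file IDs in their links are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample comments. The first follows the template the post
# describes (greeting, lure, "Are you in?", Google Drive link); the others
# are benign, including one that legitimately links to Google Drive.
COMMENTS = [
    "Hi there! I found something you will really like. Are you in? "
    "https://drive.google.com/file/d/EXAMPLE_FILE_ID/view",
    "Great write-up, thanks. I had the same issue with Akismet last year.",
    "Here is the slide deck from my talk: https://drive.google.com/file/d/ANOTHER_ID/view",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")
GREETING_RE = re.compile(r"^\s*(hi|hello|hey|greetings)\b", re.I)
LURE_RE = re.compile(r"\bare you in\b\s*\??", re.I)
# Hosts whose "preview" feature renders an attacker-supplied document as HTML.
# Assumed list for the example; extend it for other file-sharing services.
PREVIEW_HOSTS = {"drive.google.com", "docs.google.com"}
PREVIEW_REASON = "link to a document-preview host"

def score_comment(text):
    """Return (score, reasons). Each template element found adds one point."""
    reasons = []
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    if hosts & PREVIEW_HOSTS:
        reasons.append(PREVIEW_REASON)
    if GREETING_RE.search(text):
        reasons.append("generic greeting")
    if LURE_RE.search(text):
        reasons.append("'Are you in?' lure")
    return len(reasons), reasons

def is_template_spam(text, threshold=3):
    """A preview-host link on its own is normal; it is the combination with
    the boilerplate greeting and lure that the spam template produces."""
    score, reasons = score_comment(text)
    return score >= threshold and PREVIEW_REASON in reasons

def triage(comments):
    """Label each comment so it can be held for moderation instead of published."""
    return [("spam" if is_template_spam(c) else "ok", c[:45]) for c in comments]

if __name__ == "__main__":
    for verdict, snippet in triage(COMMENTS):
        print(f"{verdict:>4}  {snippet}")
```

Keying on the whole template rather than on the domain is the point: blocking drive.google.com outright would break legitimate links, while the greeting-plus-lure wording is cheap for a spammer to vary, so the scoring is deliberately a hold-for-moderation signal rather than a hard reject, and the lure regex is the part to update when the next wave changes its question.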