05 Jan 2019

Comment spam abuses Google Drive and bypasses Akismet

Recently there were a few spammy comments posted on the blog. I mean real, actual comment spam:

I'm using a simple captcha and Akismet - it filters out pretty much all of the spam. So, these 2 comments getting through the filters really caught my attention.

How it works

The comment text is obviously generated using some sort of spam template. It consists of a greeting, a short text to entice the user to click on a link and - in the current spam wave - a question "Are you in?", followed by a link to Google Drive. So far it's all nice and dandy.

The problem starts when the user opens the link to Google Drive. It opens a preview of a PDF document, something like this:

The big captcha box you see in the screenshot is not an actual captcha. The whole image is a link to the promoted site, in this case, topratinglist[.]com. Considering that users are used to seeing these captchas, it's quite likely some of them will click on it. Mission accomplished! :D
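The comment structure described above (greeting, template question, Google Drive link) can be turned into a moderation heuristic. This is an added example, not the filter used on this blog; the greeting word list, the `hold`/`allow` outcomes and the sample comments are assumptions.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PREVIEW_HOSTS = {"drive.google.com"}  # host named in the article
GREETING_RE = re.compile(r"^\W*(hi|hello|hey|greetings)\b", re.IGNORECASE)  # assumed wording
TEMPLATE_RE = re.compile(r"\bare you in\s*\?", re.IGNORECASE)  # question from the current wave

def link_hosts(text):
    """Hostnames of all links, compared exactly so look-alike hosts do not match."""
    hosts = []
    for url in URL_RE.findall(text):
        try:
            hosts.append((urlparse(url).hostname or "").lower())
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            hosts.append("")
    return hosts

def signals(text):
    found = set()
    if any(h in PREVIEW_HOSTS for h in link_hosts(text)):
        found.add("drive_link")
    if GREETING_RE.search(text):
        found.add("greeting")
    if TEMPLATE_RE.search(text):
        found.add("template_question")
    return found

def moderate(text):
    """'hold' queues the comment for manual review, 'allow' publishes it."""
    s = signals(text)
    # A Drive link alone is not enough: readers legitimately share files that way.
    if "drive_link" in s and s & {"greeting", "template_question"}:
        return "hold"
    return "allow"

# Constructed comments; FILE_ID is a placeholder, not a real document
COMMENTS = {
    "spam": "Hello! There is a nice offer for you. Are you in? "
            "https://drive.google.com/file/d/FILE_ID/view",
    "bug_report": "The tool crashes on this sample, I uploaded it here: "
                  "https://drive.google.com/file/d/FILE_ID/view",
    "lookalike": "Hi, docs moved to https://drive.google.com.example.net/manual",
    "plain": "Hello, thanks for the write-up!",
}
```
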

Promoted sites

So far, I was able to trace this sort of spam to the following sites:

  • topratinglist[.]com
  • clicksbilling[.]ru
  • afsstrong[.]site
  • clickgred[.]ru
  • mastbilling[.]ru
  • bledclick[.]ru
  • mayclick[.]club

Unsurprisingly, all those are shady sites run by Russians. For example, topratinglist[.]com just redirects you to a very NSFW advertisement.

PDF file contents

An ordinary user will never see the original PDF file - Google Drive Preview renders the file as HTML.

That poses quite a problem for antiviruses - they can't block the entire drive.google.com domain and there is no point blacklisting the original PDF as the user never downloads it. Unsurprisingly, these PDFs are not on VirusTotal and the one I uploaded was not detected by any major antivirus:

If you look at the file details on Google Drive, it's owned by someone called "Petr Petrov" or "Vasia Vasia". There are dozens of such PDF files owned by each of the accounts.

The original PDF file contains a lot of metadata that allows us to learn more about the people behind this spam:

  • They use Microsoft Word 2010
  • They are Russian-speaking (surprise!)
  • Their timezone is GMT+3 - link to Russia again.
  • They create new PDFs only on weekdays - somewhere between 11:00 and 23:30. Those are some strange working hours! :)
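The kind of profile listed above (producer, timezone offset, weekdays, working hours) can be built from the Info dictionaries of a batch of PDFs. This is an added example, not the author's tooling; the sample dictionaries are constructed, and the regex extraction assumes the Info dictionary is stored uncompressed with plain literal strings.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# PDF date string: D:YYYYMMDDHHmmSS followed by Z or a local offset such as +03'00'
PDF_DATE = re.compile(rb"D:(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(?:Z|([+-])(\d\d)'?(\d\d)?'?)?")
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def parse_pdf_date(raw: bytes) -> datetime:
    m = PDF_DATE.search(raw)
    if not m:
        raise ValueError("no full PDF date string found")
    y, mo, d, h, mi, s = (int(g) for g in m.groups()[:6])
    offset = timedelta(0)  # assumption: a date without an offset is treated as UTC
    if m.group(7):
        offset = timedelta(hours=int(m.group(8)), minutes=int(m.group(9) or 0))
        if m.group(7) == b"-":
            offset = -offset
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone(offset))

def info_fields(pdf: bytes) -> dict:
    """Literal-string Info entries; works only when the dictionary is stored uncompressed."""
    found = {}
    for key in (b"Producer", b"CreationDate"):
        m = re.search(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", pdf)
        if m:
            found[key.decode()] = m.group(1)
    return found

def profile(pdfs) -> dict:
    producers, offsets, weekdays, times = Counter(), Counter(), Counter(), []
    for pdf in pdfs:
        fields = info_fields(pdf)
        if "CreationDate" not in fields:
            continue  # nothing to profile without a timestamp
        dt = parse_pdf_date(fields["CreationDate"])
        producers[fields.get("Producer", b"unknown").decode("latin-1")] += 1
        offsets[dt.utcoffset().total_seconds() / 3600] += 1
        weekdays[DAYS[dt.weekday()]] += 1
        times.append(dt.strftime("%H:%M"))  # local wall-clock time of the authoring machine
    return {"producers": dict(producers), "utc_offset_hours": dict(offsets), "weekdays": dict(weekdays),
            "earliest": min(times, default=None), "latest": max(times, default=None)}

# Constructed Info dictionaries, not taken from the files discussed in the article
SAMPLES = [
    b"<</Producer(Microsoft Word 2010)/CreationDate(D:20181109110500+03'00')>>",
    b"<</Producer(Microsoft Word 2010)/CreationDate(D:20181112233000+03'00')>>",
    b"<</Producer(Microsoft Word 2010)/CreationDate(D:20181114154210+03'00')>>",
]
```

Calling `profile(SAMPLES)` returns the aggregated producer, offset, weekday and time-of-day counts for the batch.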

Spam evolution

I also tried to look back in history and see how this particular comment spam has evolved. From what I can tell, the English version of this spam started somewhere around 09-Nov-2018. Thanks to some irresponsible blog owners we can see it in its full glory:

I'm sure the spambot respected their wishes and never posted on that site again. :D

Digging even further, you can find the same sort of spam in Russian-speaking forums, with a Russian-language ruse:

This spam dates back to March 2018, as we can see in the file details. The Google Drive account is also owned by someone else named "123 123":

Another Russian-language attempt abuses the Kaspersky logo to make it look even more trustworthy:

Funny how these things sometimes evolve! :)

Conclusion

It would be trivial for Google to block this sort of abuse of Google Drive and document preview. And it would be trivial for Akismet to fix their filters to catch this sort of spam. But I guess the volume of spam is too low to catch their attention.

As for me, I made some simple changes to ensure this sort of spam doesn't come through anymore. Have a nice stay here! :)

8 thoughts on “Comment spam abuses Google Drive and bypasses Akismet”

    • Simple answer would be - "no, I did not".

      Longer answer - some files got blacklisted while I was writing the article and making screenshots. So, it looks like Google blacklists certain files "automagically". However, they do not kill the offending accounts. And, as screenshots show, extremely similar files have been on Google's servers since March 2018 and are still not removed.

      Reporting a few individual files will not solve the problem - it requires a systemic solution.

  1. This is something I've come across as well. They've somehow picked up my personal email from somewhere and are now using it in various contact forms. I made a quick post about it on my personal blog: {hidden link}

      • Yeah, I have my personal email set up as a secondary email for my Gravatar account. I tried searching it on Google but it doesn't return any pages. I'd probably signed up for something which ended up leaking my email address somehow. :/

  2. Oof. I didn't know those kinds of comments existed... Anyway, I do know about the Akismet and spam comments, and some still manage to bypass it, despite being set to "strict". I ended up making an entire page of spam comments (I think there's about 25 comments so far) on one of my WordPress blogs. The comments are really weird, some weirder than those you have pictures of.

    • But no matter now. I've quit WordPress and put someone else as the owner of my blogs. No need to deal with spam comments now.

  3. Really solid advice Brian! I would be absolutely lost without Akismet - it's a complete lifesaver with four blogs and a few other websites. Without it, I'd probably just have to turn off commenting on my blog altogether.
