The email included 2 lines, with a date and a link that seemed very suspicious. It looked as follows:
Looking at the link, it seems like an almost clean google.co.uk link (except for the backslashes). When typing that link into the address bar, an interesting thing happened – the URL loads something from Google.co.uk, then redirects automatically to:
Amazingly enough, this is nothing other than a “Canadian Pharmacy” website 🙂
So how was this done?
[Thanks Simon for the resolution]
Well, there is no actual “hack” in the URL. It’s not a phishing scheme or anything like that – it is actually a much simpler idea. We all know the Google button “I’m Feeling Lucky” – this is the button which, instead of taking the user to the SERP (search results page), takes the user directly to the top result’s page.
These guys hacked this button command – the button ID is “btnl”, and they simply found the correct value to put after it in order to send a user directly to their target web page.
OK.. so what’s so smart about that???
The problem is, emails with weird redirected URLs and/or pharma words get filtered by spam blockers. So, what these guys did is find a very long tail search phrase, for which their web page came up as the top result with high certainty.
They then spammed the web with a Google URL, which is much less likely to get blocked – so it reached a much larger audience.
Also, a URL from Google is much more likely to be clicked than other weird redirected URLs.
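On the filtering side, a link like this can be scored as a redirect instead of inheriting Google's reputation. The sketch below is an added example, not code from the original post: the function name, the Google host pattern and the sample message are assumptions made for illustration, and the parameter is matched under both spellings of the button id.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lucky-button parameter names, lower-cased. The post writes the id as "btnl";
# it is also commonly written "btnI", so both spellings are accepted.
LUCKY_PARAMS = {"btnl", "btni"}
URL_RE = re.compile(r"https?:[/\\]{2}[^\s<>\"']+", re.IGNORECASE)
# Assumption: a coarse pattern for Google search hosts (google.com, google.co.uk, ...).
GOOGLE_HOST_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*google\.(?:[a-z]{2,3}|com?\.[a-z]{2})$")

SAMPLE_BODY = (  # constructed sample, not the e-mail from the post
    "12 March\n"
    "http:\\\\www.google.co.uk\\search?q=constructed+long+tail+phrase&btnl=1\n"
    "Docs: https://www.google.com/search?q=python+urlsplit\n"
    "https://example.com/?btnI=1\n"
)


def lucky_redirect_urls(body):
    """Return Google search links in body that carry a lucky-button parameter."""
    hits = []
    for raw in URL_RE.findall(body):
        # Browsers read "\" as "/" before the query string, so normalise it.
        head, sep, query = raw.partition("?")
        parts = urlsplit(head.replace("\\", "/") + sep + query)
        host = parts.hostname or ""
        if not GOOGLE_HOST_RE.match(host):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        if any(name.lower() in LUCKY_PARAMS for name in params):
            # The real destination is whatever ranks first for q, so the link
            # should be scored as a redirect, not on Google's reputation.
            hits.append({"url": raw, "host": host,
                         "query": params.get("q", [""])[0]})
    return hits


if __name__ == "__main__":
    for hit in lucky_redirect_urls(SAMPLE_BODY):
        print("redirect via %(host)s, search phrase: %(query)r" % hit)
```

An ordinary Google search link in the same message is left alone; only the link that skips the results page is reported, together with the search phrase that decides where it lands.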