Russian-language URL shortening service from

Russian-language URL shortening service from


Yesterday popular link shortener service (aka started to spread russian language spam messages with malicious links redirecting to blackhole exploit kit landing page:

So as you can see, cyber crooks put a lot of effort in this campaign and they are pushing quite big volume of traffic from some very effective sources via ad networks. In order to redirect users from Ad network domains, crooks have been using 302 permanent redirects only so far, but there is still a possibility that they will start to use JavaScript instead on redirection stage or something else  more sophisticated if they find it necessary for more effective infections rate.

  As mentioned above, this adnetwork is using pretty aggressive approach by injecting malicious javascript in iframe. If you have the same problem with being redirected to blackhole exploit kit pages when clicking on safe looking site, please mention it in comments section so that I update this article accordingly. Please also read about how to protect yourself from malvertising . Also remember, that many of the ad networks are working together in order to increase their traffic numbers and thus earning so if one of them is compromised your computer can be infected even when visiting websites not displaying ads or using different ad-serving network.

Date: Thu, 23 Aug 2012 11:03:36 +0400

From: Vkontakte - Team <po[email protected]>

Subject [SPAM]


You are receiving this message because you visited the following page:   The URL redirected to another URL, which was used for spreading spam. We apologize for any inconvenience caused by this issue. Learn how to avoid it in future HERE . Kind regards, Vkontakte - Team url: [email protected] [email protected] phone: +7 (495) 663-49-20


This spam campaign is just an example of how big and wide this problem became, so always double check links before clicking on them. If you have been redirected to blackhole exploit kit pages from other ad networks as well, please leave a comment below so I can update the article accordingly. It seems that crooks also use JavaScript redirections to infect users with malware or send them to affiliate marketing bribe pages in order to increase their traffic numbers - it's a very sophisticated approach which requires more research if we want to do something about it... Meanwhile, I would recommend you to install NoScript for Firefox . Please let me know if this short url service is also actively used by other blackhat SEO'ers or script kiddies who like to use shortened links for redirecting people. I think this is very unlikely, but still...

This entry was posted in Malware and tagged Blackhole 2.0 , exploit kit , Redirect . Bookmark the permalink .

If you enjoyed this post, make sure you subscribe to my RSS feed !

You can also email me at site [at] webmasterworld [dot] com, or follow WebmasterWorld on Twitter.

I have been doing Google AdSense since November of 2005 when they first introduced it to bloggers and forum owners who wanted to monetise their online content. In all these years I haven't seen an ad "policy violation" letter yet. This month a bot from Google crawled a page that had an image of Miley Cyrus with her tongue sticking out - when Google indexed this page, it also logged the AdSense code in the background. A few days ago I received an email from Google saying that they detected a policy violation on my site so my account is being disabled effective immediately.

Not knowing what's going on and panicking because one of my main sources of income is not working any more, I submitted a support ticket asking for details about this problem. After another 10 minutes or so, while trying to access AdSense via console, I got the following error message: "This account has been disabled. Please contact your site administrator for more information.". At this point Google cut off all communication channels with me - no support tickets are being accepted at the moment, no emails are being delivered, my AdSense blog has been removed and even this post cannot be commented on. I tried to contact Google via phone but their system is set up in a way that if you have an AdSense account, you can only speak with them via email .

We are social