Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

This guest post originally appeared on Symantec.com. A few weeks after our blog post about porn and secret admirer spam targeting Snapchat users, a new spam campaign using sexually suggestive photos and compromised custom URLs is circulating on the photo messaging app.

Each of these spam messages (in Figure 1. above) includes a request to "Add my kik", along with a specially crafted user name on the Kik instant messaging application for mobile devices.

Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

Figure 2. Snapchat with a digital camera? It's a trap!

After engaging these spam bots on Kik Messenger, this spam campaign is using a type of spam chat bot-script we discovered on Tinder last summer.

Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

Figure 3. Spam bot using a familiar chat script on Kik

An interesting discovery from this campaign is the use of compromised custom URLs belonging to small websites and popular brands. Spammers have found a way to create their own links using branded short domains in order to entice users into a false sense of security.

Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

Figure 4. Well-known branded short domain directs users to spam

The following are some of the compromised branded short domains we identified:

  • usat.ly (USA Today)
  • cbsloc.al (CBS Local)
  • on.natgeo.com (National Geographic)
  • nyp.st (New York Post)
  • on.mktw.net (Marketwatch)
  • mirr.im (Daily Mirror)
  • red.ht (Red Hat)
  • invstplc.com (Investorplace)
  • mitne.ws (MIT News)

Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

Figure 5. Stats page for compromised short URL

Hidden behind the branded customized URLs are affiliate marketing links directing users to sign-up for adult webcam sites.

Symantec has been working closely with Bitly to investigate and shut down any spammer use of branded short URLs. Bitly has confirmed that some spammers obtained Bitly API keys belonging to various brands. Some of the brands affected used the AddThis social bookmarking service who recently stopped requiring users to reveal their API key in plain text as part of the AddThis website embed code.

Snapchat Spam: Sexy Photos Lead to Compromised Branded Short Domains

Figure 6. Note from AddThis support page regarding API key safety

Public exposure of API keys gives anybody the ability to compromise accounts and, in this case, create short URLs using other people's domains.

Users of the AddThis service should refer to this support article on how to secure API keys. Bitly users should follow Bitly API best practices to ensure the security of API keys.

The recent spam campaign targeting Snapchat users should not be surprising. Scammers and spammers will always target new and popular apps—like Snapchat—as soon as they gain a large enough user base. To prevent spam snaps from appearing in your Snapchat feed, Symantec recommends users change their Snapchat privacy settings to receive snaps from "My Friends" only and use caution when receiving unsolicited messages or friend requests.

This post by security response manager Satnam Narang originally appeared on Symantec's security blog and is reprinted in full with permission from the author. You can follow Narang on Twitter here.