Using Google cache and invisible text for spam redirect

The title of this email caught our eye – “privacy” – certainly an amusing way to introduce spam. Closer inspection revealed two interesting tricks, no doubt intended to fool content-based spam filters.

The first is the use of almost invisible, random text to break up words which might be detected by spam filters. As shown below, the word “product” appears to have a space in the middle of the word (as do the words “extremely”, “congratulate”, “excellent” and “future”). The space is actually made up of 6 numbers and letters – all with a font size of 1 and colored white. We have enlarged the text and colored it red to make it visible.
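A filter can undo this trick by dropping text that is styled to be unreadable before it matches keywords. The sketch below is an added example, not code from the original post or from any filter product. It assumes the filler is marked up either as `<font size="1" color="#FFFFFF">` or with the equivalent inline CSS, and the function names and sample message are constructed for illustration.

```python
import re
from html.parser import HTMLParser
WHITE = {"white", "#fff", "#ffffff"}

def is_hidden(tag, attrs):
    """Tiny AND white, as in the sample described above (markup forms assumed)."""
    a = {k: (v or "").strip().lower() for k, v in attrs}
    style = a.get("style", "").replace(" ", "")
    tiny = (tag == "font" and a.get("size") == "1") or bool(
        re.search(r"font-size:[01](px|pt)?(;|$)", style))
    white = a.get("color") in WHITE or bool(
        re.search(r"(^|;)color:(white|#fff(fff)?)(;|$)", style))
    return tiny and white

class HiddenTextSplitter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []  # (tag, hidden?) per open element; children inherit
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        inherited = bool(self.stack) and self.stack[-1][1]
        self.stack.append((tag, inherited or is_hidden(tag, attrs)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; spam HTML is often malformed.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        hidden = bool(self.stack) and self.stack[-1][1]
        (self.hidden if hidden else self.visible).append(data)

def naive_text(html):
    return re.sub(r"<[^>]+>", "", html)  # what a tag-stripping filter sees

def analyse(html):
    """Return (text with hidden runs removed, list of hidden fragments)."""
    p = HiddenTextSplitter()
    p.feed(html)
    p.close()
    text = re.sub(r"\s+", " ", "".join(p.visible)).strip()
    return text, [h for h in p.hidden if h.strip()]

# Constructed sample: 6-character filler inside "product" and "excellent".
SAMPLE = ('<p>Our pro<font size="1" color="#FFFFFF">a8k2zq</font>duct is '
          'ex<span style="font-size:1px; color:white">9xk3p0</span>cellent.</p>')
```

Keyword rules then run on the first value returned by `analyse`, and the number of hidden fragments that fall inside words is itself a useful spam signal.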

The second trick is the inclusion of links that appear to lead to a Google site. Here again, these URLs will not trigger most spam filters, which almost certainly whitelist the Google domain. Google’s cache stores snapshots of webpages, allowing searchers to access content that may have changed since it was scanned by Google. In this example the link includes Google’s cache code: pzSrP–rcwJ. The inclusion of the text “:google.com” at the end of the link is purely “cosmetic” and does not affect the destination.

The links lead to the cached version of a seemingly blank page from a site called “giacomo–.chez.com”.

This cached site includes an embedded script that redirects visitors to their final destination – the Ultimate Replica site. Note the Christmas decorations…