Rise of .pw URLs in Spam Messages

Symantec has observed an increase in spam messages containing .pw top-level domain (TLD) URLs.  While it was originally a country code top-level domain for Palau, it is now available to the general public through Directi, who branded it as “Professional Web”.
 

pw tld blog 1.png

Figure 1. .pw TLD URL spam message increase
 

Looking back at the last 90 days, .pw ranked #16 on our TLD distribution list:
 

pw tld blog 2_0.png

Figure 2. TLD distribution list - last 90 days
 

However, the .pw URL jumps to the fourth spot when looking at the last 7 days:
 

pw tld blog 3.png

Figure 3. TLD distribution list - last 7 days
 

Examining messages found in the Global Intelligence Network, Symantec researchers have found that the vast majority of spam messages containing .pw URLs are hit-and-run (also known as snowshoe) spam. 

These are the top ten subject lines from .pw URL spam over the last two days:

  • Subject: How to sell your Timeshare
  • Subject: Reusable K Cup for Keurig or single-brew coffee maker
  • Subject: Reusable single-brew coffee cup you can fill with your coffee blend.
  • Subject: Are your home possessions covered in case of a  catastrophe?
  • Subject: Elmo's Learning Adventure Gift Package
  • Subject: Make Learning Fun - With Elmo & the Sesame Street Gang!
  • Subject: Are your appliances and home systems covered?
  • Subject: Refinance Today, Save Tomorrow
  • Subject: Nothing is more EFFECTIVE for High Blood Pressure
  • Subject: Mortgage Rates

pw tld blog 4.png

Figure 4. .pw URL spam message example
 

Symantec will continue to monitor this trend and create additional filters to target these attacks.  In addition, Symantec also advises enterprises and consumers to adopt the best practices found in the Symantec Intelligence Report.