.pw Hit and Run Spam with Royal Baby Trend

Last month Symantec posted few blogs (here and here) on an increase in spam messages with .pw URLs.

Since then the volume of URLs with .pw domains has considerably decreased. At the beginning of May the peak volume .pw domains accounted for about 50 percent of all spam URLs. Currently, .pw domains account for less than 2 percent for the last seven days.

Figure1_6.png

Figure 1. .pw TLD appearance in spam messages

The decrease in .pw domains is the result of a close collaboration between Symantec and Directi in reporting and taking down the .pw domains associated with spam.

The latest evidence from the Global Intelligence Network shows that even with such a small presence of former country top-level domains for Palau, .pw spammers don’t give up and start using different tactics. They keep an eye on the latest news from around the world and convert hot news headers into domain names.

One such example is the domain name babykingishere.pw, which was registered on July 24 by a registrant from Panama. The name chosen by spammers was based on the big news from the UK, the birth of future king. While the world is celebrating, spammers have definitely tried to take advantage of the event.

So far, the spam domain was only observed within promotional hit-and-run spam. One of the main characteristics of this type of spam is the use of "throw away" domains, which the babykingishere.pw domain is.

Sample “From” lines taken from observed Hit and Run spam with the babykingishere.pw domain:

Figure2_3.png

Figure 2. Sample spam message with links containing the babykingishere.pw domain

Currently, both samples are blocked by Symantec with IP reputation and content filtering. Symantec will continue to monitor .pw domains and any appearance of "Royal Baby" spam.