Spammers are abusing free web services to make their spam links look more legitimate, according to email security vendor MessageLabs.
One of the services, a photo-hosting site called ImageShack, lets people upload different types of photo formats, including Flash files, said Paul Wood, a senior analyst with MessageLabs.
Flash files, which have the extension ".swf", can be used for animated graphics and can also be used to automatically redirect people to other websites. That feature can be abused.
The attack involving ImageShack works like this: Spammers upload a Flash file then copy the link for that file - which comes from ImageShack's domain - in a spam message. If the link is followed, the Flash file redirects the victim to a spam site, Wood said.
The technique offers an advantage for spammers. Anti-spam software will often scan links in email and block those emails with suspicious-looking ones. But ImageShack's domain is considered to have a good reputation, so messages won't be blocked.
"If you start blocking on domain name only, you can incur a lot of collateral damage," Wood said.
Another more dangerous variation on this theme is a spam email promoting a video. If the link is clicked, a Flash file redirects the victim to a site where a pop-up window immediately implores the user to download a codec supposedly needed to play the video file. Invariably, the file isn't a codec but some piece of malicious software.
Even if the spam link in the email appears to be OK, there are many other ways to tell if a message is spam.
The header - or batch of information that shows where an email came from and the path it followed - can be used to tell if it came from a domain that has been prone to abuse and subsequently blocked, Wood said.
Google's Picasa photo service and Yahoo's Flickr don't allow Flash files. But that hasn't exempted Picasa from abuse. Spammers use Picasa to host images, which are then incorporated into spam messages, Wood said.
Again, spammers are piggy backing on Google's good reputation. Images that are hosted on less reputable services or domains have a greater chance of being automatically blocked by security programs.
MessageLabs has also seen a similar type of abuse of Microsoft's Windows Live SkyDrive, which is an online file storage service, Wood said.
The scenario is almost the same: The link is connected with a file on SkyDrive, but then the link performs an HTML redirect to a dodgy site. SkyDrive also allows Flash files to be uploaded, offering another possible way to attack.