Author Topic: Possible malware spam accounts at Tumblr?  (Read 3159 times)


REDACTED

  • Guest
Possible malware spam accounts at Tumblr?
« on: November 29, 2015, 01:34:21 PM »
So recently when I've browsed Tumblr casually for certain subjects, like cartoons (e.g. Steven Universe), I've encountered lots of different weird posts of some kind of shortened "goo.gl" links that look like some sort of humorous news articles (e.g. "Images That Will Surely Blow Your Mind!"). Lots of usernames these posts keep coming from sure seem to be fake and created by some kind of bots. I haven't clicked any of the shortened links yet, but I've been uneasy about some possibilities of these accounts probably containing some malicious hidden content themselves, since it seems to be possible from what I've heard (e.g. this: https://forum.avast.com/index.php?topic=179598.0), and when I first encountered these I first went and visited a few to possibly see what these users were all about...

Here are a few examples of these Tumblr user domains:

https://sitecheck.sucuri.net/results/viktori6xhazov.tumblr.com
https://sitecheck.sucuri.net/results/cstudiost.tumblr.com
https://sitecheck.sucuri.net/results/toucharge.tumblr.com
https://sitecheck.sucuri.net/results/lollowing.tumblr.com

One thing to notice: all of these domains seem to have the exact same iframes according to Sucuri...
« Last Edit: November 29, 2015, 01:40:33 PM by Pernaman »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Possible malware spam accounts at Tumblr?
« Reply #1 on: November 29, 2015, 01:47:13 PM »
goo.gl is a url shortener service.
Of course (as with every social media) there are people on Tumblr that are trying to spread malware, send spam (mails) etc.

The IFrames are created by Tumblr.
They should update their script(s).
IFrames are obsolete and a no-go nowadays.
To create "frames" they should use <div> (HTML5).

REDACTED

  • Guest
Re: Possible malware spam accounts at Tumblr?
« Reply #2 on: December 07, 2015, 01:39:07 PM »
Fortunately, some of these spam accounts seem to have been taken down by now (at least Sucuri now shows "HTTP/1.1 404 Not Found" in some of the results for these links), and there seems to be no further spam, at least in the Tumblr searches where I've previously encountered them :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Possible malware spam accounts at Tumblr?
« Reply #3 on: December 07, 2015, 04:36:00 PM »
Hi Pernaman & Eddy,

There are always sub-domain holders that try to abuse. But there are always two parties involved to tango, and from this scan you can see tumblr dot com is also at fault with DNS errors and blacklisting warnings: http://mxtoolbox.com/domain/viktori6xhazov.tumblr.com/  so it is also their sloppy hosting and IT management causing this and not only the malcreants. Also see: http://www.dnsinspect.com/tumblr.com/1449501846
- name servers without AAAA records.
- WARNING: Name servers software versions are exposed.
- WARNING: We found different serial numbers on your name servers, it's OK if you had modified your zone recently.
So sub-domain zone transfers are taking place, so it's a free-for-all like in the wild wild west  ;D
- WARNING: Primary name server ns0.dnsmadeeasy.com. listed in SOA Record is not found at the parent name servers. The MNAME field defines the Primary Master name server for the zone, this name server should be found in your NS records.
- WARNING: MX records duplicates (same IP address):

So MarkMonitor, aka Google, should inspect what sub-domains they are allowing: http://whois.domaintools.com/tumblr.com
They should keep an eye on what goes on on IP 66.6.41.30 for instance, with 69 other sites hosted on this server.

Now you see how the conditions for this abuse arose, and action comes when abuse has already been going on for quite some time. I do not see any pro-active hosting here. The drawbacks of bulk-hosting, my friends.

polonus (volunteer website security analyst and website error-hunter)

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
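The four dnsinspect findings polonus quotes above (name servers without AAAA records, SOA MNAME missing from the NS set, differing serials between name servers, MX hosts sharing one IP) are the kind of zone-hygiene checks a hosting operator can run on its own zones before an abuse report arrives. The script below is an added example written for this thread, not code from the forum, from dnsinspect or from MXToolbox. It works entirely on a constructed snapshot (zone name `example.test`, placeholder name server names, documentation-range IP addresses) so it runs offline; in a real run the `ZoneSnapshot` would be filled from a resolver library such as dnspython.

```python
# Added example (not from the thread): offline DNS-hygiene checks that
# reproduce the four warning types polonus quotes from dnsinspect.
# Every name and address below is CONSTRUCTED; "example.test" and the
# 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 ranges are placeholders.
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


def canon(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


@dataclass
class ZoneSnapshot:
    """What a resolver saw when it queried the zone and each of its name servers."""
    zone: str
    ns: list[str]                                   # NS RRset for the zone apex
    soa_mname: str                                  # MNAME field of the SOA record
    soa_serials: dict[str, int]                     # SOA serial returned by each NS
    ns_addresses: dict[str, dict[str, list[str]]]   # ns -> {"A": [...], "AAAA": [...]}
    mx_addresses: dict[str, list[str]]              # MX host -> IPv4 addresses


def check_ns_have_aaaa(snap: ZoneSnapshot) -> list[str]:
    """Finding 1: every authoritative name server should be reachable over IPv6."""
    out = []
    for ns in snap.ns:
        if not snap.ns_addresses.get(canon(ns), {}).get("AAAA"):
            out.append(f"WARNING: name server {canon(ns)} has no AAAA record")
    return out


def check_soa_mname_in_ns(snap: ZoneSnapshot) -> list[str]:
    """Finding 2: the SOA MNAME (primary master) must appear among the NS records."""
    mname = canon(snap.soa_mname)
    if mname not in {canon(n) for n in snap.ns}:
        return [f"WARNING: primary name server {mname} listed in SOA is not found in NS records"]
    return []


def check_serials_agree(snap: ZoneSnapshot) -> list[str]:
    """Finding 3: all name servers should serve the same SOA serial (zone in sync)."""
    if len(set(snap.soa_serials.values())) > 1:
        detail = ", ".join(f"{canon(ns)}={serial}" for ns, serial in sorted(snap.soa_serials.items()))
        return [f"WARNING: different serial numbers on name servers: {detail}"]
    return []


def check_mx_duplicates(snap: ZoneSnapshot) -> list[str]:
    """Finding 4: distinct MX hosts that resolve to the same IP give no real redundancy."""
    by_ip: dict[str, list[str]] = defaultdict(list)
    for host, ips in snap.mx_addresses.items():
        for ip in ips:
            by_ip[ip].append(canon(host))
    return [
        f"WARNING: MX records duplicates (same IP address {ip}): {', '.join(sorted(hosts))}"
        for ip, hosts in sorted(by_ip.items()) if len(hosts) > 1
    ]


def check_zone(snap: ZoneSnapshot) -> list[str]:
    """Run all four checks and return the list of warnings (empty means clean)."""
    return (check_ns_have_aaaa(snap) + check_soa_mname_in_ns(snap)
            + check_serials_agree(snap) + check_mx_duplicates(snap))


# Constructed snapshot exhibiting every finding from the post.
SLOPPY_ZONE = ZoneSnapshot(
    zone="example.test",
    ns=["ns1.example.test.", "ns2.example.test."],
    soa_mname="ns0.example.test.",                  # not among the NS records
    soa_serials={"ns1.example.test.": 2015120701, "ns2.example.test.": 2015120601},
    ns_addresses={"ns1.example.test": {"A": ["192.0.2.1"], "AAAA": []},
                  "ns2.example.test": {"A": ["192.0.2.2"], "AAAA": []}},
    mx_addresses={"mx1.example.test.": ["198.51.100.10"], "mx2.example.test.": ["198.51.100.10"]},
)

# The same constructed zone with the problems fixed, for comparison.
CLEAN_ZONE = ZoneSnapshot(
    zone="example.test",
    ns=["ns1.example.test.", "ns2.example.test."],
    soa_mname="ns1.example.test.",
    soa_serials={"ns1.example.test.": 2015120701, "ns2.example.test.": 2015120701},
    ns_addresses={"ns1.example.test": {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
                  "ns2.example.test": {"A": ["192.0.2.2"], "AAAA": ["2001:db8::2"]}},
    mx_addresses={"mx1.example.test.": ["198.51.100.10"], "mx2.example.test.": ["198.51.100.11"]},
)

if __name__ == "__main__":
    for warning in check_zone(SLOPPY_ZONE):
        print(warning)
    print("clean zone:", check_zone(CLEAN_ZONE) or "no warnings")
```

Running it prints five warnings for the sloppy snapshot and none for the corrected one. The serial check is the one worth watching as a defender: a persistent serial mismatch between authoritative servers means secondaries are not picking up zone changes, so record clean-ups (such as removing an abused sub-domain) may not propagate.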