URL shortening services abused by clever spammers

According to Symantec’s MessageLabs Intelligence Blog, there has been a significant rise in the use of URL shortening service links to drive users to malware infected web pages.

MessageLabs Intelligence has also uncovered evidence of spammers establishing their own fake URL-shortening services, which are used as target links from legitimate URL-shortening sites and then redirect to malware sites.

[Image: URL shortening and link chaining]

Symantec refers to this practice as ‘chaining’. According to the Symantec May 2011 threat report chains are “sometimes repeated more than ten times before arriving at the spammer's site.”

“The attack abused at least five different URL shortening sites,” the blog entry posted earlier this month reported. “The message claimed to be from an inter-bank funds transfer service, claiming that a funds transfer had been cancelled. To find out why the transfer was cancelled, recipients were encouraged to click on a link supposedly pointing to a PDF file, but actually pointing to a shortened URL.”

[Image: spamming links by sector]

The shortened link connects unsuspecting users to a site serving up several drive-by exploits. The site is carefully constructed to minimise the ability of web spiders and content inspection engines to identify it as malicious.

“When a web browser renders the page, JavaScript is used to de-obfuscate the content and run more JavaScript to carry out exploits. The page attempts several exploits including exploits targeting PDF and Java, and also uses a Windows Help Center exploit to download more malware,” Symantec explained.

As a further evasion measure, many spammer-owned URL-shortening domains were registered several months before they were put to use, so that they would pass the domain checks applied by legitimate URL-shortening services.

Many services, such as the automated Twitter t.co service and the popular bitly, have checks in place to reduce potential misuse by spammers by applying an ‘age of domain’ check which this aged-registration process may circumvent.

All bitly links and custom names are permanent by design, so spammers link a bitly address to a spammer owned redirection service so they can then edit the final destination as malware sites are exposed or taken down. This allows spammers to use a single bitly redirection for multiple campaigns, and to redirect the bitly address at a high reputation site between malware campaigns to increase the redirection URL’s reputation.

Symantec recommends a number of best-practice guidelines for enterprises wishing to minimise the impact of new spammer techniques. These include:

  1. Employ defence-in-depth strategies; Emphasise multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method
  2. Monitor for network intrusions, propagation attempts and other suspicious traffic patterns, identify attempted connections to known malicious or suspicious hosts
  3. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including protection against un-patched vulnerabilities using real-time cloud analysis services
  4. Use encryption to protect sensitive data
  5. Use Data Loss Prevention to help prevent data breaches
  6. Implement a removable media policy
  7. Update security countermeasures frequently and rapidly
  8. Be aggressive with updating and patching. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure
  9. Enforce an effective password policy. Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers
  10. Restrict dangerous email attachments
  11. Ensure that you have infection and incident response procedures in place

Finally, education of users is key. Users should receive frequent updates from IT and all on-boarding programmes should include at least the following points:

  • Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
  • Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;
  • Be cautious of information you provide on social networking sites;
  • Be suspicious of search engine results and only click through to trusted sources when conducting searches—especially on topics that are hot in the media;
  • Only download software from corporate shares or directly from the vendor's website;
  • Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet unless the download has been scanned for viruses;
  • If you see a warning indicating that your machine is “infected” after clicking on a URL or using a search engine, contact your help desk immediately. For auto-play audio or video with abusive or offensive material, use Tab to reach the offending window, then press Alt-F4 on Windows or Command-W on Mac OS X to close that window immediately.

Further updates and advice are available from Symantec at https://www.symantec.com/connect/symantec-blogs/messagelabs-intelligence. Images are from the Symantec threat report for May 2011.
