Attackers Use URL Shortening Sites

Thursday, October 27, 2011 @ 05:10 PM gHale

Using public URL shortening services makes it difficult for anti-spam countermeasures to detect and block malicious messages sent by attackers in their effort to take over digital assets.

The number of spam messages dropped by 0.6% compared to September. Saudi Arabia remained the most spammed country, followed closely by Russia, with almost 80% of the email representing undesired and ill-intended content, according to the latest Symantec Intelligence Report.

Fake or rogue pharmaceutical-related alerts were the most common, with gambling and jewelry occupying the next two positions. The names and reputation of NACHA and ACH are the most widely used in the subject lines of spam emails.

When it comes to phishing, the UK was the preferred target of phishers with one in every 178 emails identified as being an attempt to steal credentials.

Malware also hit the UK, with numbers showing that one in 146 emails contained a malicious attachment.

Even though the figures show a decrease in spam, the messages are becoming more sophisticated through the use of shortened URLs, because the recipient can never know what these links might hide.

“Spammers are using free, open source URL shortening scripts to operate these sites,” said Paul Wood, senior intelligence analyst. “After creating many shortened URLs with their own service, the spammers then send spam including these URLs. These particular spammers use subjects designed to attract attention, like ‘It’s a long time since I saw you last!’, ‘It’s a good thing you came’ and so on.

“This is a common social engineering tactic, and is designed to arouse curiosity, particularly if they have a false sense of security around the safety of shortened links,” Wood said.

In October a hacker collective was using 80 public URL shortening sites, most relying on the .info top-level domain to operate.

“It is possible that spammers are setting up their own URL shortening sites since legitimate URL shortening sites, which have long suffered with abuse, have slightly improved their detection of spam and other malicious URLs.

“It’s not fully clear why the sites are public. Perhaps this is simply due to laziness on the spammers’ part, or perhaps an attempt to make the site seem more legitimate,” Wood added.
