Mass URL Shortener Abuse Seen in Recent Malware Attack

Security researchers from Symantec warn that the abuse of URL shortening services is increasing with recent large scale malware distribution campaigns using the technique.

URL shorteners are great for obfuscating links, especially when many of them are used together to create multiple hops before landing victims to the payload page.

A spam campaign recently spotted by Symantec generates emails purporting to come from an inter-bank funds transfer service.

The rogue messages claim that a transfer was canceled and ask recipients to see a .pdf report located at an external address.

However, clicking the included link does not open any document. Instead, users are redirected through several short URLs until they land on a drive-by download page.

The page launches exploits for several known vulnerabilities in popular applications like Adobe Reader and Java, as well as Windows.

"Almost its entire content is obfuscated and contained inside a single huge HTML 'DIV' element, hidden with inline CSS.

"When a web browser renders the page, JavaScript is used to de-obfuscate the content and run more JavaScript to carry out exploits," Symantec expert Nick Johnston explains.

The security researcher notes that hundreds of unique short URLs have been spotted in this campaign so far and more will probably be generated. URL shorteners are commonly abused by spammers. Because of this, these services have improved their reaction time and response capabiltiies.

But, cyber crooks have begun creating their own URL shortening services in order to keep redirect URLs alive as long as possible. Back in May, a malware distribution campaign generating fake NACHA emails was seen using thousands of shortened URLs.

Users are advised to keep all of their programs up to date in order to avoid falling victim to drive-by downloads. There are browser and email client extensions that automatically expand shortened URLs. The ones leading to other URL shortening services shouldn't be trusted.