YNOT – Digital security firm Symantec has issued a warning about clicking on shortened URLs created using online shortening services like bit.ly, ow.ly, TinyURL.com and others. According to Symantec’s Nick Johnston, the services increasingly are being abused by cyber-villains to obscure domains hosting scams, phishing schemes and drive-by malware.
Johnston indicated what he calls collectively a “large-scale malware attack” probably is a predictable result of the explosion in popularity of micro-blogging and social networking sites that limit the number of characters users may include in their posts. That the forces of evil on the web would try to subvert someone else’s brilliant social engineering comes as no surprise. However, the scale on which the malware distributors are working is gigantic in this case, and the potential repercussions are enormous.
“The explosion in popularity of micro-blogging services and social networking status updates has seen a huge increase in the number of URL-shortening sites,” Johnston noted in a blog posting on Symantec’s website. “The simple and semi-anonymous nature of these sites allow spammers to easily create thousands of links which they then include in their spam in an attempt to evade URL-based spam blocking.
“Recently we saw a large malware attack using URL-shortening services,” he continued. “The attack abused at least five different URL-shortening sites. The message claimed to be from an inter-bank funds transfer service, claiming that a funds transfer had been cancelled. To find out why the transfer was cancelled, recipients were encouraged to click on a link supposedly pointing to a PDF file, but actually pointing to a shortened URL. This shortened URL then redirect[ed them] to a site with several drive-by exploits.”
The attack was particularly troubling because of the way the malware distributors rendered the code underlying the drive-by site.
“The malware site is heavily obfuscated,” Johnston wrote. “Almost its entire content is obfuscated and contained inside a single huge HTML ‘DIV’ element, hidden with inline CSS. When a web browser renders the page, JavaScript is used to de-obfuscate the content and run more JavaScript to carry out exploits. The page attempts several exploits, including exploits targeting PDF and Java, and also uses a Windows Help Center exploit to download more malware.”
“Drive-by attacks” require no action from the user in order to infect his or her machine. Simply visiting a web page bearing drive-by code is enough to compromise an end-user’s system.
For most Windows users, Windows Help Center is a trusted application, leaving them defenseless against at least one prong of the attack about which Johnston warned. Because the malware code was so heavily obfuscated, many antivirus products were unable to detect the exploits.
“We saw hundreds of unique shortened URLs being used to link to this malware and expect to see malware authors using this technique in future,” Johnston warned.
