The original purpose of “link shorteners” was to make sharing (long) website links easier and to provide a “workaround” for the size restrictions that social media impose on links. Think of services such as Tinyurl, BitLy, Google, LinkedIn and others. When users click on a shortened link, they are redirected to the original uniform resource locator, or url. While legitimate users create a single shortened link to share, a malicious actor can chain multiple redirects before the final landing page.
Threat actor
Recent research shows that the company Prolific Puma offers such services to hackers. First, this threat actor registered thousands of (regular) domain names. It then let these domains age by “parking” them for quite some time. This circumvents traditional security measures, which often rely on temporarily blocking all newly or recently registered domains. Next, Prolific Puma pointed the shortened urls at rogue domains. In that way, phishing mails, fraud, malware and other criminal practices could be delivered through the shortened urls.
What makes it so remarkable is that this service was not discovered through the malware or phishing sites, but ultimately through dns analysis. Indeed, behind the scenes, a dns request is always made to resolve the ip address for the shortened service domain.
Aware
Making users aware of the potential risks of clicking on shortened links is critical. Training in digital hygiene, such as verifying the source before clicking on a link, can help significantly. “Don’t click on shortened links” may seem like the most obvious solution, but in practice it is hardly feasible.
So the message is to secure yourself automatically via SecureDNS. By first forwarding all users’ dns requests to SecureDNS servers, the domain reputation of the requested url can be checked, including that of (the ultimate target of) shortened urls. In doing so, the following rules apply:
- If a user visits a blocked domain, he/she will not get a connection;
- If the domain is whitelisted or not known to be “threatening,” the user will be granted access to the domain.
Devastating
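The filtering rules above, together with the redirect chains described at the start of the article, are easy to model. The following Python block is an added example and is not code from the article or from any SecureDNS product; the blocklist, allowlist, registration dates and redirect chain are constructed sample data, and the `DnsPolicy`, `decide` and `check_redirect_chain` names are assumptions made for illustration. It shows why a rule based only on domain age lets an aged, parked domain through, while a reputation blocklist still stops it at whichever hop of the chain it appears.

```python
"""Added example (not from the article): a minimal model of a reputation-based
DNS policy.  Every hostname a client resolves, including each hop of a
shortened-link redirect chain, is checked before the resolver answers.
All lists, domains and dates below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit

BLOCK = "BLOCK"
ALLOW = "ALLOW"


@dataclass
class DnsPolicy:
    blocklist: set                  # domains with a known-bad reputation
    allowlist: set                  # explicitly trusted domains
    max_age_days: int = 30          # optional "newly registered domain" rule
    registered: dict = field(default_factory=dict)  # domain -> registration date
    today: date = date(2023, 11, 1)  # constructed reference date

    def _matches(self, domain, listing):
        # A listed domain also covers all of its subdomains.
        parts = domain.lower().rstrip(".").split(".")
        return any(".".join(parts[i:]) in listing for i in range(len(parts)))

    def decide(self, domain):
        """Apply the rules: blocked -> no connection; whitelisted or unknown
        -> access.  A domain counts as "newly registered" only when its
        registration date is known and younger than max_age_days."""
        if self._matches(domain, self.blocklist):
            return BLOCK
        if self._matches(domain, self.allowlist):
            return ALLOW
        reg = self.registered.get(domain.lower())
        if reg is not None and (self.today - reg).days < self.max_age_days:
            return BLOCK
        return ALLOW


def check_redirect_chain(policy, start_url, redirects):
    """Walk a shortened link through its redirects, checking the domain of
    every hop.  `redirects` is a constructed dict url -> next url that stands
    in for the HTTP 30x answers a real client would receive.
    Returns (verdict, list of hostnames visited)."""
    hops = []
    seen = set()
    url = start_url
    while url is not None and url not in seen:
        seen.add(url)
        host = urlsplit(url).hostname or ""
        hops.append(host)
        if policy.decide(host) == BLOCK:
            return BLOCK, hops       # stop at the first blocked hop
        url = redirects.get(url)     # None once the final landing page is reached
    return ALLOW, hops


# Constructed sample data (not real indicators).
REGISTRATIONS = {
    "aged-parked.example": date(2022, 1, 15),  # parked for almost two years
    "fresh.example": date(2023, 10, 25),       # registered a week ago
}
POLICY = DnsPolicy(
    blocklist={"aged-parked.example"},         # reputation known to be bad
    allowlist={"corp.example"},
    registered=REGISTRATIONS,
)
AGE_ONLY_POLICY = DnsPolicy(blocklist=set(), allowlist=set(),
                            registered=REGISTRATIONS)
REDIRECTS = {
    "https://short.example/abc": "https://hop.example/x",
    "https://hop.example/x": "https://aged-parked.example/login",
}

if __name__ == "__main__":
    print("age-only rule on aged domain :", AGE_ONLY_POLICY.decide("aged-parked.example"))
    print("reputation rule on aged domain:", POLICY.decide("aged-parked.example"))
    print("shortened link chain          :", check_redirect_chain(POLICY, "https://short.example/abc", REDIRECTS))
```

Running the block prints `ALLOW` for the aged domain under the age-only rule and `BLOCK` under the reputation rule, and the shortened link is stopped at its third hop. In a real deployment the `decide` step sits inside the forwarding resolver, so the client simply receives no usable answer for a blocked name.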
The consequences of malicious activity via shortened domain names can be devastating. Individuals risk identity theft, financial losses and privacy breaches. For businesses, these attacks can lead to data theft, disruption of business operations and damage to reputation. This underscores the urgent need for robust security measures and awareness training within organizations and among users.
Source: Computable.nl