Small but powerful — shortened URLs as an attack vector

Using tiny URLs to redirect users to phishing and malware domains is nothing new, but just because it’s a common delivery tactic doesn’t mean that attackers aren’t using it to deliver new malware samples. We recently received a report of a phishing email from one of our users here at PhishMe that employed a shortened Google URL and led to some surprising malware.

Through the power of user reporting, we received the report, discovered the malicious nature of the shortened URL, and reported the issue to Google – all within a span of 30 minutes. Google reacted quickly and took the link down shortly after our report.

It started with the following phishing email:

Figure 1 — Phishing email

Typically, you can modify a goo.gl link from goo.gl/ to goo.gl/info/, which will bring you to the Google analytics page, revealing the underlying URL. This link has gotten a whopping 281 total clicks.

Figure 2 — Google Analytics page

So what have these people been clicking on? Clicking on the shortened URL downloads a malicious .zip file that leads to a variant of our old friend Cryptowall, which attackers used to collect hundreds of thousands in ransom payments back in June.

Figure 3 — Cryptowall ransom page

Updated anti-virus should protect you from this threat, right? In this case, it probably won’t since only a fraction of vendors are picking up on this malware at the time of writing.

Figure 4 — Virustotal page

How much has this attack netted so far? At the time of writing, it was around 38 bitcoins, or roughly $22,000 USD.

Figure 5 — Bitcoin wallet

By following the bitcoin wallet exchanges, we have been able to successfully tie the bitcoin wallet from above to the earlier Cryptowall campaign from the beginning of June. One of the wallets they are using, 1Leo, currently contains a staggering 710 transferred bitcoins, or roughly $415,000 USD. However, one thing worth noting is that the last transaction to this address was on 7/19/2014, while more funds were being transferred to other accounts as of 7/31/2014, so there are bitcoins (and money) currently not accounted for.

Figure 6 — 1Leo Bitcoin wallet

We’ve been seeing a lot of attacks like this recently, as tiny URLs have grown along with the explosion of short messaging and blogging services where users have a limitation on their character count or want to shorten messages for mobile users.

Using shortened URLs allows attackers to exploit human weaknesses in a number of ways. By making it more difficult to view and analyze the underlying URL, shortened URLs are more likely to be clicked by the busy or distracted employee who won’t take the time to analyze the link. Since many phishing emails aim to elicit an emotional response from the recipient by threatening negative consequences, a frazzled employee may also hastily click on a short link. Shortened URLs also take advantage of the fact that many employees simply may not be aware of how to view the destination of a shortened URL.

In this example, the best defense against a shortened URL is a user who analyzes the context in which he/she is receiving the email. Savvy users can be trained to recognize a number of red flags that will allow them to dismiss many phishing emails before they even look at the links, based purely on the context of the email. If those users can also easily report these emails to the IR team, you can take remedial action against threats like this one that are not picked up by anti-virus, and you can do so quickly (in this case 30 minutes).

As we’ve mentioned before on this blog, the best way to protect users/enterprises is to take the following steps:

1. Be on the lookout for zip files that contain executable or screen saver files.
2. Be wary of any zip file being downloaded.
3. Search for and remove emails containing the subjects discussed.
4. Raise user awareness, including encouraging user reporting.
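The goo.gl/info/ lookup described earlier and the zip-file checks in steps 1 and 2 above, combined into a small triage helper for an IR team; this is an added example, not PhishMe's code. The shortener list, the hop limit and the offline redirect chain (`FAKE_CHAIN`, `fake_head`) are constructed assumptions; in production `head` would wrap `requests.head(url, allow_redirects=False)`.

```python
from urllib.parse import urlparse, urljoin

# Common public shorteners (assumption: extend for your environment).
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}
# File types the post's remediation steps single out, plus plain executables.
RISKY_SUFFIXES = (".zip", ".exe", ".scr")
MAX_HOPS = 5  # stop following redirects after this many hops

def is_shortened(url):
    """True when the URL points at a known shortener host."""
    return urlparse(url).hostname in SHORTENER_HOSTS

def goo_gl_info_url(url):
    """Rewrite goo.gl/<id> to goo.gl/info/<id>, the analytics page the post
    uses to see the destination without following the link."""
    p = urlparse(url)
    if p.hostname != "goo.gl" or p.path.startswith("/info/"):
        return url
    return p._replace(path="/info" + p.path).geturl()

def expand_url(url, head):
    """Walk the redirect chain with HEAD requests only, never fetching a body.

    `head(url)` returns (status_code, headers_dict). Returns
    (chain, final_url, risky) where risky means the final path looks like
    an archive or executable download.
    """
    chain = [url]
    for _ in range(MAX_HOPS):
        status, headers = head(chain[-1])
        location = headers.get("Location")
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        chain.append(urljoin(chain[-1], location))  # handle relative Location
    final = chain[-1]
    return chain, final, urlparse(final).path.lower().endswith(RISKY_SUFFIXES)

# Constructed offline chain mimicking the post: shortener -> redirector -> .zip
FAKE_CHAIN = {
    "https://goo.gl/AbCd12": (301, {"Location": "http://redirector.example/r/42"}),
    "http://redirector.example/r/42": (302, {"Location": "/payload/Invoice_0731.zip"}),
    "http://redirector.example/payload/Invoice_0731.zip": (200, {"Content-Type": "application/zip"}),
}

def fake_head(url):
    """Stand-in for a real HEAD request, answering from FAKE_CHAIN."""
    return FAKE_CHAIN.get(url, (404, {}))

if __name__ == "__main__":
    u = "https://goo.gl/AbCd12"
    print(is_shortened(u), goo_gl_info_url(u))
    print(expand_url(u, fake_head))
```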
