Hacktivists using Shortened Links to Hide Malware Servers
Several times I have received direct tweets or replies on Twitter with a message like “Check this out!”, “This is along the same lines”, or “If you think that is bad, check this out”. The profile picture of the sender is usually a professional looking businessman or a pretty lady. And the included link is a shortened URL.
Why some people are just so friendly right?
But running the shortened URLs through a link unshrinker told a different story. One of the first evil links that I found was four lines long when unshrunk and included an IP address of a known Russian Business Network (RBN) host. But the way they formatted the link, the actual website called was at the end of the link and pointed to a server in the US.
I have seen the same tactic used on a forum discussing the 9/11 Anti-American protests that are going on now in many Islamic countries. A comment posted, by a very pretty lady (of course), had an anti-Islamic message and a shortened link. The link unshortened was a very long masked URL.
“Most did not recognise that people using fake profiles, perhaps masquerading as school friends, could capture information and movements. Few consider the possibilities of data mining and how patterns of behaviour can be identified over time.”
Unfortunately, with sites like twitter, once you click on the link, you are instantly taken to the site without being able to preview it. And with the nasty zero-day exploits that are out there (IE and Java 7) just visiting a site and allowing a script to run could allow full remote control of your computer to a remote hacker.
As the Anti-American protests continue, expect these tactics to increase. Be careful what you click on and who you befriend on Social Media sites. And always run a script blocking program like “NoScript“.