Hacktivists Using Shortened Links to Hide Malware Servers

Monday, October 15, 2012

Dan Dieterle

B64e021126c832bb29ec9fa988155eaf

Several times I have received direct tweets or replies on Twitter with a message like “Check this out!”, “This is along the same lines”, or “If you think that is bad, check this out”. The profile picture of the sender is usually a professional looking businessman or a pretty lady. And the included link is a shortened URL.

Why some people are just so friendly right?

But running the shortened URLs through a link unshrinker told a different story. One of the first evil links that I found was four lines long when unshrunk and included an IP address of a known Russian Business Network (RBN) host. But the way they formatted the link, the actual website called was at the end of the link and pointed to a server in the US.

I have seen the same tactic used on a forum discussing the 9/11 Anti-American protests that are going on now in many Islamic countries. A comment posted, by a very pretty lady (of course), had an anti-Islamic message and a shortened link. The link unshortened was a very long masked URL.

Recently, the Telegraph posted an article on the Taliban using pretty girl profiles on Facebook to try to befriend and get information from allied troops:

“Most did not recognise that people using fake profiles, perhaps masquerading as school friends, could capture information and movements. Few consider the possibilities of data mining and how patterns of behaviour can be identified over time.”

Unfortunately, with sites like twitter, once you click on the link, you are instantly taken to the site without being able to preview it. And with the nasty zero-day exploits that are out there (IE and Java 7) just visiting a site and allowing a script to run could allow full remote control of your computer to a remote hacker.

As the Anti-American protests continue, expect these tactics to increase. Be careful what you click on and who you befriend on Social Media sites. And always run a script blocking program like “NoScript“.

Cross-posted from Cyber Arms

Possibly Related Articles:
10951
Viruses & Malware
Information Security
malware Security Awareness Hacktivist Malicious URL
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.