URL shortening services under major attack says Symantec

According to Nick Johnston, a senior software engineer with the IT security vendor, the May 2011 MessageLabs Intelligence Report noted these types of attacks, which have arisen as a result of the rise of microblogging services like Twitter.

The simple and semi-anonymous nature of these sites, he asserts in his latest security posting, allows spammers to easily create thousands of links which they then include in their spam in an attempt to evade URL-based spam blocking.

"Recently we saw a large malware attack using URL shortening services. The attack abused at least five different URL shortening sites", he said.

"The message claimed to be from an inter-bank funds transfer service, claiming that a funds transfer had been cancelled. To find out why the transfer was cancelled, recipients were encouraged to click on a link supposedly pointing to a PDF file, but actually pointing to a shortened URL. This shortened URL then redirects to a site with several drive-by exploits," he added.

Johnston goes on to say that the malware site is heavily obfuscated, with almost its entire content being hidden and contained inside a single huge HTML DIV element, itself hidden within inline cascading style sheets.

When a web browser renders the page, the Symantec researcher says that JavaScript is used to de-obfuscate the content and run more JavaScript to carry out the required exploits.

The page then attempts several exploits - including exploits targeting Adobe PDF and Java - and also uses a Windows Help Centre exploit to download more malware.
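A defender-side heuristic for the page layout described above, added here as an example and not taken from Symantec's posting: it flags pages where nearly all text sits inside one DIV hidden by inline CSS and a script is present to unpack it. The names `HiddenDivScanner` and `hidden_payload_score`, the thresholds and both sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)  # inline hiding

class HiddenDivScanner(HTMLParser):
    """Measures how much page text sits inside inline-hidden DIV elements."""
    def __init__(self):
        super().__init__()
        self.depth = 0           # DIV nesting depth inside a hidden DIV (0 = visible)
        self.skip = False        # currently inside <script> or <style>
        self.total = 0           # text characters outside <script>/<style>
        self.per_div = []        # characters held by each outermost hidden DIV
        self.has_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip = True
            self.has_script |= tag == "script"
        elif tag == "div" and self.depth:
            self.depth += 1      # nested DIV inside an already hidden one
        elif tag == "div" and HIDDEN.search(dict(attrs).get("style") or ""):
            self.depth = 1
            self.per_div.append(0)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = False
        elif tag == "div" and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        n = 0 if self.skip else len(data.strip())
        self.total += n
        if self.depth:
            self.per_div[-1] += n

def hidden_payload_score(html, ratio=0.9, min_chars=200):
    """Return (suspicious, share of page text inside the largest hidden DIV)."""
    s = HiddenDivScanner()
    s.feed(html)
    s.close()
    biggest = max(s.per_div, default=0)
    share = biggest / s.total if s.total else 0.0
    return (s.has_script and biggest >= min_chars and share >= ratio), share

# Constructed samples: an opaque blob in one hidden DIV versus an ordinary page.
SUSPECT = ('<html><body><div style="display:none">' + "4f2a9c" * 100 +
           '</div><script>/* decoder placeholder */</script></body></html>')
BENIGN = ('<html><body><p>' + "Quarterly report text. " * 20 + '</p><div style='
          '"display:none">menu</div><script>var a=1;</script></body></html>')
```

The score only reflects static markup, so it suits triage of fetched landing pages ahead of sandboxed rendering rather than a final verdict.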

"We saw hundreds of unique shortened URLs being used to link to this malware, and expect to see malware authors using this technique in future", he notes in this latest security posting.
