Category Archives: Hackers

URL Shortening Sites Target Email Weakness

Sites like Tinyurl.com and Bitly.com are the go-to places for Tweeters who do not want long URLs to eat up their typing space. However, shortened URLs have a second, more insidious use. They allow spammers and hackers past the old email filters and into your inbox.

Most email anti-spam engines were created before the use of embedded URLs in emails, not to mention shortened ones. Most anti-spam programs try to trace back the URL to see if the site is dangerous. However, a shortened URL can be used by hackers in two ways.

The first way is simple. They plug the site they want you to get directed to into one of the known and trusted URL shortening sites available for free to the public. Because the URL shortening site is trusted, the link is trusted. However, the link does not take you to the URL shortening site; it takes you where it was originally directed.

Secondly, hackers get even more creative. Once the anti-spam filters get around the URL shortening sites, as some have done, hackers create their own URL shortening sites. Essentially, they shorten a link that’s already shortened. So, when you click on the link, you get redirected not once, but twice. The first redirection is safe; the next is a hacker’s.

This was “yet another example” of cyber-criminals adopting new technology to bypass traditional security measures, said Bradley Anstis, vice-president of technical strategy at M86.

“A lot of the traditional anti-spam engines were developed before Twitter, so they are not geared up to recognize embedded URLs as seen in blended email threats in spam, let alone shortened URLs that link to malicious, or compromised Web pages,” Anstis said.
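As an added illustration (not part of the original post), the sketch below contrasts a filter that trusts the shortener's domain with one that follows the whole redirect chain and judges every hop, including the twice-shortened case. The blocklist, the redirect table and all `.example` domains are constructed stand-ins for live HTTP redirect lookups.

```python
from urllib.parse import urlsplit

# Shorteners named in the post; a real filter would keep a longer list.
TRUSTED_SHORTENERS = {"tinyurl.com", "bitly.com"}
# Constructed sample data: blocklist and redirect table (assumptions).
BLOCKLIST = {"malware.example"}
REDIRECTS = {
    "http://tinyurl.com/abc123": "http://malware.example/payload",
    "http://bitly.com/xyz789": "http://short.example/q1",
    "http://short.example/q1": "http://malware.example/payload",
    "http://bitly.com/n2": "http://short.example/q2",
    "http://short.example/q2": "http://unknown.example/login",
    "http://tinyurl.com/ship42": "http://courier.example/track?id=42",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def naive_verdict(url):
    """Old-style filter: judges only the domain visible in the email."""
    if host(url) in TRUSTED_SHORTENERS:
        return "allow"  # trusted shortener, so the link is trusted
    return "block" if host(url) in BLOCKLIST else "allow"

def resolve_chain(url, redirects=REDIRECTS, max_hops=5):
    """Follow redirects hop by hop; stop on a loop or after max_hops."""
    chain = [url]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:  # redirect loop
            break
        chain.append(nxt)
    return chain

def chain_verdict(url):
    """Judge every hop, and flag links that pass through nested redirectors."""
    chain = resolve_chain(url)
    if any(host(u) in BLOCKLIST for u in chain):
        return "block", chain
    if len(chain) - 1 > 1:  # more than one redirect: shortened twice
        return "suspicious", chain
    return "allow", chain

if __name__ == "__main__":
    for link in ("http://tinyurl.com/abc123", "http://bitly.com/xyz789",
                 "http://bitly.com/n2", "http://tinyurl.com/ship42"):
        print(link, naive_verdict(link), chain_verdict(link)[0])
```
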

Some frightening statistics:

In May 2011, the global ratio of spam in email traffic from new and previously unknown bad sources increased by 2.9 percentage points since April 2011 to 75.8% (1 in 1.32 emails).
The global ratio of email-borne viruses in email traffic from new and previously unknown bad sources was one in 222.3 emails (0.450 percent) in May, a decrease of 0.143 percentage points since April. (From Net-security.org)

So, what can you do to protect yourself? For one, never click on an email link if you do not trust the sender. Two, even if you do trust the sender, try to get to the link organically, meaning follow the normal method. If you are checking on a shipment, go through the main website instead of clicking on the link. These simple tricks will help to keep your computer and information safe from hackers.

Author Bio

This guest post is by Christine Kane from internet service providers. She is a graduate of Communication and Journalism. She enjoys writing about a wide variety of subjects for different blogs. She can be reached via email at: Christi.Kane00 @ gmail.com.

Update:

Here’s a super tip from anarchy4ever – “Some people may call me paranoid but I NEVER click on shortened url links. People should use url enlarger sites such as this one:
http://url-enlarger.appspot.com/”

Just a personal observation – anarchy4ever is far from being paranoid – sounds like a very sensible solution.


Aldi Bot – Build A Botnet For $15!

Psst – wanna build a Botnet – one that can launch a DDoS attack, steal passwords saved in Firefox, steal passwords for Pidgin, remotely execute any file, or use a victim’s computer as a proxy?

No big deal if you haven’t a clue when it comes to the intricacies of coding, or programming – doesn’t matter if you don’t have any hacking skills – if you’ve got just €10 (about $15) to spare, you can buy Aldi Bot …..

Screen shot published by the malware creator.

…. and, create your very own Botnet. Of course, you’ll need the underground forum addresses where this sly tool is available (no, you won’t get those here).

In an over the edge example of “let’s see how far I can push the envelope” – the kiddie script creator will provide hands-on installation instructions for those who need them. According to researchers at GData, who discovered Aldi Bot –

“Chat logs, posted by the malware author, reveal that he actually provides personal assistance for the installation and implementation of the bots, even to malware rookies, so-called noobs, who do not have the slightest idea of how to work with the malicious tools. He even uses TeamViewer to make his customers happy and ready to attack.”

Aldi Bot in action.

In case you might think that this type of do-it-yourself malware creation kit is a new or an unusual phenomenon; it isn’t. Downloadable malicious programs, like this, have been available for some time. Examples of DIY malware kits we’ve covered here in the past, include –

Facebook Hacker

T2W – Trojan 2 Worm (Constructor/Wormer)

Constructor/YTFakeCreator

BitTera.C

I find it discouraging that wannabe cyber crooks, whose technical skills never got past the thumb-texting stage, have such ready access to such powerful malware creation tools. A rather sad reflection on the lack of resources available to the law enforcement community.


“Swatting” – Are You A Potential Victim?

In both Canada and the United States, calling 911 (999 in the UK) will put the caller in contact with emergency services including – Police – Fire – Ambulance. In fact, where I live, all these services are dispatched in response to a 911 call.

Luckily, even if the call is interrupted, emergency personnel with access to Automatic Number Identification, coupled with an Automatic Location Identification (ALI) database, can still dispatch emergency response units to the location generated by the system.

In other words, the location from which the emergency call originated is known, and not subject to mistake. Or is it?

Imagine opening your front door – only to be greeted by this.

Not very likely to happen to you, you’re thinking. Perhaps not – but it does happen to innocent victims and, more to the point, it’s happening with increased frequency. The culprits? Evil lowlifes who misuse call spoofing technology.

Phone phreaking has a long history – those of us who’ve been around since the 1970s should remember these hackers and their free long-distance call hacks. Fast forward to today, and what was once a victimless crime (though not entirely so), has taken on ominous overtones.

Call spoofing (showing a phone number in caller ID, other than the real originating number) in its most vicious form – “swatting” – can have potentially lethal consequences. The twisted idea behind swatting is – faking an emergency of such a magnitude that the response from law enforcement is the deployment of a SWAT team to the location generated by the spoofed phone number.

You can well imagine the chaos such an incident is sure to cause.

From the FBI website:

Needless to say, these calls are dangerous to first responders and to the victims. The callers often tell tales of hostages about to be executed or bombs about to go off. The community is placed in danger as responders rush to the scene, taking them away from real emergencies. And the officers are placed in danger as unsuspecting residents may try to defend themselves.

I must admit; I’ve been completely out of the loop on this one and, until I read the following two newspaper stories this past week, I had no idea of the potential danger.

Toronto man ‘swatted’ by hacker who summoned police

Hacker’s swatting attack calls police to Langley home

Why did they do it?

According to FBI Assistant Special Agent in Charge Kevin Kolbye:

Individuals did it for the bragging rights and ego, versus any monetary gain. Basically, they did it because they could.

It’s not my intention, in this article, to describe just how easily a phone number can be spoofed – but, I was hardly surprised to see roughly 2 Million Google search results covering this.

It’s an unfortunate fact that laws impacting technology issues are seemingly destined to always be in catch-up mode. In my view though, this perversion should be addressed with some sense of urgency.
