Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
Brevity is the gateway to malware, and shortened URLs continue to obfuscate malicious destinations.
After reports that thousands of .us domains have been scooped up and associated with a malicious link-shortening service “that facilitates malware and phishing scams,” according to Krebs on Security, IT pros who spoke with IT Brew acknowledged that solving the tiny-URL problem is no small task. Network managers can’t just shut one door and block them all.
“We see malicious actors change domains on a 24-hour basis; they use a domain for one day, they switch domains every other day. So it’s kind of hard to keep up with that,” Jonathan Broche, director of penetration testing at MorganFranklin Consulting, told IT Brew.
Threat actors who send a shortened URL over text, email, social media, or other communication channels can redirect users to phishing sites or locations that serve up information-stealers or other varieties of nasty code.
A selective swat of sites is an easy enough fix with today’s web filters and firewalls—except if there are thousands of .us domains being picked up by a phish-friendly URL-shortening service, which was just what network-security company Infoblox and Krebs on Security detailed on Halloween.
A group known as Prolific Puma used a registered domain generation algorithm, or RDGA, which allows users to create many addresses at once. The Puma crew then used the domains to provide link shorteners to other scammers and phishers looking to evade detection, according to the Infoblox report.
“The .us domain is often used for legitimate purposes, and also legitimate link shorteners. And that way you can’t just wholesale block .us,” Johannes Ullrich, dean of research at the SANS Technology Institute, told us.
Established mini-link providers like Bitly have forms for reporting abuse of the functionality. Many shortening sites, including Bitly and TinyURL, also have helpful preview functions that reveal the redirected destination.
Yet .us domain registrars have had a tricky time blocking bad actors. An August 2023 report from the Interisle Group said the .us top level domain, despite requirements that limit registrations to “parties with a national connection,” has “had very high numbers of phishing domains,” adding, “This indicates a possible problem with the administration or application of the nexus requirements.”
As domain registrars face challenges when verifying the identity behind the destinations and firewall managers face the trouble of not being able to block all the last of .us, a big defender in the fight will be the suspicious end-user.
“It really boils down to training your users to not click on emails that they’re not expecting, and not opening attachments from people they don’t trust,” Broche said.
That kind of instruction, of course, is the shortened version.