Link Shortening Services for Credential Harvesting

pmiquel, June 18, 2024

Earlier this month, our takedown team acted against a threat actor who used link-shortening services to hide the URL of a phishing page impersonating one of our financial-institution customers.

The destination was a counterfeit sign-in page carrying the customer’s logo and login fields, built to harvest the online-banking credentials of the institution’s customers.

What is interesting in this case is that the scammers did not use well-known link-shortening services such as Bit.ly or TinyURL. Instead, they used shorteners built specifically for scams, or stood up their own.

BAD ACTORS IN ACTION

Shortened Phishing URLs Harvesting Banking Credentials

In this case, a fraudster targeted customers of this financial institution through SMS messages in May and June 2024.

Those messages included short links such as kn8[.]site/n/FHaFb and vt7[.]site/e/QyWyu.

So far, our team has helped take down five different domains used for link shortening in this campaign.

Link Shortening Services and Credential Harvesting Site Takedown

Initially, the domain registrar and reseller were slow to respond to our takedown team’s requests. When they did reply, they stated that the domain names had been deactivated; our team confirmed, however, that the URLs remained reachable.

Our takedown services team then contacted Switzerland’s National Cyber Security Centre (NCSC) and the registry for the .li (Liechtenstein) and .ch (Switzerland) country-code top-level domains. After our team submitted reports to these organizations, the credential-harvesting domains were removed from DNS. At the time of writing, no DNS records exist for thforum-bo6visit[.]li or visi1-hnrs3[.]li.

URL Shorteners Used as Part of this Incident

Each of these URL-shortening domains, all with three-character second-level labels such as kn8 and vt7, exhibited similar patterns:

• A domain registered with Hostinger

• Multiple domains registered on May 27, 2024, and updated on June 1, 2024

• Domains registered using a domain registration privacy service

• Followed a similar design template

• Websites lacked social media links

Upon further investigation, we found other link-shortening services with websites that used the same design template. Those domains are:

• shortener[.]space

• shorter[.]gg

• tli[.]su

As of June 17, 2024, tli[.]su is blocked by the built-in blocklists of some consumer Wi-Fi routers, and Google Safe Browsing reports, “Some pages on this site are unsafe.”

As of the same date, Google Safe Browsing classifies shortener[.]space and shorter[.]gg as “No unsafe content found.”

A week earlier, Google Safe Browsing had listed both tli[.]su and shorter[.]gg with the warning that some pages on the site are unsafe: the site hosts harmful content, including pages that try to trick visitors into sharing personal information or downloading software.

Each of these URL-shortening sites looks like another service found at amlink[.]pro. The Amlink site links to Ainka Media’s Facebook profile and to Ainka Technology Solutions’ LinkedIn profile. Ainka Technology Solutions is a creative and software agency located in Vietnam.

The LinkedIn profile shows the company has 11-50 employees. Many individual profiles list Ainka as their employer. Ainka Technology Solutions also has a listing in Dun and Bradstreet’s Business Directory.

Abuse of Link Shortening Services

Bad actors have used URL shorteners to disguise malicious URLs for a long time.

Many popular link-shortening services, such as TinyURL, RadiumOne’s Po.st, Ow.ly and Bitly, have safety controls: acceptable-use policies, abuse-reporting forms and link checkers that limit misuse of their platforms. Because those controls make established services harder to abuse, fraudsters look for alternatives, including building link-shortening services of their own.

“…cybercriminals will look for new solutions. Because they keep getting banned everywhere else, they will be the first users to find your new solution. And they will try their best to exploit it — and usually, a new project is easy to exploit because the founder hasn’t done all the anti-abuse work that mature solutions have.”

Developer of URL Shortening Service

Tips for Combating Phishing URL Shortening

It is important to remember that you cannot rely on URL-shortening services to check every shortened link. Educate your employees and customers to treat shortened links with suspicion and to distrust them by default: they can easily lead to credential-harvesting pages, malware and other dangerous content.

When you think about how your organization uses shortened links, consider the message you are sending to your customers. You do not want to train them to click on links they cannot inspect.

Whenever your marketing team needs to use shortened links, choose a service that lets you brand those links with your domain name. This helps keep trust and lowers the chance of confusing customers.

Fraudsters use short links precisely to hide their scam pages. In some cases the phishing content is served only to visitors who arrive through a particular shortened link, which makes it hard to find by ordinary crawling.

Expanding your daily internet monitoring to resolve shortened links to their final destinations helps identify phishing pages that would otherwise stay hidden, and catching them early prevents customers from becoming victims.
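As an added example (not code from the original post or from the takedown team), here is a small Python tool that does what the tips above describe and what the SMS campaign earlier in the post calls for: it pulls links out of SMS text, flags the ones that look like shorteners (the hosts named in this post, plus a heuristic of our own for the three-character-label-on-a-cheap-TLD and short-opaque-path pattern seen in kn8[.]site/n/FHaFb and vt7[.]site/e/QyWyu), and expands each one hop at a time with HEAD requests so the redirect chain and landing host are recorded without ever fetching the page body. The SMS samples, the online.examplebank.test host, the ABUSED_TLDS list and the redirect map are constructed for the example; the post does not give the real destinations of the campaign’s short links, so the .li landing hosts below are hypothetical.

```python
# Added example, not from the original post. The SMS samples, ABUSED_TLDS heuristic and redirect map are constructed.
import re
import urllib.error
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Shortener hosts named in the post (defanging removed) plus the mainstream services it mentions.
KNOWN_SHORTENERS = {"kn8.site", "vt7.site", "shortener.space", "shorter.gg", "tli.su", "amlink.pro",
                    "bit.ly", "tinyurl.com", "ow.ly", "po.st"}
ABUSED_TLDS = {"site", "su", "gg", "space", "pro"}  # TLDs of the campaign's shorteners; a heuristic, not a verdict
# Bare or schemed URLs as they appear in SMS text; the path stops at whitespace or quotes.
URL_RE = re.compile(r"\b(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s<>\"']*)?", re.I)

@dataclass
class Finding:
    url: str
    host: str
    reasons: list[str] = field(default_factory=list)
    chain: list[str] = field(default_factory=list)  # every hop, starting with the input URL
    final_host: Optional[str] = None

def shortener_reasons(host: str, path: str) -> list[str]:
    """Why a link looks like a shortener: known host, tiny label on an abused TLD, opaque slug."""
    host = host.lower()
    reasons = []
    if host in KNOWN_SHORTENERS:
        reasons.append("known shortener")
    labels = host.split(".")
    if len(labels) == 2 and len(labels[0]) <= 4 and labels[1] in ABUSED_TLDS:
        reasons.append("short label on commonly abused TLD")
    if re.fullmatch(r"/(?:[a-z]/)?[A-Za-z0-9]{4,8}", path or ""):
        reasons.append("short opaque path")  # kn8.site/n/FHaFb-style slugs
    return reasons

class _NoAutoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is recorded and bounded by us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_head(url: str) -> tuple[int, Optional[str]]:
    """HEAD one URL and return (status, Location) without following. Use an isolated egress, not a corporate IP."""
    req = Request(url, method="HEAD", headers={"User-Agent": "link-expander/1.0"})
    try:
        with build_opener(_NoAutoRedirect).open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # with auto-redirect off, 3xx responses arrive here
        return err.code, err.headers.get("Location")

def expand(url: str, fetch: Callable = http_head, max_hops: int = 8) -> list[str]:
    """Follow redirects hop by hop; stop on a non-redirect, a loop, or max_hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in seen:
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain

def scan_message(text: str, legit_hosts: set[str], fetch: Callable = http_head) -> list[Finding]:
    """Extract shortener-like links from one message and expand each to its landing host."""
    findings = []
    for m in URL_RE.finditer(text):
        host, path = m.group(1).lower(), m.group(2) or ""
        reasons = shortener_reasons(host, path)
        if not reasons:
            continue
        url = m.group(0) if m.group(0).lower().startswith("http") else "http://" + m.group(0)
        f = Finding(url=url, host=host, reasons=reasons)
        f.chain = expand(url, fetch)
        f.final_host = urlsplit(f.chain[-1]).hostname
        if f.final_host not in legit_hosts:
            f.reasons.append("lands outside the brand's own hosts")
        findings.append(f)
    return findings

# Constructed SMS samples; the two short links are the ones quoted in the post.
SAMPLE_SMS = [
    "Alert: your account is locked. Verify now at kn8.site/n/FHaFb",
    "Your statement is ready: https://online.examplebank.test/statements",
    "Reminder: confirm your device at vt7.site/e/QyWyu or lose access",
]
FAKE_REDIRECTS = {  # constructed stand-in for live HEAD responses; these destinations are hypothetical
    "http://kn8.site/n/FHaFb": (302, "https://thforum-bo6visit.li/login"),
    "http://vt7.site/e/QyWyu": (301, "https://vt7.site/e/QyWyu"),
    "https://vt7.site/e/QyWyu": (302, "https://visi1-hnrs3.li/"),
}

def fake_head(url: str) -> tuple[int, Optional[str]]:
    return FAKE_REDIRECTS.get(url, (200, None))

if __name__ == "__main__":
    for f in (x for msg in SAMPLE_SMS for x in scan_message(msg, {"online.examplebank.test"}, fetch=fake_head)):
        print(f.url, "->", " -> ".join(f.chain[1:]), "|", "; ".join(f.reasons))
```

Swap fake_head for http_head to run it against live links, but do so from an isolated egress (a throwaway VPS or a proxy), not from a corporate address: expanding a link tells the actor that someone is looking, and some kits serve different content depending on source IP or User-Agent. HEAD avoids downloading the phishing page, but a few kits only answer GET; if that matters more than caution, change the method and discard the body. The loop and max_hops guards are there because shortener chains in the wild sometimes bounce through several domains before landing.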
