Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login

Analyzing Black Hat URL Shorteners

September 29, 2015Denis Sinegubko

Hackers are known to use URL shortening services to hide their real landing pages. The trick is very effective in clickbait scams on social networks. Some hackers also think that using URL shorteners in site injections makes the injection less likely to be flagged as malicious, because blacklist maintainers cannot simply block every link on bitly.com or goo.gl without breaking legitimate traffic. As a result, we regularly find shortened URLs in .htaccess files and in the src parameters of injected scripts and iframes.

This is an excerpt from a pharma spam cloaking script that my colleague Cesar Anjos found on a compromised site.

```php
<?php
// Cloaking excerpt. $is_human and $server_referer are set earlier in the script (not shown).
// Visitors not classified as human (search engine crawlers) get the content of export.php.
if(@$is_human == false)
{
@include("export.php");
exit;
}
// Human visitors referred by a search engine are redirected to the shortened spam URL.
if(strpos($server_referer, 'baidu.') or strpos($server_referer, 'yandex.') or strpos($server_referer, 'aol.') or strpos($server_referer, 'yahoo.') or strpos($server_referer, 'bing.') or strpos($server_referer, 'google.'))
{
@header("Location: hxxp://tiny-link .org/sHxZMEw9JB");
exit;
}
```

Tiny Links .org

The script hands visitors it does not consider human (typically search engine crawlers) the content of export.php, and redirects human visitors who arrive from search engine results to a pharma spam site whose real address is hidden behind the tiny-link .org URL shortener.

I guess not many of you know the tiny-link . org service. The site itself has no information about who provides it. At the time of writing, the website says “Sorry, service is currently not available. Please try again later.”

Black Hat Origins

If you Google the domain name, you will only find a lot of comment spam links that point to pharma sites. This makes sense once you look into the website’s background. The URL shortening site is hosted on the same servers (69.64.46.25 and 80.91.176.194) as pharma sites like these:

  • goldenpharma24x7[.]com
  • brilliantmeds[.]com
  • hellopills[.]com
  • erameds[.]com
  • ultrapills24[.]com
  • onepills[.]com
  • buybetnovate.storemeds[.]net

and so on.

The VirusTotal pages for these IP addresses also reveal sister URL shortener sites that belong to the same people, s-links .org and shorto .net, plus an anonymous email service, mailtemp .org.

Now it’s clear that these URL shorteners were created specifically for black hat SEO campaigns. Why? On one hand, the domains of such “pseudo-public” services are less likely to be blacklisted than a domain that only hosts spam. On the other hand, unlike links on a legitimate shortener, the shortened links won’t be disabled after abuse complaints, which is meant to keep the spam campaigns running longer.
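The places where such shortened URLs turn up (.htaccess redirect rules, header() redirects in PHP cloaking scripts like the one above, and the src attributes of injected scripts and iframes) can be checked mechanically. The following Python script is an added example for this post, not code from the original article or from any Sucuri tool. It scans constructed .htaccess, PHP and HTML samples (modelled on the injections described here, not real captures) for URLs in those three contexts, classifies the domain against the three black hat shorteners named in this post and an assumed list of well-known public shorteners, flags unknown domains whose path looks like a shortener slug, and notes whether the file also inspects the referrer for search engine names, as the cloaking script does. The slug heuristic, the public shortener list and the sample inputs are assumptions for illustration.

```python
"""Flag shortened URLs in places they should not be: .htaccess redirect rules,
PHP header() redirects, and <script>/<iframe> src attributes.

Added example for this post; not part of the original article or of any Sucuri
tool. Domain lists (other than the three black hat shorteners named in the post),
the slug heuristic and all sample inputs are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Shorteners the post ties to pharma spam infrastructure.
BLACK_HAT_SHORTENERS = {"tiny-link.org", "s-links.org", "shorto.net"}
# Well-known public shorteners (assumed list; not from the post).
PUBLIC_SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "tinyurl.com"}

URL_RE = re.compile(r"""https?://([a-z0-9.-]+)(/[^\s"'<>)\]]*)?""", re.I)
# A bare path such as /sHxZMEw9JB (no directories, no extension): typical shortener slug.
SLUG_RE = re.compile(r"^/[A-Za-z0-9_-]{4,12}$")
# Contexts in which a shortened URL inside a site's own files is a red flag.
CONTEXT_RES = {
    "htaccess_redirect": re.compile(
        r"^[ \t]*(?:RewriteRule|Redirect(?:Match)?|ErrorDocument)\b.*$", re.I | re.M),
    "php_header_redirect": re.compile(r"""header\s*\(\s*['"]\s*Location:[^)]*\)""", re.I),
    "script_or_iframe_src": re.compile(
        r"""<(?:script|iframe)\b[^>]*\bsrc\s*=\s*['"][^'"]+['"]""", re.I),
}
REFERER_RE = re.compile(r"HTTP_REFERER|\$server_referer", re.I)
ENGINES = ("google", "bing", "yahoo", "yandex", "baidu", "aol")


@dataclass
class Finding:
    context: str         # which of CONTEXT_RES matched
    domain: str
    url: str
    verdict: str         # black_hat_shortener | public_shortener | shortener_like | other
    referer_gated: bool  # the file also reads the referrer and names a search engine


def classify(domain: str, path: str) -> str:
    if domain in BLACK_HAT_SHORTENERS:
        return "black_hat_shortener"
    if domain in PUBLIC_SHORTENERS:
        return "public_shortener"
    if SLUG_RE.match(path):
        return "shortener_like"  # unknown domain, but the URL has a slug shape
    return "other"


def is_referer_gated(text: str) -> bool:
    """Heuristic: the file reads the referrer AND mentions a search engine, the
    pattern of the cloaking script (redirect only for search engine traffic)."""
    low = text.lower()
    return bool(REFERER_RE.search(text)) and any(e in low for e in ENGINES)


def scan(text: str) -> list[Finding]:
    gated = is_referer_gated(text)
    findings = []
    for context, rx in CONTEXT_RES.items():
        for m in rx.finditer(text):
            for um in URL_RE.finditer(m.group(0)):
                domain = um.group(1).lower().rstrip(".")
                path = um.group(2) or "/"
                findings.append(Finding(context, domain, um.group(0),
                                        classify(domain, path), gated))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    """What a cleanup should look at first: any black hat shortener, any slug-shaped
    URL on an unknown domain, and any public shortener used in a referrer-gated redirect."""
    return [f for f in findings
            if f.verdict in ("black_hat_shortener", "shortener_like")
            or (f.verdict == "public_shortener" and f.referer_gated)]


# Constructed samples modelled on the injections the post describes.
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteRule ^(.*)$ http://tiny-link.org/aBc123xyz [R=302,L]
"""
SAMPLE_PHP = """<?php
if (strpos($_SERVER['HTTP_REFERER'], 'google.')) {
    @header("Location: http://bit.ly/2x9abcd");
    exit;
}
"""
SAMPLE_HTML = ('<iframe src="http://shorto.net/a1B2c3" width="1" height="1"></iframe>\n'
               '<script src="https://cdn.example.com/js/jquery.min.js"></script>\n'
               '<script src="http://short.example/qQ7wE2"></script>\n')

if __name__ == "__main__":
    for name, text in (("htaccess", SAMPLE_HTACCESS), ("php", SAMPLE_PHP), ("html", SAMPLE_HTML)):
        for f in suspicious(scan(text)):
            print(f"{name}: {f.context} -> {f.url} [{f.verdict}, referer_gated={f.referer_gated}]")
```

A public shortener in a plain script tag is reported but not flagged, since legitimate sites do use them; the same shortener inside a referrer-gated redirect is flagged, because the combination is the cloaking pattern rather than the domain alone. Run it over a site's document root with the samples replaced by file contents.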

Reputation Matters

While the services themselves are not malicious, it’s really not a good idea to use them if you need a URL shortener:

  • They look more suspicious than links from popular services.
  • They don’t provide the extra features other shorteners offer you and your visitors (malware protection, click statistics, URL preview, etc.).
  • The services may disappear at any time, and your shortened links will stop working.
  • Since the services are run by people associated with hackers, your shortened URLs may at some point start serving malware instead of redirecting to your web pages.

Given all this, it is always a good idea to choose only reputable URL shortening services.

Categories: Website Security. Tags: SEO Spam, URL Shorteners

About Denis Sinegubko

Denis Sinegubko is Sucuri’s Senior Malware Researcher, who joined the company in 2013. Denis’ main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

© 2021 Sucuri Inc. All rights reserved