Analyzing Black Hat URL Shorteners

  • September 29, 2015

Hackers are known to use URL shortening services to obfuscate their real landing pages. It’s very effective in clickbait scams on social networks. Some hackers think that using URL shorteners in site injections makes it less likely to be flagged as malicious because authorities cannot simply blacklist a link from bitly.com or goo.gl, so we regularly find shortened URLs in .htaccess files and in src parameters of injected scripts and iframes.

This is an excerpt from a pharma spam cloaking script, found by my colleague Cesar Anjos on one compromised site.

if(@$is_human == false)
{
@include("export.php");
exit;
}
if(strpos($server_referer, 'baidu.') or strpos($server_referer, ' yandex.') or strpos($server_referer, 'aol.') or strpos($server_referer, 'yahoo.') or strpos($server_referer, 'bing.') or strpos($server_referer, 'google.'))
{
@header("Location: hxxp://tiny-link .org/sHxZMEw9JB");
exit;
}

Tiny Links .org

The script looks for human visitors who come from search engine results and redirects them to a Pharma spam site whose address is obfuscated using the tiny-link .org URL shortener.

I guess not many of you know the tiny-link . org service. The site itself has no information about who provides this service. At the time of writing, the website currently says “Sorry, service is currently not available. Please try again later.”

Black Hat Origins

If you Google the domain name, you will only find a lot of comment spam links that point to Pharma sites. It makes sense once you investigate the websites background information. The URL shortening website is hosted on the same servers (69.64.46.25 and 80.91.176.194) as Pharma sites like these:

goldenpharma24x7[.]com
brilliantmeds[.]com
hellopills[.]com
erameds[.]com
ultrapills24[.]com
onepills[.]com
buybetnovate.storemeds[.]net
etc

.

The VirusTotal pages help reveal the sister URL shortener sites that belong to the same people: s-links .org and shorto .net, plus an anonymous email service mailtemp .org.

Now it’s clear that these URL shorteners have been specifically created to be used in black hat SEO campaigns. Why? On one hand, the domains of such “pseudo-public” services are less likely to be blacklisted, and on the other hand, the shortened domains won’t be disabled after complaints, which is supposed to improve sustainability of their spam campaigns.

Reputation Matters

While the services themselves are not malicious, it’s really not a good idea to use them if you need a URL shortener:

  • They look more suspicious than links from popular services.
  • They don’t provide additional services for you and other users (malware protection, statistics, URL details, etc.)
  • The services may disappear any time and your shortened links will stop working.
  • Since the services are associated with hackers, your shortened URLs may occasionally start serving malware instead of redirecting to your web pages.

Given all this, it is always a good idea to choose only reputable URL shortening services.

Denis Sinegubko is Sucuri’s Senior Malware Researcher who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn’t analyzing malware, you might not find him online at all. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like