<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Shortened URLs are like an express train for cyber attackers to your sensitive data. We all know phishing tactics, and spear phishing ones in particular, have become more evasive over time, weakening a victim's ability to recognize if they are being targeted. With shortened URLs - the problem becomes even worse. <a href="https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/" rel="noopener">WeLiveSecurity</a> have recently uncovered a mobile malware and spam campaign using shortened URLs to infect victims.</p> <p><!--more-->Text messages are meant to be short and sweet, leaving no room for a lengthy URL. Heck, just taking a quick look at my recent SMS history shows that both my mobile network provider, parking payment service and neighborhood grocery store use <a href="https://bitly.com/" rel="noopener" target="_blank">bitly</a> shortened URLs instead of linking their website directly. When a user clicks on a shortened URL, the traffic is then redirected to the original URL's location. In the mobile malware campaign mentioned above, malicious shortened links sent victims to unwanted internet addresses, then prompting them with a variety of scams.</p> <p><img src="https://www.welivesecurity.com/wp-content/uploads/2021/07/Figure-2.-Malware-distribution-process-1024x668.jpg" loading="lazy" width="590" style="width: 590px; margin-left: auto; margin-right: auto; display: block;" alt="infection_vectors"></p> <p style="text-align: center; font-size: 12px;"><span style="font-size: 14px;"><em>Infection consequences on the different operating systems. Image: WeLiveSecurity</em></span></p> <p style="text-align: center; font-size: 16px;">Each operating system has been targeted with different attack outcomes in this campaign, aside from malvertising which floods victims with any OS with unwanted ads. iOS targets that clicked on the shortened link had their calendars spammed with tons of fake events, leading the victim to think their phone has been infected with malware and they "must click on a link to remove it" (obviously leading to more malicious downloads). On the other side of the mobile OS kingdom, calendars may have been spared, but Android users had the most dangerous consequences of all if they accidentally fell for a malicious shortened link. The websites they were sent to prompted the victims to download a malicious application, which led to the download of various banking trojans such as Cerberus, Ginp, and Teabot.</p> <h5 style="font-size: 18px; text-align: left;">&nbsp;</h5> <h5 style="font-size: 18px; text-align: left;">Block the referrals - prevent the infection</h5> <p>Behavior-based security solutions are nice, but aside from being way too expensive, they often let malware enter right through your network gates. Utilizing DNS RPZ technology, you can block malicious referrals right at the gateway. Automatically updated blocklists on your organization's DNS with the latest threat intelligence will barre communication with evil domains, even if someone on the network innocently clicks on a shortened malicious URL. Another layer of defense is activated once the C2 servers are also included in your blocklists, ensuring that they cannot communicate with your network either [see C2 IOC list below].</p> <p><span><a href="http://threatstop.com/solutions/threatstop-dns-firewall-overview" rel="noopener">ThreatSTOP's DNS Defense</a> turns existing and future DNS systems into Protective DNS (PDNS). Using continuous updates from 900+ Threat Intelligence sources, DNS Defense stops dangerous and unwanted DNS traffic before damage is done.</span></p> <p>Add in predictive feedback loops and customer-specific block and allow lists, and you have ThreatSTOP's highly adaptive DNS protection. There is no new equipment to buy, or threat intelligence sources to tap into - ThreatSTOP provides the data, the integrations, and the automation to keep your DNS systems tuned for the newest threats.</p> <p>&nbsp;</p> <p>If you are a ThreatSTOP customer, you are protected from the IOCs of this campaign. If you are not (yet) our customer, we suggest you immediately implement blocking its control and command servers:</p> <h5 style="font-size: 18px; text-align: center;">C2 Domains</h5> <table width="364" style="border-collapse: collapse; table-layout: fixed; margin-left: auto; margin-right: auto; border: 1px solid #99acc2; width: 476px; height: 196px;" height="189"> <tbody> <tr style="height: 39px;"> <td style="width: 156px; height: 39px;">mmunitedaw[.]info</td> <td style="width: 161px; height: 39px;">rycovernmen[.]club</td> <td style="width: 159px; height: 39px;">emanalyst[.]biz</td> </tr> <tr style="height: 39px;"> <td style="width: 156px; height: 39px;">honeiwillre[.]biz</td> <td style="width: 161px; height: 39px;">ssedonthep[.]biz</td> <td style="width: 159px; height: 39px;">schemics[.]club</td> </tr> <tr style="height: 39px;"> <td style="width: 156px; height: 39px;">omeoneha[.]online</td> <td style="width: 161px; height: 39px;">fceptthis[.]biz</td> <td style="width: 159px; height: 39px;">oftongueid[.]online</td> </tr> <tr style="height: 39px;"> <td style="width: 156px; height: 39px;">ommunite[.]top</td> <td style="width: 161px; height: 39px;">eaconhop[.]online</td> <td style="width: 159px; height: 39px;">offeranda[.]biz</td> </tr> <tr style="height: 39px;"> <td style="width: 156px; height: 39px;">sityinition[.]top</td> <td style="width: 161px; height: 39px;">fjobiwouldli[.]biz</td> <td style="width: 159px; height: 39px;">ransociatelyf[.]info</td> </tr> </tbody> </table> <p style="font-size: 12px;">&nbsp;</p> <p>&nbsp;</p> <p style="font-weight: bold;"><em>Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?</em></p> <p></p> <p></p></span>