Malicious Code Research (MCRC) Blog - 2009
Evasive URL techniques
At least two popular web browsers, Firefox and Chrome, use Google Safe Browsing to warn users about phishing sites and other malware. Cybercriminals seem to be aware that users who get the warning screens shown below from these browsers will avoid visiting the flagged site:
Since cybercriminals have figured this out, we are starting to see new and interesting techniques that easily bypass the Safe Browsing mechanism. One of them is the use of URL shortening and redirection services such as TinyURL. TinyURL (www.tinyurl.com) is currently one of the most popular tools for creating permanent short URLs for addresses that are too long to send by mail, or simply for hiding affiliate URLs.
How does that work?
Let’s examine the following malicious URL: http://www.[REMOVED].com/Blog/index.htm. Testing this URL with Safe Browsing yields the “Reported Attack Site!” warning.
To bypass the warning, the cybercriminal ran the address through TinyURL and got this new URL: http://tinyurl.com/6[REMOVED]8. It is much shorter and hides the actual malicious one.
Testing the new URL with Safe Browsing shows that it is not listed as suspicious: the shortener's domain hosts thousands of other short URLs that are not malicious, so the domain itself is never flagged.
Simply put, the technique relies on Safe Browsing rating sites at the domain level. A short URL on a domain that will always be rated non-malicious passes the check, and the infected page behind the redirect is never warned about. The defensive consequence is that a short URL cannot be judged by the verdict on the shortener's domain; it has to be expanded hop by hop, and every destination in the redirect chain checked, before the final page is rendered.
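The following script shows the difference in practice. It is an added example, not code from the original post or from Finjan: a hop-by-hop expander that follows Location headers without rendering anything and checks every hop against a Safe Browsing style blocklist of "host/path" prefixes. The blocklist entries, the shortener redirect table and all hostnames (www.malicious-example.test, short.test, blocked-domain.test, the bit.ly and tinyurl.com paths) are constructed placeholders, since the real malicious URL in the post is redacted; fake_fetch serves that table so the example runs offline, and http_fetch is the equivalent for live use.

```python
"""Expand a shortened URL hop by hop and check each hop against a blocklist.

Added example; not part of the original MCRC post. All hostnames, paths and
list entries below are constructed placeholders.
"""
import http.client
from urllib.parse import urlsplit, urljoin

# Constructed blocklist standing in for a Safe Browsing style feed.  Entries are
# "host/path" prefixes; a bare "host/" entry lists the whole domain.
BLOCKLIST = {
    "www.malicious-example.test/Blog/index.htm",   # one listed page
    "blocked-domain.test/",                        # an entirely listed domain
}

# Constructed redirect table that stands in for the shortening services so the
# example runs offline: requested URL -> value of the Location header it sends.
FAKE_REDIRECTS = {
    "http://bit.ly/abc123": "http://tinyurl.com/6xxxxxx8",
    "http://tinyurl.com/6xxxxxx8": "http://www.malicious-example.test/Blog/index.htm",
    "http://short.test/loop": "http://short.test/loop",   # a redirect loop
}


def canonical(url):
    """Lowercased host plus path, without scheme, query or fragment."""
    parts = urlsplit(url)
    return parts.netloc.lower() + (parts.path or "/")


def is_listed(url):
    """True if the exact host/path, or the whole host, appears in BLOCKLIST.

    This is the check a shortener slips past: tinyurl.com is never listed, so
    the short URL is clean even though the page it redirects to is listed.
    """
    host_only = urlsplit(url).netloc.lower() + "/"
    return canonical(url) in BLOCKLIST or host_only in BLOCKLIST


def fake_fetch(url):
    """Offline fetcher: the Location header the fake service would send."""
    return FAKE_REDIRECTS.get(url)


def http_fetch(url, timeout=5):
    """Live fetcher: HEAD the URL and return its raw Location header, or None.

    Redirects are deliberately not followed here so the caller sees every hop,
    and no response body is downloaded or rendered.
    """
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        conn.request("HEAD", parts.path or "/", headers={"User-Agent": "url-expander"})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def resolve_and_check(url, fetch=fake_fetch, max_hops=5):
    """Follow the redirect chain and check every hop, not just the first.

    Returns the chain, the first listed hop (None if the chain is clean) and
    whether expansion stopped early because of a loop or too many hops.
    """
    chain = [url]
    listed_at = url if is_listed(url) else None
    truncated = False
    while listed_at is None:
        location = fetch(chain[-1])
        if location is None:              # final destination reached
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain or len(chain) >= max_hops:
            truncated = True              # loop or open-ended chain: stop
            break
        chain.append(nxt)
        if is_listed(nxt):
            listed_at = nxt
    return {"chain": chain, "final": chain[-1], "listed_at": listed_at, "truncated": truncated}


if __name__ == "__main__":
    for start in ("http://bit.ly/abc123", "http://short.test/loop"):
        verdict = resolve_and_check(start)
        print(start, "->", " -> ".join(verdict["chain"][1:]) or "(no redirect)")
        print("  listed at:", verdict["listed_at"], "| truncated:", verdict["truncated"])
```

The domain-only check (is_listed on the short URL) returns clean for both shortener hops, which is exactly the gap the post describes; resolve_and_check flags the chain at the third hop because it checks the destination of each redirect. A redirect that loops or exceeds max_hops is reported as truncated rather than trusted, since an unresolved chain is not evidence that the target is benign.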
For comparison, popular URL categorization engines categorized TinyURL as "Computing and Internet", "Search Engines / Web Catalogs / Portals" and "Software / Hardware / Distributors", while the real malicious URL was categorized as "Other". So Google Safe Browsing has a slight edge when queried about the malicious URL itself, but all engines agree that TinyURL is benign.
As mentioned above, TinyURL isn't the only URL shortening service available. Others include bit.ly, w3t.org and is.gd, among many more. Nor is TinyURL the only service being abused: during our research we found that bit.ly was also used by the same cybercriminals.
As always, we notified TinyURL and bit.ly and the malicious links were removed.
Be careful when you click on such links the next time you receive them, and make sure you have up-to-date and adequate web protection in place!
Posted by Moshe Basanchig