Malicious Link Shortening Service on .US Domains: A Haven for Malware and Phishing Scams


In recent research conducted by Infoblox, security reporter Brian Krebs discovered that thousands of newly-registered domains within the top-level domain (TLD) for the United States, .US, are linked to a malicious link shortening service. This service is facilitating malware and phishing scams, making the .US domain a breeding ground for cybercriminal activity. Infoblox researchers have been tracking this three-year-old link shortening service, revealing its ties to phishers and malware purveyors. The alarming findings shed light on the prevalence of .US domains in phishing attacks and the abuse of bulletproof hosting providers.

Unveiling the Malicious Link Shortening Service:

The research conducted by Infoblox unraveled a disturbing network linked to phishers and malware distributors. Infoblox identified numerous .US domains that are typically three to seven characters long and primarily used for hosting phishing and malware landing pages. These condensed domains aim to obfuscate the real address of the landing pages, tricking users into divulging sensitive information or infecting their devices. By employing bulletproof hosting providers that turn a blind eye to abuse and legal complaints, cybercriminals can operate with minimal consequences.

Abuse of the Short Domains:

The domains associated with the malicious link shortening service do not host content themselves. Instead, they are utilized to hide the true intent of landing pages. Users are redirected through these short domains to phishing sites or pages that try to install malware. This strategy adds another layer of deception, making it harder for victims and authorities to identify and mitigate the harm caused. The cybercriminals behind this service rely on exploiting the trust and naivety of unsuspecting users.

Promotion and Propagation of Malware:

Infoblox researchers have yet to determine the exact tactics used for the initial promotion of the phishing and malware landing pages facilitated by this service. However, they suspect that SMS-based scams targeting mobile phone users play a significant role in spreading these malicious links. As mobile devices become increasingly intertwined with our daily lives, cybercriminals exploit that dependence to gain access to personal and financial information.

Unraveling the Link Shortening Service:

Infoblox’s investigation into the malicious link shortening service was possible because of its surveillance systems, which detect registrations that use domain generation algorithms (DGAs). Infoblox experts have not found any legitimate content served through the shorteners associated with this service. By analyzing the pseudo-random patterns of the short domains, Infoblox was able to map out the extent of this network, exposing its disturbing connections and content.
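The traits described above (a three-to-seven-character .US label, a pseudo-random look, and a response that only redirects elsewhere) can be combined into a simple triage pass over web proxy logs. The following is an added example, not Infoblox's detector or code from the original article; the log records are constructed, and the pseudo-randomness heuristic and its thresholds are assumptions.

```python
from urllib.parse import urlsplit

# Constructed proxy-log records (URL, HTTP status, Location header); not observed indicators.
SAMPLE_LOG = [
    ("http://xk7q.us/a1", 302, "https://login-verify.example.net/session"),
    ("http://zq3vw.us/r", 301, "https://parcel-update.example.org/track"),
    ("http://news.us/story", 200, ""),                       # serves content itself
    ("http://bit.us/x", 302, "https://bit.us/landing"),      # redirect stays on-site
    ("http://q9x.us/a", 302, "/b"),                          # relative redirect, on-site
    ("http://townlibrary.us/", 302, "https://www.townlibrary.us/"),
    ("http://qzt9.com/a", 302, "https://other.example.com/"),  # not under .us
]
REDIRECTS = (301, 302, 303, 307, 308)

def host(url):
    return (urlsplit(url).hostname or "").lower()

def site(hostname):
    # Last two labels; adequate here because only names directly under .us matter.
    return ".".join(hostname.split(".")[-2:])

def registered_label(hostname):
    """Label immediately left of .us, or None when the name is not under .us."""
    parts = hostname.split(".")
    return parts[-2] if len(parts) >= 2 and parts[-1] == "us" else None

def looks_pseudo_random(label):
    # Assumed heuristic: digits mixed into the label, or fewer than 25% vowels.
    vowels = sum(c in "aeiou" for c in label)
    return any(c.isdigit() for c in label) or vowels / len(label) < 0.25

def triage(records):
    """Return (short_domain, destination_host) pairs worth an analyst's review."""
    flagged = []
    for url, status, location in records:
        h = host(url)
        label = registered_label(h)
        if label is None or not 3 <= len(label) <= 7:
            continue
        dest = host(location)  # empty for a relative Location, i.e. same site
        off_site = status in REDIRECTS and dest and site(dest) != site(h)
        if off_site and looks_pseudo_random(label):
            flagged.append((h, dest))
    return flagged

if __name__ == "__main__":
    for short, dest in triage(SAMPLE_LOG):
        print(f"review: {short} -> {dest}")
```

A match is only a lead for review: pairing it with domain registration age, which the article notes is recent for these domains, would reduce false positives.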

The Urgent Need for Intervention:

The rise of malicious link shortening services on the .US domain highlights the dire need for increased security measures and cooperation amongst various stakeholders. Bulletproof hosting providers need to be held accountable for their role in facilitating cybercrime. Additionally, mobile phone users should exercise caution when interacting with SMS messages from unknown sources to minimize the risks associated with phishing and malware attacks.


The discovery of a malicious link shortening service on .US domains serves as a wake-up call to the prevalence of cybercriminals exploiting TLDs for their malicious activities. The findings by Infoblox underscore the urgent necessity for collaboration between security researchers, law enforcement agencies, domain registrars, and hosting providers to create a safer online environment. By raising awareness about these threats, implementing robust security measures, and promoting responsible online behavior, we can diminish the impact of malware and phishing scams, ensuring a more secure digital future.
