Short-URL services have emerged as a crucial part of the way we use the Internet. With the increasing use of social media, where the number of characters is limited, short-URL services are a useful tool for reducing a URL’s length. However, this convenience also comes with a potential risk. The anonymity provided by these services can serve as a breeding ground for online threats. This article delves deeper into the potential risks associated with using short-URL services and how you can safeguard yourself from these threats.

What are Short-URL Services?

Short-URL services are online tools that convert a long URL into a short one. These services are often free and easy to use: you simply enter the long URL you wish to shorten and the service will generate a short URL for you. This can be particularly handy for social media platforms such as Twitter, where character limits can make sharing long URLS impractical.

The short URL does not provide any clues about the destination website – it is a random mix of letters and numbers. This lack of transparency can make it difficult for users to determine the legitimacy of the link before clicking it. Consequently, this has opened a pandora’s box for cyber threats, as ill-intentioned individuals can hide malicious links behind these short URLs.

The Hidden Threats of Short-URL Services

While the brevity provided by short-URL services is a practical solution in the age of character-limited social media posts, it’s important to understand the accompanying risks. With the shortened URL, the original URL is hidden, which can make it challenging for users to discern whether the link is safe or not. This very feature is exploited by cybercriminals who mask malicious sites with short URLs, intending to trick users into visiting harmful web pages.

Phishing attacks, malware, and other types of online fraud can be hidden behind short URLs. Usually, these URLs are distributed via emails, social media, and instant messaging applications. Once clicked, these malicious links can infect a user’s device with malware or lead them to fake websites where sensitive information is collected. This manipulative tactic is known as ‘spoofing’.

→ Dig Deeper: New Malicious Clicker found in apps installed by 20M+ users

Increased Vulnerability with Short-URL Services

The practice of using short URLs has brought about an increased level of vulnerability in cyberspace. Certain security features that help in identifying a malicious website, such as examining the URL structure or the SSL certificate, are effectively nullified by the use of short URLs. As a result, even experienced internet users can fall prey to these malicious tactics. This marks a significant shift in traditional cybersecurity threats, where the danger is now hidden behind the veil of convenience.

→ Dig Deeper: “This Connection Is Not Private” – What it Means and How to Protect Your Privacy

Even more concerning is the fact that once a short URL is generated, it remains active indefinitely. This means a malicious link can continue to exist and pose a threat long after the original malicious activity has been detected and dealt with. Given the scale at which these short URLs are generated and shared across various digital platforms, the potential for harm is vast and hard to contain. 

The Role of URL Shortening Services in Cybercrime

Given the opacity provided by short-URL services, they have become a popular tool among cybercriminals. A report by the cybersecurity firm Symantec found that 87% of the malicious URLs used in massive cyber-attacks were actually short URLs. This stark statistic illustrates the size of the problem at hand and the urgent need for adequate measures to tackle it.

Short URLs are like a wolf in sheep’s clothing. They appear harmless, but the reality could be contrary. Without the ability to inspect the actual URL, users can unknowingly fall into a trap set by online fraudsters. The success of these threats relies heavily on the victim’s ignorance and the inability to determine the authenticity of the link they are clicking on. 

Case Studies of Cyber Threats Involving Short URLs

To fully comprehend the risks associated with short URLs, let’s examine a few real-life cases where short URLs were used to spread cyber threats. In one instance, a malicious short URL was used to propagate a Facebook scam that promised users a free gift card if they clicked on the link. Instead of a gift card, the link led users to a phishing site designed to steal personal information.

→ Dig Deeper: Don’t Take a Bite out of that Apple Gift Card Scam

In another instance, an email campaign used a short URL to spread the notorious Locky ransomware. The email contained an invoice with a short URL, which when clicked, downloaded the ransomware onto the user’s device. These two cases underscore the severe risks associated with short URLs and highlight the importance of exercising caution when dealing with such links.

How to Safeguard Against Threats Hidden in Short URLs

While the threats presented by short URLs are real and potentially damaging, internet users are not entirely helpless against them. There are certain measures that can be taken to avoid falling victim to these threats. Below are some of the ways to ensure safe browsing habits:

Firstly, be wary of any strange or unexpected links, even if they come from trusted sources. Cybercriminals often disguise malicious links to appear as though they are from trusted sources, in a tactic known as ‘spoofing’. However, if an email or a message seems out of character or too good to be true, it’s best to avoid clicking on the link.

Secondly, consider using URL expansion services. These services allow you to enter a shortened URL and then reveal the full URL, enabling you to see where the link will take you before you click on it. This can provide an added layer of security when dealing with unfamiliar links.

Finally, keep your devices and internet security software up to date. This is a simple but effective measure against all forms of online threats, including those hidden in short URLs. By regularly updating your devices and software, you can ensure you have the most recent security patches and protections available.

McAfee Pro Tip: Enhance your online safety and privacy by employing a secure browser. A safe browser incorporates additional security features designed to thwart unauthorized third-party activities during your web surfing sessions. Know more about safe browsing.

Role of Institutions in Mitigating Threats

While individual users can take steps to protect themselves, institutions also have a role to play in mitigating the threats associated with short URLs. Social media platforms, email providers and companies should all be invested in protecting their users from cyber threats. Implementing stricter URL policies, improving spam filters, and educating users about potential dangers can all help in reducing the risk.

Internet service providers can also have a hand in safeguarding users. For instance, they could monitor and block suspicious short URLs, or provide warnings to users about potential threats. While these measures may not completely eliminate the risk, they can greatly reduce the chances of users falling victim to cyber threats.

Moreover, there’s a growing need for regulatory policies around the usage and creation of short URLs. Instituting thorough checks before a short URL is generated could help in curbing the misuse of these services. Such checks could include verifying the authenticity of the original URL and scanning for potential threats.

Final Thoughts

Short-URL services undeniably offer a degree of convenience in this age of Twitter-length posts and character-limited updates. However, the potential threats that lurk behind these shortened links cannot be overlooked. Users and institutions need to balance the benefits of these services with the risks, and take appropriate measures to safeguard against potential threats.

While we cannot completely eliminate the risks associated with short URLs, by staying informed, exercising caution, and using tools and resources at our disposal, we can significantly reduce our vulnerability to these threats. In the end, it’s about promoting a safer Internet experience for everyone, where convenience doesn’t come at the cost of security.

Stay informed about the latest online threats plaguing the community today. Explore the insights provided by McAfee to arm yourself with the knowledge needed to protect against evolving cybersecurity challenges.

The post Short-URL Services May Hide Threats appeared first on McAfee Blog.

Recent Internet attacks have caused several popular sites to become unreachable. These include Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have highlighted a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been around for over a decade and, for the most part, have been handled by network providers’ security services. However, the landscape is changing.

The primary strategy in these attacks is to control a number of devices which then simultaneously flood a destination with network requests. The target becomes overloaded and legitimate requests cannot be processed. Traditional network filters typically handle this by recognizing and blocking systems exhibiting this malicious behavior. However, when thousands of systems mount an attack, these traditional filters fail to differentiate between legitimate and malicious traffic, causing system availability to crumble.

Cybercriminals, Hacktivists, and IoT

Cybercriminals and hacktivists have found a new weapon in this war: the IoT. Billions of IoT devices exist, ranging in size from a piece of jewelry to a tractor. These devices all have one thing in common: they connect to the internet. While this connection offers tremendous benefits, such as allowing users to monitor their homes or check the contents of their refrigerators remotely, it also presents a significant risk. For hackers, each IoT device represents a potential recruit for their bot armies.

A recent attack against a major DNS provider shed light on this vulnerability. Botnets containing tens or hundreds of thousands of hijacked IoT devices have the potential to bring down significant sections of the internet. Over the coming months, we’ll likely discover just how formidable a threat these devices pose. For now, let’s dig into the key aspects of recent IoT DDoS attacks.

5 Key Points to Understand

The proliferation of Internet of Things (IoT) devices has ushered in a new era of digital convenience, but it has also opened the floodgates to a range of cybersecurity concerns. To navigate the complexities of this digital landscape, it’s essential to grasp five key points:

1. Insecure IoT devices pose new risks to everyone

Each device that can be hacked is a potential soldier for a botnet army, which could be used to disrupt essential parts of the internet. Such attacks can interfere with your favorite sites for streaming, socializing, shopping, healthcare, education, banking, and more. They have the potential to undermine the very foundations of our digital society. This underscores the need for proactive measures to protect our digital way of life and ensure the continued availability of essential services that have become integral to modern living. 

→Dig Deeper: How Valuable Is Your Health Care Data?

2. IoT devices are coveted by hackers

Hackers will fight to retain control over them. Though the malware used in the Mirai botnets is simple, it will evolve as quickly as necessary to allow attackers to maintain control. IoT devices are significantly valuable to hackers as they can enact devastating DDoS attacks with minimal effort. As we embrace the convenience of IoT, we must also grapple with the responsibility of securing these devices to maintain the integrity and resilience of our increasingly digitized way of life.

3. DDoS Attacks from IoT Devices Are Intense and Difficult to Defend Against

Identifying and mitigating attacks from a handful of systems is manageable. However, when tens or hundreds of thousands of devices are involved, it becomes nearly impossible. The resources required to defend against such an attack are immense and expensive. For instance, a recent attack that aimed to incapacitate Brian Krebs’ security-reporting site led to Akamai’s Vice President of Web Security stating that if such attacks were sustained, they could easily cost millions in cybersecurity services to keep the site available. Attackers are unlikely to give up these always-connected devices that are ideal for forming powerful DDoS botnets.

There’s been speculation that nation-states are behind some of these attacks, but this is highly unlikely. The authors of Mirai, a prominent botnet, willingly released their code to the public, something a governmental organization would almost certainly not do. However, it’s plausible that after observing the power of IoT botnets, nation-states are developing similar strategies—ones with even more advanced capabilities. In the short term, however, cybercriminals and hacktivists will continue to be the primary drivers of these attacks.

→ Dig Deeper: Mirai Botnet Creates Army of IoT Orcs

4. Cybercriminals and Hacktivists Are the Main Perpetrators

In the coming months, it’s expected that criminals will discover ways to profit from these attacks, such as through extortion. The authors of Mirai voluntarily released their code to the public—an action unlikely from a government-backed team. However, the effectiveness of IoT botnets hasn’t gone unnoticed, and it’s a good bet that nation-states are already working on similar strategies but with significantly more advanced capabilities.

Over time, expect cybercriminals and hacktivists to remain the main culprits behind these attacks. In the immediate future, these groups will continue to exploit insecure IoT devices to enact devastating DDoS attacks, constantly evolving their methods to stay ahead of defenses.

→ Dig Deeper: Hacktivists Turn to Phishing to Fund Their Causes

5. It Will Likely Get Worse Before It Gets Better

Unfortunately, the majority of IoT devices lack robust security defenses. The devices currently being targeted are the most vulnerable, many of which have default passwords easily accessible online. Unless the owner changes the default password, hackers can quickly and easily gain control of these devices. With each device they compromise, they gain another soldier for their botnet.

To improve this situation, several factors must be addressed. Devices must be designed with security at the forefront; they must be configured correctly and continuously managed to keep their security up-to-date. This will require both technical advancements and behavioral changes to stay in line with the evolving tactics of hackers.

McAfee Pro Tip: Software updates not only enhance security but also bring new features, better compatibility, stability improvements, and feature removal. While frequent update reminders can be bothersome, they ultimately enhance the user experience, ensuring you make the most of your technology. Know more about the importance of software updates.

Final Thoughts

Securing IoT devices is now a critical issue for everyone. The sheer number of IoT devices, combined with their vulnerability, provides cybercriminals and hacktivists with a vast pool of resources to fuel potent DDoS campaigns. We are just beginning to observe the attacks and issues surrounding IoT security. Until the implementation of comprehensive controls and responsible behaviors becomes commonplace, we will continue to face these challenges. By understanding these issues, we take the first steps toward a more secure future.

Take more steps with McAfee to secure your digital future. Explore our security solutions or read our cybersecurity blogs and reports.

The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blog.

Authored by Dexter Shin 

McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who want to increase their followers or likes in the last post. As we researched more about this threat, we found another malware type that uses different technical methods to steal user’s credentials. The target is users who are not satisfied with the default functions provided by Instagram. Various Instagram modification application already exists for those users on the Internet. The new malware we found pretends to be a popular mod app and steals Instagram credentials. 

Behavior analysis 

Instander is one of the famous Instagram modification applications available for Android devices to help Instagram users access extra helpful features. The mod app supports uploading high-quality images and downloading posted photos and videos. 

The initial screens of this malware and Instander are similar, as shown below. 

Figure 1. Instander legitimate app(Left) and Mmalware(Right) 

Next, this malware requests an account (username or email) and password. Finally, this malware displays an error message regardless of whether the login information is correct. 

Figure 2. Malware requests account and password 

The malware steals the user’s username and password in a very unique way. The main trick is to use the Firebase API. First, the user input value is combined with [email protected]. This value and static password(=kamalw20051) are then sent via the Firebase API, createUserWithEmailAndPassword. And next, the password process is the same. After receiving the user’s account and password input, this malware will request it twice. 

Since we cannot see the dashboard of the malware author, we tested it using the same API. As a result, we checked the user input value in plain text on the dashboard. 

According to the Firebase document, createUserWithEmailAndPassword API is to create a new user account associated with the specified email address and password. Because the first parameter is defined as email patterns, the malware author uses the above code to create email patterns regardless of user input values. 

It is an API for creating accounts in the Firebase so that the administrator can check the account name in the Firebase dashboard. The victim’s account and password have been requested as Firebase account name, so it should be seen as plain text without hashing or masking. 

Network traffic 

As an interesting point on the network traffic of the malware, this malware communicates with the Firebase server in Protobuf format in the network. The initial configuration of this Firebase API uses the JSON format. Although the Protobuf format is readable enough, it can be assumed that this malware author intentionally attempts to obfuscate the network traffic through the additional settings. Also, the domain used for data transfer(=www.googleapis.com) is managed by Google. Because it is a domain that is too common and not dangerous, many network filtering and firewall solutions do not detect it. 

Conclusion 

As mentioned, users should always be careful about installing 3rd party apps. Aside from the types of malware we’ve introduced so far, attackers are trying to steal users’ credentials in a variety of ways. Therefore, you should employ security software on your mobile devices and always keep up to date. 

Fortunately, McAfee Mobile Security is able to detect this as Android/InstaStealer and protect you from similar threats. For more information visit  McAfee Mobile Security 

Indicators of Compromise 

SHA256: 

• 238a040fc53ba1f27c77943be88167d23ed502495fd83f501004356efdc22a39 

The post Instagram credentials Stealer: Disguised as Mod App appeared first on McAfee Blog.

Authored by Jyothi Naveen and Kiran Raj

McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. The purpose of these spam operations is to deliver malicious payloads to as many people as possible.

A recent spam campaign was using malicious word documents to download and execute the Ursnif trojan. Ursnif is a high-risk trojan designed to record various sensitive information. It typically archives this sensitive data and sends it back to a command-and-control server.

This blog describes how attackers use document properties and a few other techniques to download and execute the Ursnif trojan.

Threat Summary

• The initial attack vector is a phishing email with a Microsoft Word document attachment.
• Upon opening the document, VBA executes a malicious shellcode
• Shellcode downloads the remote payload, Ursnif, and invokes rundll32.exe to execute it.

Infection Chain

The malware arrives through a phishing email containing a Microsoft Word document as an attachment. When the document is opened and macros are enabled, Word downloads a DLL (Ursnif payload). The Ursnif payload is then executed using rundll32.exe

Word Analysis

Macros are disabled by default and the malware authors are aware of this and hence present an image to entice the victims into enabling them.

VBA Macro Analysis of Word Document

Analyzing the sample statically with ‘oleId’ and ‘olevba’ indicates the suspicious vectors..

The VBA Macro is compatible with x32 and x64 architectures and is highly obfuscated as seen in Figure-5

To get a better understanding of the functionality, we have de-obfuscated the contents in the 2 figures shown below.

An interesting characteristic of this sample is that some of the strings like CLSID, URL for downloading Ursnif, and environment variables names are stored in custom document properties in reverse. As shown in Figure-7, VBA function “ActiveDocument.CustomDocumentProperties()” is used to retrieve the properties and uses “StrReverse” to reverse the contents. 

We can see the document properties in Figure-8  

Payload Download and Execution: 

The malicious macro retrieves hidden shellcode from a custom property named “Company” using the “cdec” function that converts the shellcode from string to decimal/hex value and executes it. The shellcode is shown below. 

The shellcode is written to memory and the access protection is changed to PAGE_EXECUTE_READWRITE. 

After adding the shellcode in memory, the environment variable containing the malicious URL of Ursnif payload is created. This Environment variable will be later used by the shellcode. 

The shellcode is executed with the use of the SetTimer API. SetTimer creates a timer with the specified time-out value mentioned and notifies a function when the time is elapsed. The 4th parameter used to call SetTimer is the pointer to the shellcode in memory which will be invoked when the mentioned time is elapsed. 

The shellcode downloads the file from the URL stored in the environmental variable and stores it as ” y9C4A.tmp.dll ” and executes it with rundll32.exe. 

URL	hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/
CMD	rundll32 “C:\Users\user\AppData\Local\Temp\y9C4A.tmp.dll”,DllRegisterServer

After successful execution of the shellcode, the environment variable is removed. 

IOC 

TYPE	VALUE	PRODUCT	DETECTION NAME
Main Word Document	6cf97570d317b42ef8bfd4ee4df21d217d5f27b73ff236049d70c37c5337909f	McAfee LiveSafe and Total Protection	X97M/Downloader.CJG
Downloaded dll	41ae907a2bb73794bb2cff40b429e62305847a3e1a95f188b596f1cf925c4547	McAfee LiveSafe and Total Protection	Ursnif-FULJ
URL to download dll	hxxp://docmasterpassb.top/kdv/x7t1QUUADWPEIQyxM6DT3vtrornV4uJcP4GvD9vM/	WebAdvisor	Blocked

MITRE Attack Framework 

Technique ID	Tactic	Technique Details	Description
T1566.001	Initial Access	Spear phishing Attachment	Manual execution by user
T1059.005	Execution	Visual Basic	Malicious VBA macros
T1218.011	Defense Evasion	Signed binary abuse	Rundll32.exe is used
T1027	Defense Evasion	Obfuscation techniques	VBA and powershell base64 executions
T1086	Execution	Powershell execution	PowerShell command abuse

 Conclusion 

Macros are disabled by default in Microsoft Office applications, we suggest keeping it that way unless the document is received from a trusted source. The infection chain discussed in the blog is not limited to Word or Excel. Further threats may use other live-off-the-land tools to download its payloads.  

McAfee customers are protected against the malicious files and sites detailed in this blog with McAfee LiveSafe/Total Protection and McAfee Web Advisor. 

The post Phishing Campaigns featuring Ursnif Trojan on the Rise appeared first on McAfee Blog.