The Bitly API key and MSNBC unvalidated redirects
Posted by Pietro Bempos on 21 July 2014 12:30 PM

Websense Security Labs™ has observed a spam/fraud campaign in which a user is redirected from a real news site to a fake news site. In this case the real site is, which belongs to the well-known cable and satellite channel MSNBC. Cyber criminals appear to have obtained MSNBC's Bitly API key, which was publicly exposed, and are using it to generate short URLs on MSNBC's custom short domain that lead to the fraudulent site. Websense Security Labs has been tracking fraudulent sites of this kind since 2012, but this is the first time a redirection technique of this type has been observed.



Executive Summary


The methods used by this group include:


  • Use of a publicly exposed Bitly API key to create redirects on a branded short domain
  • Use of a well-known news site to redirect to a fake news site
  • Four redirection steps from the real news site to the fake news site
  • Spreading the link through Google Groups, Yahoo Groups and spam email


Here is the fake news site to which the user is directed, hosted on a legitimate-looking host of hxxp://



So far, Websense Security Labs has identified that the spam is spread through Google and Yahoo groups, and email.


Example post on Google groups:



Example post on Yahoo groups:



The full redirection chain goes as follows:

hxxp:// -->> using Bitly -->> hxxp:// -->> hxxp://


How is the Bitly service abused?


Bitly is a service that shortens URLs into a more compact, user-friendly format. Shortened URLs are convenient because they are easier to exchange and can improve the look of a message. Businesses can set up their own branded 'short domain' by pointing its DNS records at Bitly's servers. Each Bitly customer has their own API key, which they can use to generate short URLs from full URLs. If the API key belongs to an account that has set up a short domain, that custom short domain is used for every short URL generated with the key.


For example, if the API key belongs to MSNBC's Bitly account then a short URL on hxxp:// will be generated instead of one on hxxp:// In this case the Bitly API key was publicly exposed and misused by the spammers to create links on MSNBC's short domain that start the redirection chain from hxxp://


To obtain statistics for a Bitly URL, append the '+' character to it. For example the hxxp:// link becomes hxxp:// . This reveals some interesting information: in this case the short link had been clicked 2054 times at the time of analysis, which gives a rough measure of how many recipients acted on the spam.


Statistics from Bitly's data:



How are Bitly protecting their users?


At the time of writing, Bitly is blocking the redirecting short link. Kudos to them.



More related abuse vectors on MSNBC


During this investigation Websense observed another flaw with similar impact. The following logout page has an unvalidated (open) redirect: the destination is taken from a request parameter without being checked against the site's own domains, so it can be used to send a user anywhere on the Internet.




In this case the destination is the Google search engine, but it could just as easily be a malicious website. Bitly uses the domain when shortening URLs from MSNBC. The unvalidated logout URL above would be shortened by Bitly as follows:




This means that the user sees a genuine Bitly short URL on NBC News's short domain, which redirects to a genuine NBC News domain. The next hop, however, is another redirect that can lead anywhere on the Internet. The chain may convince users that they are following a valid NBC News link, and because both of the visible hops are legitimate, reputation-based URL filters are misled in the same way as the victim.


We have contacted the MSNBC team to alert them to these issues.


Websense Protection


Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:


  • Stage 2 (Lure) – ACE protects against lure email messages containing the threat, as well as other types of lure.
  • Stage 3 (Redirects) – The Websense product follows each redirect in turn so that the final destination can be classified.




Websense Security Labs identified other websites that keep their Bitly API key in public view. Exposing your Bitly API key is a risk if you have a short domain, because it allows anybody to generate short URLs on your short domain that redirect wherever that person chooses. This can make it appear as if your business is the one redirecting to malware, phishing or fraud. Fortunately, there is not much more that anybody can do with the key alone, as account-related and link-editing features can only be accessed after an OAuth login. An exposed key should still be regenerated, since every link created with it before rotation will keep working.


All requests to the Bitly API should be made from the website's back end, on the server side. The API key is then never shipped to the browser, so public users cannot read it from the front end and your short domain cannot be abused in this way.
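Both problems described in this post, the unvalidated logout redirect and the shortener abuse, come down to one missing check: the destination must be on a host you control. The Python below is an added example written for this write-up, not code from Websense, Bitly or MSNBC. It shows a logout handler that only honours a `next` parameter pointing at its own hosts, a server-side shortening request that reads the key from the environment and refuses off-site URLs, and a regex that flags Bitly API calls with an inline key in front-end source. The host names, the `BITLY_ACCESS_TOKEN` variable, the v3 endpoint and parameter names, and the key value in the constructed JavaScript snippet are all assumptions.

```python
"""Added example: one same-host allow-list shared by a logout redirect and a
server-side Bitly shortening endpoint, plus a check for keys leaked into
front-end source.  Hosts, endpoint and parameter names are assumptions."""
import os
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Hosts we control (constructed for this example).
ALLOWED_HOSTS = {"www.example-news.test", "example-news.test"}
DEFAULT_LANDING = "https://www.example-news.test/"

# Bitly v3 shorten endpoint and token parameter as assumed here; confirm
# both against the current API reference before relying on them.
BITLY_SHORTEN = "https://api-ssl.bitly.com/v3/shorten"


def is_allowed_destination(url, allow_relative=False):
    """True only if `url` stays on a host we control.

    Rejects scheme-relative '//evil.test', backslash variants, userinfo
    tricks such as 'https://good.test@evil.test', non-http schemes and
    lookalike hosts like 'good.test.evil.test' (exact host match only).
    """
    if allow_relative and url.startswith("/") and url[1:2] not in ("/", "\\"):
        return True  # plain site-local path such as /account
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "").lower() in ALLOWED_HOSTS


def logout_redirect_target(query_string):
    """Replacement for an unvalidated ?next= redirect: honour the parameter
    only when it passes the allow-list, otherwise land on the default page."""
    target = parse_qs(query_string).get("next", [""])[0]
    if is_allowed_destination(target, allow_relative=True):
        return target
    return DEFAULT_LANDING


def build_shorten_request(long_url, api_key=None):
    """Server-side shortening: the key comes from the environment, never from
    the browser, and only absolute URLs on our own hosts are shortened, so the
    branded short domain cannot be turned into a redirector to arbitrary sites."""
    api_key = api_key or os.environ.get("BITLY_ACCESS_TOKEN")
    if not api_key:
        raise RuntimeError("BITLY_ACCESS_TOKEN is not configured")
    if not is_allowed_destination(long_url):
        raise ValueError("refusing to shorten off-site URL")
    return BITLY_SHORTEN + "?" + urlencode({"access_token": api_key, "longUrl": long_url})


# Bitly v3 API calls in client-side source that carry the key or token inline.
_LEAK_RE = re.compile(
    r"""api(?:-ssl)?\.bit(?:\.ly|ly\.com)/v3/\w+\?[^"'\s]*?(?:apiKey|access_token)=([^&"'\s]+)""",
    re.IGNORECASE,
)


def find_exposed_keys(frontend_source):
    """Return key/token values found in HTML or script text that is served to
    browsers.  Anything returned here is public and must be regenerated."""
    return _LEAK_RE.findall(frontend_source)


if __name__ == "__main__":
    # Constructed snippet standing in for a site's shipped JavaScript.
    leaked_js = ("var u = 'http://api.bitly.com/v3/shorten?login=newsdesk&apiKey=R_deadbeef'"
                 " + '&longUrl=' + encodeURIComponent(location.href);")
    print(find_exposed_keys(leaked_js))
    print(logout_redirect_target("next=https://www.example-news.test/account"))
    print(logout_redirect_target("next=//evil.test/"))
```

The allow-list compares the parsed hostname exactly rather than with `startswith`, which is what defeats `good.test.evil.test` and `good.test@evil.test`; the relative-path branch exists only for the logout case, since a shortener has no use for a path without a host. Run `find_exposed_keys` over the HTML and JavaScript your site actually serves, not over the server-side templates, because the leak is in what reaches the browser.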


You can read about Bitly's API best practices here:


URL shorteners are very useful, but come with their own security risks and should be used with caution from a developer and from a user point of view.


Fake AV Asks for Subscription Renewals
Posted by Mary Grace Timcang on 29 January 2014 08:30 PM

Cleaning up and re-imaging machines infected with rogue AV continues to consume precious hours from security teams already saddled with growing responsibilities. While fake antivirus software (AV) has ceded the security headlines to exploit kits, ransomware and crime packs, active rogue AV campaigns remain an ongoing challenge for organizations trying to keep their networks free of malware. Today, Websense® Security Labs™ researchers, using the Websense ThreatSeeker® Intelligence Cloud, intercepted one such campaign: malicious emails promoting a fake AV product called Anti-Virus Pro. The emails use "PC Security - Renewal" as the subject.

These malicious emails offer subscription renewals to unsuspecting customers who are then redirected to the fake AV site: hxxp://  The site prompts users to download a trial version of the malware.


Websense® ThreatScope detects the fake AV as malicious, and shows that it drops and runs binaries inside the user's profile directory. Interestingly, this malware was first seen on VirusTotal about a year and a half ago, yet only 40% of AV engines detected it at the time of this post.


Intelligence gathered around this malicious campaign suggests that its focus is the manufacturing industry, as well as other service-oriented businesses.



Geographically, the campaign originates in the US and United Kingdom.  So far, we are seeing Belgium, the US, and the United Kingdom as the top countries affected.


Historically, fake AV has been associated heavily with Black Hat SEO attacks. This campaign spreads by email instead, which could signal a comeback for one of the most prevalent malicious campaigns of the past.


Websense customers are protected from these and other threats by Websense ACE (Advanced Classification Engine).
