包阅导读总结
1. 关键词:Digital Analytics Tools、Weaponize、Threat Actors、Link Shorteners、Malicious Purposes
2. 总结:本文介绍了数字分析工具在网络中的重要性,同时指出其可能被用于恶意目的,重点阐述了威胁行为者如何将链接缩短器等工具武器化,以躲避检测和增强恶意活动效果,并以 bit.ly 为例进行说明。
3.
– 数字分析工具是现代网络空间的重要组成部分,有多种类型,如链接缩短器、位置跟踪器等。
– 链接缩短器自 2000 年左右出现后普及,被用于合法营销,也被威胁行为者利用。
– 如 UNC1189 用于引导用户至钓鱼诱饵文档,某金融动机的威胁行为者用于短信钓鱼,恶意广告活动用于跟踪恶意软件点击数据。
– 以 bit.ly 为例展示威胁行为者视角下的链接缩短器服务能力,其提供多种订阅级别。
– 威胁行为者巧妙利用数字分析和广告工具躲避检测,增强恶意活动效果。
– 本文深入威胁行为者策略,为防御者提供检测和缓解策略。
思维导图:
文章来源:cloud.google.com
作者:Mandiant
发布时间:2024/8/29 0:00
语言:英文
总字数:4223字
预计阅读时间:17分钟
评分:82分
标签:网络安全,威胁情报,数字分析,链接缩短器,IP 地理位置
以下为原文内容
本内容来源于用户推荐转载,旨在分享知识与观点,如有侵权请联系删除 联系邮箱 media@ilingban.com
Introduction
Digital analytics tools are vital components of the vast domain that is modern cyberspace. From system administrators managing traffic load balancers to marketers and advertisers working to deliver relevant content to their brand’s biggest fan base, tools like link shorteners, location trackers, CAPTCHAs, and digital advertising platforms each play their part in making information universally accessible and useful to all.
However, just as these tools can be used for good, they can also be used for malicious purposes. Mandiant and Google Cloud researchers have witnessed threat actors cleverly repurposing digital analytics and advertising tools to evade detection and amplify the effectiveness of their malicious campaigns.
This blog post dives deep into the threat actor playbook, revealing how these tools can be weaponized by attackers to add malicious data analytics (“malnalytics”) capabilities to their threat campaigns. We’ll expose the surprising effectiveness of these tactics and arm defenders with detection and mitigation strategies for their own environments.
Get Shor.ty
First entering the scene around the year 2000 and steadily gaining in popularity ever since, link shorteners have become a fairly ubiquitous utility for life on the Internet. In addition to the popular link shortening services like bit.ly and rb.gy, large technology companies like Amazon (a.co) and Google (goo.gl) also have (or had, in Google’s case) their own link shortening structures and schemas. In the legitimate advertising and marketing sense, link shorteners are typically used as a mechanism to track things like click-through rates on advertisements, or to reduce the likelihood that a complicated URL with parameterized arguments will get mangled when being shared. However, link shorteners and link shortening services have also been used by threat actors (MITRE ATT&CK Technique T1608.005) to obscure the URLs of malicious landing pages, and Mandiant has observed threat actors using link shorteners to redirect victims during the initial access phase of an attack chain. Some recent examples include:
-
A link shortener service used by UNC1189 (also known as “MuddyWater”) in spring of 2022 to funnel users to a phishing lure document hosted on a cloud storage provider.
-
A set of SMS phishing campaigns orchestrated by a financially motivated threat actor between spring of 2021 and late 2022, which leveraged link shorteners to funnel users through a nested web of device, location, and browser checks to a set of forms that ultimately attempt to steal credit card information.
-
A malvertising campaign in spring of 2023 that leveraged a link shortener to track click-through data for Dropbox URLs hosting malware payloads.
Behind the ma.sk
To demonstrate the capabilities of a link shortener service from a threat actor perspective, the service bit.ly will be featured in this blog post. Originally made popular on X (formerly Twitter) around 2008, bit.ly remains a popular link shortening solution. Like most modern software-as-a-service (SaaS) platforms, bit.ly offers multiple subscription levels based around levels of usage and feature availability (Figure 1).
