Hackers abuse Bitly API in novel attack, reports Websense

A cyber attack targeting TV channel MSNBC highlights cybercriminals’ abuse of the public’s trust in news outlets and websites, says Websense Security Labs.

The security firm said its researchers have observed a "first of its kind" spam-based attack campaign that redirected users from the MSNBC website to a malicious fake news site.

The attack abused the company’s publicly available Bitly application program interface (API) key to create custom URL shorteners for redirecting victims, the researchers said.

So far, Websense Security Labs has identified that the spam messages containing the malicious links are being spread through Google and Yahoo groups, and email.

Bitly is a service to shorten URLs into a more user-friendly format. Shortened URLs are easier to exchange due to their length.

Businesses can set up their own "short domains" and change their DNS settings to Bitly's servers. Each Bitly customer has their own API key that they can use to generate short URLs from full URLs.

If the API key relates to an account that has set up their own short domain, the custom short domain will be used when generating a short URL.

For example, if the API key relates to MSNBC's Bitly account then a short URL using "hxxp://on.msnbc.com/" will be used instead of "hxxp://bit.ly/".

In this attack, the Bitly API key was publicly available and mis-used by the spammers to redirect from "hxxp://on.msnbc.com/" through a four-step redirection chain.

But Bitly is protecting users by blocking the redirection page, according to a Websense blog post.

Carl Leonard, senior manager, security research, at Websense, said this incident shows how cybercriminals are abusing the trust users have in news outlets and websites.

“Most users would never suspect that a URL shortener of a household brand, such as MSNBC, would be abused by cybercriminals.

“A simple change in tactics and the criminals could infect users with powerful malware with impunity, based on the trust generated by MSNBC amongst their readers,” he said.

Websense researchers also found that the hackers were exploiting an unvalidated redirect flaw in the MSNBC logout page to redirect unwitting users to malicious web pages.

Bitly uses the nbcnews.to domain when shortening URLs from MSNBC. An unvalidated MSNBC logout page would be shortened by bitly as follows: "hxxp://nbcnews.to/1rvqfxX".

This means the user will see a valid shortened URL from Bitly that belongs to NBC News and redirects to a valid NBC News domain.

However the next step is another redirection that could lead anywhere on the Internet, said Websense researchers.

This method may trick users into believing this is a valid NBC news URL, leading to a double level of confusion for the victim as well as for security filters, they said.

Although Websense researchers identified other websites that keep their Bitly API key in public view, they said exposing a Bitly API key is a risk if for any short domain.

This allows anybody to generate short URLs on the short domain that redirect to anywhere of that person's choosing, they said.

Although this does not allow access to any account-related or link-editing features, it can make it appear as if the targeted business such as MSNBC is the one redirecting vicitim to malware, phishing and fraud.

The researchers said all requests to the Bitly API should be done on the website's back end, on the server-side. This means that the API key will never be seen by public users on the front end and the API key remains safe.

The researchers warned that URL shorteners come with their own security risks, and should be used with caution. They said developers should follows Bitly’s API best practices.