What is the link spam

Heimdall reports: Beware of phishing attacks with bit.ly links

In the last few days, the security experts at NoSpamProxy have observed a clearly increased number of phishing attacks that use the well-known URL shortener service bit.ly. The attackers use the familiar pattern of the "hello spam".

The e-mails in question contain only a very short message and exactly one phishing link. Here are some recent examples:

Increased volume of bit.ly links

The body of these e-mails typically consists of an emoji, followed by a very short text and then a single bit.ly link. The data collected by Heimdall shows a significantly increased number of bit.ly links:

The graph shows the number of bit.ly link sightings (per hour) in Heimdall. The assumption here is that a large part of the additional volume is due to phishing (for 9/15/2020 that would be almost 20,000 URLs). These attacks carry a high risk potential.

Heimdall sends warnings about affected URLs

In the last few months we have had good success with Heimdall against "hello spam". In the previous phishing attacks, however, lesser-known URL shortening services or machine-generated blogspot pages were used, which can easily be recognized as malicious. In the case of the bit.ly URLs used here, this is not so simple, since bit.ly links also appear in legitimate e-mail communication. Due to the special threat situation, the Heimdall service is currently sending a warning for these URLs. For all customers who already participate in the Heimdall beta version, affected e-mails receive 2 SCL. Unfortunately, because these e-mails have few other suspicious characteristics, this does not always result in a rejection.

How can you ward off spam emails with bit.ly links?

For a stricter handling of this spam e-mail, we recommend the following temporary local modification:

Under NoSpamProxy management console > configuration > Preferences > Word matches > "Add", a phrase can be created as shown in the example. The corresponding pattern can then be defined there.

After that, in the inbound rules (NoSpamProxy management console > configuration > Rules), the filter "Word matches" should be added under "filter" (if it is not already used) and the newly created phrase "Blocked links" selected.

With this procedure, all e-mails with bit.ly URLs are rejected. Our current data shows that the attacks are mainly being sent from "outlook.com" or "hotmail.com" addresses. Alternatively, this knowledge allows a more selective approach in order to lower the false positive rate if necessary.

First, a new rule is created, e.g. by duplicating the existing "All other inbound mails" rule, and the phrase "Blocked links" is used in it. Under "Message flow", the new rule can then be limited to the relevant MAIL FROM domains:
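To make the two approaches concrete, here is an added example (not NoSpamProxy's code and not part of the original article) that scores constructed messages against the pattern described above: an emoji, a very short text, exactly one bit.ly link, plus the MAIL FROM domain check of the selective rule. The word limit, the emoji code point ranges and the sample messages are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# A bit.ly short link anywhere in the body (http or https, optional www).
BITLY_RE = re.compile(r"https?://(?:www\.)?bit\.ly/[A-Za-z0-9]+", re.IGNORECASE)
# Rough emoji test: common pictographic blocks (assumption; a production
# filter would use a complete table).
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF]")
# MAIL FROM domains the article reports as the main senders of this wave.
SUSPECT_SENDER_DOMAINS = {"outlook.com", "hotmail.com"}
# Points added per the article: Heimdall beta assigns 2 SCL for these URLs.
BITLY_SCL = 2


@dataclass
class Verdict:
    has_bitly: bool        # the broad "Blocked links" word match would fire
    hello_spam: bool       # emoji + very short text + exactly one bit.ly link
    reject_selective: bool # bit.ly link AND MAIL FROM domain in the suspect set
    scl_add: int           # SCL points to add for the bit.ly sighting


def assess(mail_from: str, body: str, max_words: int = 12) -> Verdict:
    """Score one message against the bit.ly 'hello spam' pattern."""
    links = BITLY_RE.findall(body)
    if not links:
        return Verdict(False, False, False, 0)
    # Count the words that remain once links and emoji are removed.
    text = EMOJI_RE.sub(" ", BITLY_RE.sub(" ", body))
    very_short = len(text.split()) <= max_words
    hello_spam = len(links) == 1 and very_short and bool(EMOJI_RE.search(body))
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return Verdict(True, hello_spam, domain in SUSPECT_SENDER_DOMAINS, BITLY_SCL)


# Constructed sample messages (MAIL FROM, body); not real campaign data.
SAMPLES = [
    ("someone@hotmail.com", "\U0001F44B Hi, please check https://bit.ly/3abcXYZ"),
    ("shop@example.org", "Dear customer, thank you for your order. You can follow "
                         "the shipment here: https://bit.ly/2trackme Kind regards, the team"),
    ("colleague@example.com", "See you at the meeting tomorrow at 10."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, assess(sender, body))
```

The first sample triggers both the broad word match and the selective rule, the second (a longer legitimate-looking mail from an unrelated domain) only the broad match, which is the false positive the selective rule avoids.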

Use Heimdall now

The Heimdall action in NoSpamProxy ensures that metadata on e-mails and attachments is collected and analyzed. The goal: to build an even more powerful anti-malware intelligence that can detect and fend off spam and malware attacks even faster and more effectively. If you are interested in using the beta version of Projekt Heimdall, send an e-mail with the subject "Heimdall activation" to NoSpamProxy Support and attach a screenshot of your license details.

The Security Insider picked up our blog article and published a post on it.