How NOT to Cover Your Tracks

December 3, 2013 - By Chris Larsen

While spending some post-Thanksgiving time hunting down exploit kit sites last weekend, I found something interesting. (Yes, that's how security researchers relax on holiday weekends -- and, judging by traffic on some of the researcher mailing lists and forums, I'm not alone...)

Smack in the middle of some malvertising traffic leading to exploit kits was an interesting site: href.li

[screenshot of href.li]

I couldn't help wondering, "What sorts of people would want to hide their referrer? And how successful will they be at covering their tracks if they do?" (More on these questions in a moment...)


The full attack chain looked something like this:

  • Malicious ad served via directrev.com or popads.net...
  • Which leads to a shady-traffic site (hello, boxsearch.net! we're talking to you!)...
  • Which relays to href.li in an attempt to cover tracks...
  • Which relays to family of evil relay sites (e.g., securestatsweb.pw)...
  • Which relays to family of exploit kit sites (e.g., socialtrain.biz), running Nuclear exkit, I believe.
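As an added example (not code from this post, and not how WebPulse does it), the following Python reconstructs per-client request chains from a handful of constructed proxy log lines and flags chains that pass through href.li and then land, with the referrer stripped, on one of the relay or exploit-kit hosts named above. The log format, the 30-second chain window, the client addresses and the assumption that the hop after href.li arrives with a blank referrer are all assumptions for the example; the host names come from the post.

```python
"""Reconstruct redirect chains from proxy logs and flag the ones that route
through a referrer-anonymizing relay (href.li) to known-bad hosts.
All log lines below are constructed for this example."""
from collections import defaultdict

# Hosts named in the post; KNOWN_BAD is the "gang members" classification it describes.
ANONYMIZER = "href.li"
KNOWN_BAD = {"boxsearch.net", "securestatsweb.pw", "socialtrain.biz"}

# Constructed log lines (assumed format): unix_ts client requested_host referrer_host ("-" = none)
SAMPLE_LOG = """\
1385976000 10.0.0.5 directrev.com -
1385976001 10.0.0.5 boxsearch.net directrev.com
1385976002 10.0.0.5 href.li boxsearch.net
1385976003 10.0.0.5 securestatsweb.pw -
1385976004 10.0.0.5 socialtrain.biz securestatsweb.pw
1385976010 10.0.0.7 example.org -
1385976011 10.0.0.7 href.li example.org
1385976012 10.0.0.7 example.net -
1385976020 10.0.0.9 popads.net -
1385976021 10.0.0.9 href.li popads.net
1385976022 10.0.0.9 securestatsweb.pw -
"""


def parse_log(text):
    """Parse lines into (ts, client, host, referrer) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, host, ref = parts
        records.append((int(ts), client, host, None if ref == "-" else ref))
    return records


def build_chains(records, window=30):
    """Group each client's requests, in time order, into chains; a gap > window starts a new one."""
    by_client = defaultdict(list)
    for rec in sorted(records):          # sorts by timestamp first
        by_client[rec[1]].append(rec)
    chains = []
    for client, recs in by_client.items():
        current = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if cur[0] - prev[0] > window:
                chains.append((client, current))
                current = []
            current.append(cur)
        chains.append((client, current))
    return chains


def landing_after_anonymizer(chain):
    """Host requested right after href.li with no referrer (the 'covered tracks' hop), or None."""
    for here, nxt in zip(chain, chain[1:]):
        if here[2] == ANONYMIZER and nxt[3] is None:
            return nxt[2]
    return None


def find_suspicious(records):
    """Chains that go href.li -> (blank referrer) -> a known-bad host, as (client, hosts)."""
    hits = []
    for client, chain in build_chains(records):
        landed = landing_after_anonymizer(chain)
        if landed is not None and landed in KNOWN_BAD:
            hits.append((client, [r[2] for r in chain]))
    return hits


def anonymizer_bad_ratio(records):
    """Share of href.li-using chains whose next hop is known-bad: how 'noticeable' the service's users are."""
    total = bad = 0
    for _, chain in build_chains(records):
        landed = landing_after_anonymizer(chain)
        if landed is None:
            continue
        total += 1
        if landed in KNOWN_BAD:
            bad += 1
    return bad / total if total else 0.0


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, hosts in find_suspicious(recs):
        print(client, " -> ".join(hosts))
    print("known-bad share of href.li chains:", anonymizer_bad_ratio(recs))
```

The ratio function is the point of the post in code form: once the hosts on either side of href.li are already classified, the anonymizer hop does not hide anything, it simply becomes another attribute that the known-bad chains share.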


There is a mix of traffic using href.li, of course, but the largest user, by far, was this gang of cybercriminals. Which makes them rather...noticeable.

The mental image that comes to mind is of a group of shady characters wearing matching T-shirts bearing a logo like "Don't arrest me! I'm a law-abiding citizen!" (in a variety of bright neon gang-affiliated colors, of course). It won't take the cops long to notice that the majority of folks wearing these shirts around town are people already known (or suspected) to be gang members. Which makes them easy to pick out of a crowd...

Since WebPulse knew about the "gang members" at multiple levels of this attack, about all the href.li traffic accomplished was to draw more attention to the gang -- and to make it pretty easy to round up several additional groups of shady characters who were also using the service.

:)


--C.L.

@bc_malware_guy