Heimdall reports: Caution advised with phishing attacks using bit.ly links

In recent days, the security experts at NoSpamProxy have recorded a significant increase in phishing attacks that use the well-known URL shortening service bit.ly. The attackers follow the familiar "hello spam" pattern.

The emails in question contain only a very short message and exactly one phishing link. Here are some current examples:

Increased occurrence of bit.ly links

Typically, the message consists of an emoji, followed by a very short text and then a bit.ly link. The data collected by Heimdall shows a clearly increased occurrence of bit.ly links:

Graph: bit.ly links (per hour) in Heimdall

The graph shows the number of sightings of bit.ly links per hour in Heimdall. The assumption is that a large part of the additional volume is due to phishing (for 15 September 2020 this would be just under 20,000 URLs). These attacks pose a high risk.

Heimdall sends warnings for affected URLs

In recent months we have had good success with Heimdall against "hello spam". Until now, however, these phishing waves used lesser-known URL shortening services or machine-generated blogspot pages, both of which are easy to recognise as malicious. With the bit.ly URLs used here this is not as easy, because bit.ly links also appear in legitimate email communication. Due to the particular threat situation, the Heimdall service is currently sending a warning for these URLs: for all customers already participating in the Heimdall beta, affected emails receive 2 additional SCL points (Spam Confidence Level). Because these emails show few other suspicious characteristics, this unfortunately does not always lead to rejection.

How can spam emails with bit.ly links be blocked?

For stricter handling of these spam emails, we recommend the following temporary local modification:

Under NoSpamProxy Management Console > Configuration > Preferences > Word matches > "Add", create a word group as shown in the example and define the pattern for bit.ly links in it.

Then, in the inbound rules (NoSpamProxy Management Console > Configuration > Rules), add the "Word matches" filter under "Filters" (if it is not already in use) and select the newly created word group "Blocked Links".

With this procedure, all emails containing bit.ly URLs are rejected, including legitimate ones. Our current data shows that the attacks are at present sent mainly from "outlook.com" or "hotmail.com" addresses. This finding allows a more selective approach that reduces the false-positive rate.

First, create a new custom rule, e.g. by duplicating the existing "All other inbound mails" rule. The word group "Blocked Links" created above is then used only in this new rule. Under "Message Flow", the new rule can be restricted to the relevant MAIL FROM domains. Note that this restriction acts on the SMTP envelope sender (MAIL FROM), not on the From header, and that the sender domains of the wave may change, so the modification should be reviewed regularly as long as it is in place:
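
To make the trade-off between the two variants concrete, the following Python models them outside the product: a blanket word match that rejects every email containing a bit.ly link, and the same word match restricted to the listed MAIL FROM domains. This is an added example, not NoSpamProxy's code or configuration. The page does not show the pattern behind the "Blocked Links" word group, so the regular expression is an assumption, and the sample messages, addresses and short codes are constructed for the example.

```python
"""Model of the two bit.ly blocking variants (added example, not NoSpamProxy code)."""
import re
from email import message_from_string
from email.message import Message

# ASSUMPTION: the regex behind the "Blocked Links" word group is not shown on the
# page; this one matches bit.ly links with or without a scheme and captures the code.
BITLY_PATTERN = re.compile(
    r"(?:https?://)?(?:www\.)?bit\.ly/([A-Za-z0-9_-]+)", re.IGNORECASE
)

# MAIL FROM domains named above as the main senders of the current wave.
RESTRICTED_MAIL_FROM_DOMAINS = frozenset({"outlook.com", "hotmail.com"})


def text_body(msg: Message) -> str:
    """Return the decoded text of all text/plain and text/html parts."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True)  # undoes quoted-printable/base64
        if payload:
            charset = part.get_content_charset() or "utf-8"
            chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def find_bitly_links(raw_message: str) -> list:
    """Short codes of all bit.ly links in the body (the word match itself)."""
    return BITLY_PATTERN.findall(text_body(message_from_string(raw_message)))


def mail_from_domain(mail_from: str) -> str:
    """Domain of the SMTP envelope sender, lower-cased ('' for the null sender).

    The rule restriction acts on the envelope, so a spoofed From: header
    does not change the outcome.
    """
    address = mail_from.strip().strip("<>")
    return address.rpartition("@")[2].lower()


def blanket_rule(raw_message: str) -> str:
    """Variant 1: word group in the catch-all rule; every bit.ly link is rejected."""
    return "reject" if find_bitly_links(raw_message) else "accept"


def restricted_rule(raw_message: str, mail_from: str) -> str:
    """Variant 2: word group only in a rule limited to the listed MAIL FROM domains."""
    if mail_from_domain(mail_from) in RESTRICTED_MAIL_FROM_DOMAINS:
        return blanket_rule(raw_message)
    return "accept"


# Constructed samples (not real captures); short codes and addresses are made up.
HELLO_SPAM = (
    "From: IT Support <helpdesk@example.org>\r\n"  # spoofed header From
    "To: user@example.org\r\n"
    "Subject: hello\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "=F0=9F=91=8B Hi, please check http://bit.ly/3AbCdEf\r\n"  # waving hand + one link
)
HELLO_SPAM_MAIL_FROM = "<j.doe1984@hotmail.com>"  # envelope sender differs from header

NEWSLETTER = (
    "From: news@partner.example\r\n"
    "To: user@example.org\r\n"
    "Subject: Monthly update\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Hello team,\r\n\r\nthe slides are at https://bit.ly/partner-sep2020 as usual.\r\n"
)
NEWSLETTER_MAIL_FROM = "<bounce@partner.example>"

PLAIN = (
    "From: colleague@partner.example\r\n"
    "To: user@example.org\r\n"
    "Subject: Lunch?\r\n"
    "\r\n"
    "Are you free at noon?\r\n"
)
PLAIN_MAIL_FROM = "<colleague@partner.example>"


def evaluate_samples() -> dict:
    """(blanket verdict, restricted verdict) per sample; shows the false positive."""
    samples = {
        "hello_spam": (HELLO_SPAM, HELLO_SPAM_MAIL_FROM),
        "newsletter": (NEWSLETTER, NEWSLETTER_MAIL_FROM),
        "plain": (PLAIN, PLAIN_MAIL_FROM),
    }
    return {
        name: (blanket_rule(raw), restricted_rule(raw, mail_from))
        for name, (raw, mail_from) in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate_samples().items():
        print(f"{name:<11} blanket={verdicts[0]:<7} restricted={verdicts[1]}")
```

Running the block shows the point of the second variant: the blanket rule rejects the legitimate newsletter alongside the phishing mail, while the restricted rule rejects only the message whose envelope sender domain is on the list. The spoofed From header on the phishing sample is irrelevant to both variants, just as it is to the "Message Flow" restriction in the product.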

Use Heimdall now

The Heimdall action in NoSpamProxy collects and analyses metadata about emails and attachments. The goal is to build an even more powerful anti-malware intelligence that detects and fends off spam and malware attacks faster and more precisely. If you are interested in using the beta version of Project Heimdall, send an email with the subject "Heimdall activation" to NoSpamProxy support and attach a screenshot of your licence details.

The Security Insider picked up our blog article and published a post about it.