Cybersecurity

How threat actors are repurposing digital analytic tools to amplify their attacks

Gone are the days of tools such as link shorteners, IP geolocation utilities, and competitive intelligence being limited to marketers looking to optimize their marketing efforts.

Francis Scialabba


Link shorteners, IP geolocation utilities, and CAPTCHAs are among the latest tools in the threat actor “playbook” for amplifying malicious campaigns.

Digital analytic and advertising tools are no longer limited to professionals in their respective industries. In a recent blog post, researchers from Mandiant and Google Cloud claimed that bad actors are weaponizing these innovative tools to add malicious data analytics—dubbed “malnalytics”—capabilities to their campaigns to expand their reach and evade detection by security tools.

Gone phishing. The researchers wrote that threat actors are using link-shortening services for purposes beyond beautifying a long link. Instead, attackers are using link shorteners to conceal the URL of malicious landing pages and redirect victims during the initial access phase of an attack chain. In one example provided, cyber espionage group MuddyWater used link shorteners to guide users to a phishing lure document hosted on a cloud storage provider in 2022.

DomainTools Product Marketing Manager Malachi Walker told IT Brew that he saw the tactic used throughout an Arc web browser launch campaign.

“I found a couple of them that are either spelled ‘ark windows’ or ‘aru windows,’ where it’s very close and if they have the right picture…[and] the right URL masked over it, you might not even notice it,” Walker said.

The researchers also noted that threat actors are using CAPTCHA services to bypass detonation processes that determine whether or not a URL is malicious. Attackers may send out phishing emails containing a link to a CAPTCHA screening domain that directs users to malicious content.

“The prevalence of bot classification tools on the Internet generates a sense of familiarity with users. And familiarity builds confidence,” Ryan Tomcik, a Mandiant and Google Cloud principal security analyst and co-author of the August blog post, told IT Brew in an email via Melanie Lombardi. “Users may associate bot classification tool logos or landing pages as legitimate, regardless of the circumstances.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Upgraded gameplans. The researchers also stated that attackers are leveraging IP geolocation utilities and competitive intelligence tools to aid in creating more strategic attacks. With access to services such as ip2location.io, an IP geolocation API lookup service, attackers can redirect a subset of users with specific connection types and locations to malicious web pages, while generating error codes for those using a VPN or The Onion Router (Tor).

They added that search engine marketing and competitive intelligence tools can aid bad actors in executing a malvertising campaign by granting them access to valuable information such as the success of victim flows from previous malvertising campaigns and characteristics of campaigns that have made it past moderation filters.

“It’s kind of like Pandora’s boxes have been opened and there’s a lot of access to tools that can make some really straight-level, low-line strategies a lot more sophisticated looking,” Walker said.

Gear up. Threat actors may have more tools at their disposal to craft targeted attacks, but all is not lost for defenders. The Mandiant and Google Cloud researchers suggested cybersecurity professionals adopt the following safeguards:

  • For weaponized link shorteners: consider implementing a form of automated analysis that can detect, for example, whether a shortened URL has appeared multiple times in a short span of time and whether it leads to an archive file on a cloud-hosting service.
  • For weaponized IP geolocation utilities: use endpoint telemetry to correlate observed URL-based telemetry data with anomalous events.
  • For well-thought-out malvertising campaigns: amp up your current browser security settings.
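One way to implement the link-shortener check above, as an added example that is not from the Mandiant and Google Cloud post or from IT Brew: a small Python script that walks a constructed click log (shortened URL plus the destination it resolved to) and flags links that either recur within a short window or land on an archive file at a cloud-hosting service. The shortener and cloud-storage watchlists, the ten-minute window, the three-click threshold and the log format are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed watchlists for this example; extend them for your own environment.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
CLOUD_STORAGE_HOSTS = {"drive.google.com", "dropbox.com", "onedrive.live.com"}
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|iso|img)$", re.IGNORECASE)

# Constructed sample click log: "timestamp clicked_url final_url_after_redirects".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z https://bit.ly/3xmpl1 https://www.dropbox.com/s/abc/Invoice_0423.zip
2024-05-01T09:00:40Z https://bit.ly/3xmpl1 https://www.dropbox.com/s/abc/Invoice_0423.zip
2024-05-01T09:02:15Z https://bit.ly/3xmpl1 https://www.dropbox.com/s/abc/Invoice_0423.zip
2024-05-01T09:05:00Z https://t.co/news42 https://example.org/blog/post
2024-05-01T14:10:00Z https://tinyurl.com/q4report https://onedrive.live.com/share/Q4_Report.7z
"""

def _host_in(host, watchlist):
    """True if host equals, or is a subdomain of, an entry in watchlist."""
    return any(host == h or host.endswith("." + h) for h in watchlist)

def parse_log(text):
    """Parse log lines into (timestamp, clicked_url, final_url) tuples."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, clicked, final = line.split()
            records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), clicked, final))
    return records

def analyze(records, window=timedelta(minutes=10), threshold=3):
    """Return {short_url: sorted reasons} for shortened links that trip a heuristic."""
    clicks, findings = defaultdict(list), {}   # short URL -> timestamps seen so far
    for ts, clicked, final in sorted(records):
        if not _host_in(urlparse(clicked).hostname or "", SHORTENER_HOSTS):
            continue
        clicks[clicked].append(ts)
        reasons = set()
        # Heuristic 1: the same short URL appears `threshold` times within `window`.
        if sum(1 for t in clicks[clicked] if ts - t <= window) >= threshold:
            reasons.add("burst")
        # Heuristic 2: the redirect lands on an archive file at a cloud-hosting service.
        dest = urlparse(final)
        if _host_in(dest.hostname or "", CLOUD_STORAGE_HOSTS) and ARCHIVE_EXT.search(dest.path):
            reasons.add("cloud-archive")
        if reasons:
            findings.setdefault(clicked, set()).update(reasons)
    return {url: sorted(r) for url, r in findings.items()}
```

The final URL is assumed to come from a proxy or sandbox that followed the redirect chain; as the article notes, a CAPTCHA gate can stop that resolution short, so a bot-classification page turning up as the destination is itself worth surfacing.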

Walker added that one of the most important tasks for cybersecurity professionals looking to thwart these sorts of tricks is to remain aware of the latest threats.

“[I]t’s MuddyWater today, it’s something else tomorrow,” he said.

