Bitly Imitation Leads to Malware Download

URL shortening services can be a marketing person’s and social media buff’s best friend. However, they can become a cause of worry for users who are conscious about the security of their systems and personal information.

These services trim down the character count of a URL and track clicks, but online criminals also use them to mask malicious URLs.

Among the URL shorteners available online, Bitly remains one of the three most popular brands, alongside Goo.gl and Ow.ly.

Although the bit.ly URL has been in service since 2008, we’re only beginning to see several bogus iterations of it being used in the wild.

We’ve seen a number of accounts on YouTube and others sharing various links to game cracks from the imitation Bitly URL, btly[DOT]pw. These links usually follow the format btly[DOT]pw/{name of video game}. Below are some of the titles that malicious actors use to get interested parties to click and share such links with others in their network:

  • ARMA 2
  • Alien: Isolation
  • Bulletstorm
  • Chivalry: Medieval Warfare
  • Counter Strike 3
  • Dead Rising 3
  • Don’t Starve Together
  • Endless Legend
  • F1 2014
  • Fable: Anniversary Edition
  • Far Cry 4
  • Farming Simulator 2015
  • FIFA 15
  • Five Nights at Freddie’s 2
  • Garry’s Mod
  • Heroes of Might and Magic 3
  • Huniepop
  • Kerbal Space Program
  • Killing Floor
  • Left 4 Dead 2
  • Legend of Grimrock
  • Life is Feudal
  • Metro 2033
  • Minecraft
  • NBA 2K15
  • Payday: The Heist
  • Plague Inc. – Evolved
  • Rust
  • Saints Row: Gat Out of Hell
  • Sims 4 Deluxe Edition
  • South Park: The Stick of Truth
  • Space Engineers
  • SpeedRunners
  • Starbound
  • Stronghold Crusader 2
  • Terraria
  • The Elders Scrolls V: Skyrim
  • The Forest
  • The Hunter Primal
  • The Talos Principle
  • The Walking Dead Season 2
  • Train Fever
  • Train Simulator 2013
  • Trine
  • Viking Conquest
  • Wasteland 2
  • Watch_Dogs
  • XCOM: Enemy Unknown
  • Xenonauts

We’re still working our way through testing links pertaining to the above games, but for the sake of brevity, we have picked Left 4 Dead 2, a highly popular zombie apocalypse FPS from Valve, to illustrate how this particular .pw campaign works.

The URL is btly[DOT]pw/left4dead2. Users visiting this are led to a free file-sharing site, in this case ZippyShare, where they can download and extract the file. Screenshot below:

[Screenshot: Left 4 Dead 2 download page]

Ads pretending to be the download button for the file may cause confusion for some users. The real one is at the rightmost side of the text.

Below is a screenshot of the RAR-compressed file once extracted, with a snapshot of the executable’s properties, which shows that it was once a “Steam Installer”:

[Screenshot: L4D2-crack-properties]

Here is what the read me text file says:

[Screenshot: L4D2-crack-readme]

Nothing too difficult - this is an easy crack! In order for this setup to run without any difficulty, please disable your anti-virus for at least 10 minutes while everything is being installed.  You can re-enable it after the installation is complete.

1. Install the setup (by clicking setup.exe).

* Disable anti-virus for at least 10 minutes during the installation.
* Make sure you are connected to the internet.
* Wait for the installer to download all the game files from the developer's server.

2. Locate the directory where you installed the game.

3. Copy all the items inside the "Crack" folder & paste to the game directory.

4. Run the game.

* You can now re-enable your anti-virus.

You're done! Enjoy, and have a nice day!

The Crack folder contains two DLL files, Steam_api.dll and User_license.dll, and keyinfo.ini, which contains further instructions. The two DLL files are actually duplicates of each other.

[Screenshot: L4D2-crack-keyinfo]

Copy the dll files and paste and replace each of the dll files in the program directory.

Malwarebytes Anti-Malware (MBAM) detects the main executable, Left 4 Dead 2 Setup.exe, as Trojan.Dropper.NS.

Elsewhere, another imitation Bitly link—this time, btly[DOT]org—is said to be used in a spam campaign that led recipients to a fake BBC site that advertises questionable Garcinia Cambogia dietary supplements.

Please be reminded that the official website for Bitly, where users can shorten URLs, is https://bitly.com. Shortened URLs always begin with bit.ly. Anything else that merely resembles the real thing may need to be ignored, reported, and/or blacklisted.
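As an added illustration (not code from the original post), here is a small Python check that flags hostnames imitating the genuine shorteners named above, accepting the defanged btly[DOT]pw notation used in this post. The allow-list, the brand strings and the edit-distance threshold are assumptions and would need tuning for real traffic.

```python
"""Flag URLs whose host imitates a known URL shortener (e.g. btly.pw vs bit.ly)."""
from urllib.parse import urlsplit

# Assumed allow-list: the genuine shortener hosts named in the post.
LEGIT_HOSTS = {"bit.ly", "bitly.com", "goo.gl", "ow.ly"}
# Brand strings as a reader "sees" them once dots are ignored, mapped to the real host.
BRANDS = {"bitly": "bit.ly", "googl": "goo.gl", "owly": "ow.ly"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) used to score near-miss brand strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_host(url: str) -> str:
    """Lowercase hostname; accepts defanged forms such as btly[DOT]pw or hxxp://."""
    cleaned = url.replace("[DOT]", ".").replace("[.]", ".").replace("hxxp", "http")
    if "://" not in cleaned:
        cleaned = "http://" + cleaned
    host = (urlsplit(cleaned).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _letters(s: str) -> str:
    return "".join(ch for ch in s if ch.isalpha())


def classify(url: str, max_distance: int = 1):
    """Return (verdict, matched_host): 'legitimate', 'lookalike' or 'unrelated'."""
    host = normalize_host(url)
    if host in LEGIT_HOSTS:
        return ("legitimate", host)
    # Two views of the host: all letters, and letters without the TLD, so both
    # bitly.ru (same brand, other TLD) and btly.pw (brand with a dropped letter) score.
    views = {_letters(host), _letters(host.rsplit(".", 1)[0])}
    best = None
    for brand, real in sorted(BRANDS.items()):
        d = min(levenshtein(v, brand) for v in views)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, real)
    return ("lookalike", best[1]) if best else ("unrelated", None)


if __name__ == "__main__":
    # Constructed sample inputs, including the defanged link from the post.
    for u in ["https://bit.ly/1abc", "btly[DOT]pw/left4dead2", "btly[DOT]org", "https://www.example.com/"]:
        print(u, "->", classify(u))
```

A threshold of one edit on four- or five-letter brands is deliberately aggressive and will produce false positives on ordinary words; in practice this belongs behind an allow-list of known-good domains.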

Jovi Umawing
