We noticed a certain Bit.ly link getting some attention over the last few days, and stopped to take a closer look.

The bit.ly link, which has had 1,901 clicks since September 7 (985 of occured over the last 3 days), shows numerous email service referrers in the Bit.ly stats in relation to "Where this is being shared". While we don't have a copy of an email, it seems a safe bet to think it would be one of those "You have an important document waiting" messages so beloved of spammers everywhere.

We managed to find a hit for the Bit.ly link contained in a particular PDF document called "Scan002.pdf".

Piecing it all together, the run of play appears to be:

  1. Potential victim receives a "You have a document waiting" type missive via email (and possibly other channels).
  2. They either open an attached PDF document, or are linked to it directly (the latter would be a somewhat more cumbersome method).
  3. The PDF document, which does not appear to be malicious, displays the following:
Bit.ly link in PDF
This PDF version is not supported. Click here to view online
Clicking the Bit.ly link takes the clicker to


From there, the URL will suddenly appear to make little sense to most people as it switches from something the above, to what may seem like a long line of gibberish.

It's phishing time...

What's actually happening here is something called Data URI phishing, an attempt at disguising a phish attack from potential victims which we see every now and again. After entering an email address and password, hitting the "Your Document" button leads to the following "Document has been removed" splash:

"Document removed"

After this, the victim is forwarded on to the frontpage of a free file hosting service to complete the illusion.

Regardless of how a "file waiting for you online" comes to your initial attention, always be wary and never hand over your login credentials to unfamiliar websites - especially if a random email should come into play. It simply isn't worth the risk.

Christopher Boyd