If you leave it, they will come

We've posted a number of times here about URL shorteners (2010-03-31, 2014-08-06, 2014-02-13) and how they are abused by spammers. Today, we came across a URL shortener site using the seemingly popular YOURLS package, hosted on a short domain belonging to a large global entity. We can only guess that it was set up some time ago by someone working there and then left in place and forgotten about. Perhaps it was set up as a test by someone who subsequently left the organisation, and it never became part of their official infrastructure. What was interesting about this particular site is that the admin directory was left without any restrictions, allowing the whole world to see all the URLs that had been shortened by it.

[Image: compromised_shortener]

The first URL, still in the log, was shortened back in April 2015, and then there was nothing until the spammers (re)discovered it on 5th November and proceeded to create many short URLs hiding the links to their real spammy content. Why would the spammers do this? Well, analysing the real content shows that Cloudmark has been blocking it for almost 2 weeks. By hiding behind the shortened URLs, they are able to get a little more use out of seemingly spammy content.

This admin page also helpfully shows the number of times each URL was clicked, although for the ones that link to images this will be more akin to an 'open', which is why those show much larger numbers.

The wider issue that this open admin page highlights is that if you install something and leave it lying around without updates, you will eventually see it abused. As well as hundreds of these URL shortener sites and countless image hosting sites, we constantly see spam making use of compromised Joomla and WordPress sites. In the case of the former, we've seen tens of thousands of Joomla 1.5 sites hacked years after a patch was made available for the vulnerabilities they contain.
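
The log pattern described above (one early entry, a long silence, then a sudden run of new short URLs) is something an operator can check for in their own shortener's records. The following is an added example, not code from the original post or from YOURLS; the row format, thresholds and sample timestamps are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows (creation time, short keyword), shaped like an
# export of a shortener's URL table. Illustrative only, not data from the post.
SAMPLE_ROWS = [
    ("2015-04-14 09:12:00", "test1"),
    ("2015-11-05 02:01:10", "a1"),
    ("2015-11-05 02:01:40", "a2"),
    ("2015-11-05 02:03:05", "a3"),
    ("2015-11-05 02:07:30", "a4"),
    ("2015-11-05 03:15:00", "a5"),
    ("2015-11-05 03:15:20", "a6"),
    ("2015-11-06 11:00:00", "a7"),
]

def find_reactivations(rows, dormant_days=90, burst_count=5,
                       burst_window=timedelta(hours=24)):
    """Flag a long quiet period that ends in a burst of new short URLs.

    Returns a list of (last_seen_before_gap, burst_start, urls_in_window).
    Thresholds are assumptions; tune them to the service's normal usage.
    """
    times = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for ts, _ in rows)
    findings = []
    for prev, cur in zip(times, times[1:]):
        if cur - prev < timedelta(days=dormant_days):
            continue  # normal spacing, not a dormant gap
        # Count creations in the window that opens when activity resumes.
        in_window = sum(1 for t in times if cur <= t < cur + burst_window)
        if in_window >= burst_count:
            findings.append((prev, cur, in_window))
    return findings

if __name__ == "__main__":
    for last_seen, resumed, count in find_reactivations(SAMPLE_ROWS):
        print(f"dormant since {last_seen}, {count} URLs created from {resumed}")
```

A hit from a check like this on a service nobody remembers owning is a prompt to lock down or retire it, not just to purge the new entries.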