Authors: Faheem Khan, Mahdi Fadaee and Cuneyt Karul
Ow.ly is a popular link shortening service that allows Hootsuite service users to shorten links in a post prior to publishing it on social media. As with many other popular tools, this service is frequently abused by malicious actors to anonymize and spread phishing and spam content to unsuspecting recipients. When this happens, Hootsuite receives complaints from recipients of these phishing activities and many abuse monitoring organizations. Cost, time, scalability, and brand reputation are just a few of the challenges that arise when handling abuse cases.
Our original process for removing Ow.ly links reported as malicious was very manual. We created a security incident for each abuse report and assigned it to our Security Incident Response team. The IR team had a manual review process that involved reviewing and deleting malicious links, which was time-consuming. Due to the volume and frequency of these abuse reports, our team would spend countless extra hours closing these tickets.
In this article, we will cover both the reactive and the proactive automation approaches we took to significantly improve our process of handling malicious Ow.ly links and how it lifted the burden off the shoulders of our Customer Support and Security Incident Response teams at Hootsuite.
The problem at hand is a typical case of whack-a-mole.
A sample abuse report sent to [email protected] by PhishLabs
To accelerate this process, we needed a way to automate the manual work so that we could respond quickly and efficiently. The objective was to delete all links reported by a verified source in less than five minutes, with a script that requires minimal maintenance. To reach this goal, we decided to use Google Apps Script, as it integrates with the Google Workspace products used by Hootsuite, particularly Gmail.
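The following is an added example of what that reactive path can look like as a Google Apps Script project; it is not Hootsuite's script. The pure functions (sender verification, link extraction, triage) run in any JavaScript runtime, while only `processAbuseReports()` touches Apps Script services (`GmailApp`, `UrlFetchApp`, `PropertiesService`). The reporter allowlist, the takedown endpoint and the Gmail search query are assumptions; the sample report is constructed.

```javascript
// Added example, not Hootsuite's code. Pure helpers run anywhere; only
// processAbuseReports() depends on Google Apps Script services.

// Assumption: a report is only acted on when its sender is on this allowlist
// ("verified source"). Addresses are constructed placeholders.
const VERIFIED_REPORTERS = ["abuse@reporter.example", "alerts@phishlabs.example"];

// Assumption: hypothetical internal endpoint that deletes Ow.ly links.
const TAKEDOWN_ENDPOINT = "https://owly-admin.internal.example/api/links/delete";

// Reduce a Gmail "From" header such as `PhishLabs <abuse@reporter.example>`
// to the bare, lower-cased address.
function senderAddress(fromHeader) {
  const m = /<([^>]+)>/.exec(fromHeader);
  return (m ? m[1] : fromHeader).trim().toLowerCase();
}

function isVerifiedReporter(fromHeader) {
  return VERIFIED_REPORTERS.includes(senderAddress(fromHeader));
}

// Extract every Ow.ly short link from a report body, normalise scheme and
// host, and de-duplicate. Defanged forms (hxxp://, ow[.]ly) are accepted
// because reporters commonly use them.
function extractOwlyLinks(body) {
  const text = body.replace(/hxxps?:\/\//gi, "http://").replace(/\[\.\]/g, ".");
  const re = /https?:\/\/(?:www\.)?ow\.ly\/([A-Za-z0-9]+)/gi;
  const found = new Set();
  let m;
  while ((m = re.exec(text)) !== null) {
    found.add("https://ow.ly/" + m[1]);
  }
  return [...found];
}

// Decide what to do with one message: delete the listed links, or skip with a reason.
function triageReport(fromHeader, body) {
  if (!isVerifiedReporter(fromHeader)) {
    return { action: "skip", reason: "unverified sender", links: [] };
  }
  const links = extractOwlyLinks(body);
  if (links.length === 0) {
    return { action: "skip", reason: "no ow.ly links", links: [] };
  }
  return { action: "delete", reason: "", links };
}

// Apps Script entry point, intended for a time-driven trigger every few
// minutes. Only runs inside Apps Script (assumed search query and token name).
function processAbuseReports() {
  const threads = GmailApp.search("to:abuse is:unread newer_than:1d");
  for (const thread of threads) {
    for (const msg of thread.getMessages()) {
      if (!msg.isUnread()) continue;
      const result = triageReport(msg.getFrom(), msg.getPlainBody());
      if (result.action === "delete") {
        const token = PropertiesService.getScriptProperties().getProperty("TAKEDOWN_TOKEN");
        UrlFetchApp.fetch(TAKEDOWN_ENDPOINT, {
          method: "post",
          contentType: "application/json",
          payload: JSON.stringify({ links: result.links }),
          headers: { Authorization: "Bearer " + token },
        });
      }
      msg.markRead();
    }
  }
}

// Constructed sample report for a local run.
const SAMPLE_REPORT = `Please remove the following phishing links:
hxxp://ow[.]ly/abc123
https://ow.ly/abc123
http://www.ow.ly/XyZ789`;

console.log(triageReport("PhishLabs <abuse@reporter.example>", SAMPLE_REPORT));
```

Keeping the parsing and the decision in plain functions makes the part that matters testable outside Gmail; the trigger function is a thin shell around them, which is what keeps the script low-maintenance.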
As shown in the figures below, more than 60% of our security incidents were caused by partner-abuse emails before this automation.
Distribution of security incidents before launching reactive abuse automation
Daily chart of partner-abuse incidents over a period of a month, compared with other incidents
As shown in the chart above, this automation project eliminated up to 30 daily abuse-related incidents, with a guarantee that all reported cases are resolved in under five minutes.
We also leveraged Google Data Studio to create a dashboard, which gives us useful metrics about reporters, links and daily statistics in real time.
Although the reactive approach efficiently replaced the manual process, it did not provide enough assurance that all Ow.ly shortened links are safe for our users. This led us to take an extra step to seek a proactive approach as well. Our aim was to check all Ow.ly links within a few minutes after they are created to see if there is a malicious URL behind them.
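As an added example of the proactive check (not Hootsuite's AbuseBot), the Node.js Lambda-style handler below takes a batch of recently created short links, follows each redirect chain and flags any hop whose host is known-bad. The redirect resolver and the host-reputation lookup are injected, so the logic runs offline here against a constructed redirect table and denylist; in a deployment they would be an HTTP client and a URL-reputation service, both of which are assumptions, as is the event shape.

```javascript
// Added example, not Hootsuite's code. Lambda-style link checker with
// injectable resolver and reputation lookup so it runs offline.

const MAX_HOPS = 5;

// Constructed redirect table standing in for live HTTP responses.
const FAKE_REDIRECTS = {
  "https://ow.ly/abc123": "https://short.example/x9",
  "https://short.example/x9": "https://login-verify.example/",
  "https://ow.ly/good01": "https://hootsuite.example/blog",
  "https://ow.ly/loop01": "https://ow.ly/loop01",
};

// Constructed denylist standing in for a reputation feed.
const FAKE_BAD_HOSTS = new Set(["login-verify.example"]);

// Follow redirects until a non-redirecting URL, the hop limit, or a loop.
function resolveChain(url, resolver, maxHops = MAX_HOPS) {
  const chain = [url];
  let current = url;
  for (let i = 0; i < maxHops; i++) {
    const next = resolver(current);
    if (!next) return { finalUrl: current, chain, status: "resolved" };
    if (chain.includes(next)) return { finalUrl: next, chain, status: "loop" };
    chain.push(next);
    current = next;
  }
  return { finalUrl: current, chain, status: "too-many-hops" };
}

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return ""; }
}

// Classify one link. Every hop is checked, not only the final URL, so a
// malicious intermediate host is caught as well.
function assessLink(shortUrl, resolver, isBadHost) {
  const { finalUrl, chain, status } = resolveChain(shortUrl, resolver);
  const badHop = chain.find((u) => isBadHost(hostOf(u)));
  if (badHop) {
    return { shortUrl, verdict: "malicious", reason: "denylisted host " + hostOf(badHop), finalUrl };
  }
  if (status !== "resolved") {
    return { shortUrl, verdict: "suspicious", reason: status, finalUrl };
  }
  return { shortUrl, verdict: "clean", reason: "", finalUrl };
}

// Lambda-style handler. A real Lambda export would call this with the
// event and production dependencies; the event shape is an assumption.
function handler(event, deps = {}) {
  const resolver = deps.resolver || ((u) => FAKE_REDIRECTS[u]);
  const isBadHost = deps.isBadHost || ((h) => FAKE_BAD_HOSTS.has(h));
  const results = event.links.map((l) => assessLink(l, resolver, isBadHost));
  return {
    toDelete: results.filter((r) => r.verdict === "malicious").map((r) => r.shortUrl),
    toReview: results.filter((r) => r.verdict === "suspicious").map((r) => r.shortUrl),
    results,
  };
}

// Constructed batch of links created in the last few minutes.
const SAMPLE_EVENT = {
  links: ["https://ow.ly/abc123", "https://ow.ly/good01", "https://ow.ly/loop01", "https://ow.ly/unknown"],
};

console.log(JSON.stringify(handler(SAMPLE_EVENT), null, 2));
```

Splitting the outcome into `toDelete` and `toReview` matters operationally: a confirmed denylist hit can be removed automatically, while loops and over-long chains are worth a human look rather than an automatic takedown, since they are often misconfiguration rather than abuse.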
To accomplish this, we created an AWS Lambda application, dubbed AbuseBot, comprising three functions:
The AbuseBot effectively removes dozens of malicious links every day, and is considered our first layer of defense against adversaries abusing the Ow.ly service. As with the reactive approach, we collect metrics to monitor the performance of the service and improve it over time. A few improvements we have planned include:
The Ow.ly link shortening service enables Hootsuite users to shorten links before posting them to their social media. A problem we were facing was that threat actors were using the Ow.ly service to spread malicious content (phishing and spam).
Our existing process of manually verifying and deleting links was a monotonous and slow task. In a matter of two weeks we were able to automate the task end-to-end using Google Apps Script and AWS Lambda functions. Besides improving the accuracy and the speed of taking down malicious links, our automation allows us to create detailed metrics, which help us to monitor our processes more effectively.
Overall, automation of the process has made the Ow.ly link shortener a more secure and trusted service.