Automating Ow.ly Abuse Responses
Authors: Faheem Khan, Mahdi Fadaee and Cuneyt Karul
Introduction
Ow.ly is a popular link shortening service that allows Hootsuite service users to shorten links in a post prior to publishing it on social media. As with many other popular tools, this service is frequently abused by malicious actors to anonymize and spread phishing and spam content to unsuspecting recipients. When this happens, Hootsuite receives complaints from recipients of these phishing activities and many abuse monitoring organizations. Cost, time, scalability, and brand reputation are just a few of the challenges that arise when handling abuse cases.
Our original process for removing Ow.ly links reported as malicious was very manual. We created a security incident for each abuse report, and assigned them to our Security Incident Response team. The IR team had a manual review process that involved reviewing and deleting malicious links which was time-consuming. Due to the volume and frequency of these abuse reports, our team would spend countless extra hours closing these tickets.
In this article, we will cover both the reactive and the proactive automation approaches we took to significantly improve our process of handling malicious Ow.ly links and how it lifted the burden off the shoulders of our Customer Support and Security Incident Response teams at Hootsuite.
The Reactive Approach
The problem at hand is a typical case of whack-a-mole.
- The attackers create a free Hootsuite account and create a number of Ow.ly links to direct people to their phishing sites.
- Attackers then distribute these Ow.ly links via email or social media.
- Many people receive these phishing/spam emails and some file a complaint to their ISP, SaaS provider or directly to Hootsuite and ask the link to be taken down.
- Third-party abuse reporters send a message to our team (see image below).
- Lastly, our team investigates, takes the links down, and closes the incident.
A sample abuse report sent to abuse@hootsuite.com by PhishLabs
To accelerate this process, we needed a way to automate the manual process so that we can respond quickly and efficiently. The objective was to delete all reported links from a verified source in less than five minutes with a script that requires minimal maintenance. To reach this goal, we decided to use Google App Script as it allows integration with Google Workspace products used by Hootsuite, particularly Gmail.
App Script, which is essentially Javascript hosted by Google, provides us with great flexibility and ease of use because it can seamlessly fetch and process emails sent to our abuse inbox. Using this platform, we created a function that performs a few steps:
- runs every five minutes and scans our abuse inbox for new reports
- extracts all the Ow.ly links, once an abuse report is identified, corrects them as needed (some reports modify links so phishing links are not propagated further)
- checks the links against URL reputation engines, and removes them from the Ow.ly service through an API call if deemed necessary.
As shown in the figures below, more than 60% of our security incidents were caused by partner-abuse emails before this automation.
Distribution of security incidents before launching reactive abuse automation
Daily chart of partner-abuse incidents over a period of month as compared to other incidents
As shown in the chart above, this automation project eliminated up to 30 daily abuse related incidents with a guarantee that all reported cases are resolved in under five minutes.
We also leveraged Google Data Studio to create a dashboard, which gives us useful metrics about reporters, links and daily statistics in real time.
The Proactive Approach
Although the reactive approach efficiently replaced the manual process, it did not provide enough assurance that all Ow.ly shortened links are safe for our users. This led us to take an extra step to seek a proactive approach as well. Our aim was to check all Ow.ly links within a few minutes after they are created to see if there is a malicious URL behind them.
To accomplish this, we created an AWS Lambda application, dubbed AbuseBot, comprising of three functions:
- A scheduler function, which runs every 15 minutes to gather all unverified Ow.ly links and then pass them to the rating function.
- A rating function, which checks all passed links against well-known reputation engines (such as Google Safe Browsing, Spamhaus, etc.) to see if any engine reported the URL as malicious. If any of the integrated engines consider the link to be malicious, the rating function will mark the link for removal.
- A remediation function, which removes all marked Ow.ly links by calling the appropriate APIs.
The AbuseBot effectively removes dozens of malicious links everyday, and is considered as our first layer of defense against adversaries abusing the Ow.ly service. As with the reactive approach, we collect metrics to monitor the performance of the service and improve it over time. A few improvements we have planned, include,
- creating a database of Hootsuite account owners who create abuse links and automate how we deal with them
- creating a consolidated dashboard using our logging infrastructure
- increasing the reputation services we utilize to improve our accuracy.
Conclusion
The Ow.ly link shortening service enables Hootsuite users to shorten links before posting them to their social media. A problem we were facing was that threat actors were using Ow.ly service to spread malicious content (phishing & spam).
Our existing process of manually verifying and deleting links was a monotonous and slow task. In a matter of two weeks we were able to automate the task end-to-end using Google App Script and AWS Lambda functions. Besides improving the accuracy and the speed of taking down malicious links, our automation allows us to create detailed metrics which helps us to monitor our processes more effectively.
Overall, automation of the process has made the Ow.ly link shortener a more secure and trusted service.
