Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: A URL shortener handy for phishers SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
A URL shortener handy for phishers

Reader Fred submitted a suspicious PDF received via email.

It’s a classic phishing PDF (for the Apple Store), like I have analyzed here in previous diary entries. It can be quickly analyzed with pdfid and pdf-parser, like this:

Notice the long URL, with another URL as parameter at the end: this first URL is a redirector.

The second URL, bitleyco, is an URL shortener:

It has some interesting features for an attacker, like Geotargeting and Device targeting:

And also statistics: just append a plus (+) to the URL and you get statistics. Unfortunately for me, I got a 404 for the phishing URL.

This URL shortening service is not very popular:

So you can add this domain (bitleyco dot cc) to your blocklist, your business will not be impacted.

If you know more about this URL shortener, or if it looks similar to other URL shorteners, please post a comment.

Update: I found what software it is: Premium URL Shortener.

Didier Stevens
Senior handler
Microsoft MVP


481 Posts
ISC Handler
Aug 12th 2018
I think site has been removed. All I can find about is this report from urlquery

Sign Up for Free or Log In to start participating in the conversation!