I see the same thing if I take off the first part
ln.is/oUSJYln.is/ looks like a redirect service that embeds the link to share in an iFrame. This is very bad and not secure.
isecguy, you might want to have a look at this, the main ln.is domain could run a script to keylog your username and password.
Hey vmail, sorry I'm late to the party on this, but thanks for flagging this up to me!
I've had a bit of a look, and yes, this is essentially what's known as "cloaking". Instead of redirecting a user's browser directly to a destination URL, the ln.is service instead embeds the destination URL in a full width/height iframe, with no obvious indication that this has happened.
Now, in terms of whether or not this could be used to inject a keylogger to capture your username/password in the ReBS site - this is unlikely, due to the security restrictions imposed by browsers on frames/iframes (i.e. a page can only interact with the contents of an embedded frame if both the page & the frame reside on the same domain).
However, the ln.is service runs on insecure http, so that itself is potentially vulnerable to a MitM (Man-In-The-Middle) style attack, which means that an attacker could compromise the ln.is service and change the target URL that loads in the resulting iframe.
So, in summary, whilst the ln.is itself couldn't inject a keylogger into the ReBS site, the ln.is site could be compromised to redirect to a malicious site masquerading as the legitimate ReBS site, and that site could then harvest credentials, etc.
I would however make the observation that the ln.is site does currently collect quite a bit of tracking data - i.e. the referring domain & URL you used to reach their site, which is stored in a cookie along with a unique ID which could be used to identify your subsequent visits.
Interesting, the ln.is homepage currently contains a banner across the top of its site stating "Linkis got suspended and requires your help. Dear friends. Since 12 of May 2017 Linkis is being suspended due to some misunderstanding. Now we need your help to get it back online. We believe that with your help we can restore its usual flow."
It looks like Twitter have blocked their service! Their blog plays this down (see blog.linkis.com/2017/06/02/we-need-you-to-help-to-get-linkis-back-to-work/), although it's possible that Twitter have blocked their links because they were "cloaking" links/collecting data/operating maliciously.
My advice to platforms:
1) Don't use a URL shortening service to link to your site
2) Add code to your site to ensure that it can't be "framed" by other web sites (this is a simple 1-line of JavaScript that will automatically break your site out from any frames)
My advice to everyone else:
1) Be very wary of URL shortening services - avoid clicking such links if you can help it (or go to the home page of the URL shortening service - some provide tools allowing you to see where a short URL points to, without you actually having to visit the link)
2) If a platform is advertising something on social media with a shortened URL, where possible, manually go to their website and locate the page they're referring to instead of clicking the link
Hope that helps!
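
On the advice to platforms about not being "framed": as an added example (not part of the original posts), the function below reads a response's X-Frame-Options and CSP frame-ancestors headers, which is the header-based way of refusing framing rather than the JavaScript approach mentioned above, and reports whether a framing origin such as ln.is could still embed the page. The site platform.example, the function names and the header sets are constructed for illustration; it assumes a single policy header, a single framing parent, and evaluates only a subset of CSP source expressions.

```javascript
// Added example. Header names must be lower-cased by the caller.
// Verdicts: 'allowed', 'blocked', or 'needs-review' for source expressions
// this simplified matcher does not evaluate (wildcard hosts, bare hosts, schemes).
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null; // directive absent
}

function framingVerdict(headers, pageUrl, framingUrl) {
  const page = new URL(pageUrl).origin;
  const framer = new URL(framingUrl).origin;
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present, browsers enforce it and ignore X-Frame-Options.
    let unsure = false;
    for (const raw of sources) {
      const s = raw.toLowerCase();
      if (s === "'none'") continue;
      if (s === '*') return 'allowed';
      if (s === "'self'") {
        if (framer === page) return 'allowed';
      } else if (/^https?:\/\/[^*]+$/.test(s)) {
        const o = new URL(s).origin;
        // An http: source also matches the same host over https.
        if (o === framer || o.replace(/^http:/, 'https:') === framer) return 'allowed';
      } else {
        unsure = true;
      }
    }
    return unsure ? 'needs-review' : 'blocked';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return framer === page ? 'allowed' : 'blocked';
  return 'allowed'; // header absent, or a value browsers ignore (e.g. ALLOW-FROM)
}

// Constructed inputs: platform.example is a placeholder site, ln.is is the framing service.
const PAGE = 'https://platform.example/login';
const FRAMER = 'http://ln.is/';
console.log({
  noHeaders: framingVerdict({}, PAGE, FRAMER),
  xfoDeny: framingVerdict({ 'x-frame-options': 'DENY' }, PAGE, FRAMER),
  cspSelf: framingVerdict({ 'content-security-policy': "frame-ancestors 'self'" }, PAGE, FRAMER),
});
```

A page that returns 'allowed' with no headers at all is one that a cloaking service can wrap in a full-page iframe.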