I’m Not a Security Practitioner But I Play One on LinkedIn: Investigating LinkedIn’s “Possible malicious content” Flagging

TL;DR: When Nagomi emerged from stealth in April, we noticed that any time we linked to nagomi.security on LinkedIn, it would be flagged as “Possible Malicious Content.” Here’s why and how the issue was resolved. And some interesting findings…

Disclaimer: The Author Isn’t a Security Practitioner.

I’ve worked at several cybersecurity companies, but I’m not a researcher, engineer, or any flavor of legitimate security practitioner. I was a developer back in the stone age (early 2000s), but I don’t claim any expertise whatsoever. There’s a high probability that I’ll get some stuff wrong, so I figure I should start with that.

Possible Malicious Content: A Not-So-Great Look for a Cybersecurity Company

If you’ve ever launched a company and its website from stealth, you’d know that it’s a lot like a duck swimming. On the surface it looks calm and natural. Underneath it’s web-footed chaos.

Gif of a website launch.

But this one was actually pretty straightforward with very few hiccups. In fact, I remarked that this was one of the easiest site launches I’ve ever done. Which is why the next part happened. The universe loves a gloater.

Right after launching the site, I launched our LinkedIn page. And immediately I noticed something weird: as soon as I put in nagomi.security as our site URL and URL for a CTA button, I saw that the URL was overwritten and went to:

And after playing around a bit, I noticed that ANY .security TLD was getting overwritten. But that didn’t make sense…there are plenty of companies that have .security domains….

I then saw that any time we posted from the Nagomi Security LinkedIn page, if we linked to, say:

https://nagomi.security/what-is-credential-stuffing-and-how-can-cybersecurity-teams-use-existing-tools-to-minimize-the-threat/

Clicking that link would result in:

Why Is LinkedIn Marking Our Domain as Possibly Malicious?

I reached out to LinkedIn support about the issue and got the following reply (and quickly):

Going to VirusTotal, we saw:

Two security tools listed in VirusTotal dinged us for having a “newly registered domain name”. Although the domain was registered in January….

…I guess “newly registered” is subjective.

We then reached out (via form fills) to the 2 vendors to get out of domain jail. Meanwhile….

Hey! Look!! I Found A Workaround!!

Filling out forms isn’t exactly the most urgent path to getting a problem solved, so in the meantime we needed to share our content and build a following for our LinkedIn page. I found a couple of workarounds – each with quirks.

Workaround 1: A .com Domain Forwarding to the .security Domain

A few days before registering nagomi.security, we registered nagomisecurity.com

That domain just forwards to nagomi.security, so if we want to promote the blog post that’s at:

https://nagomi.security/what-is-credential-stuffing-and-how-can-cybersecurity-teams-use-existing-tools-to-minimize-the-threat/

we could just use:

https://nagomisecurity.com/what-is-credential-stuffing-and-how-can-cybersecurity-teams-use-existing-tools-to-minimize-the-threat/

It works, but it’s kind of long. LinkedIn uses its own URL shortener, so the long URL above would end up being: https://lnkd.in/eJUbqRtt. Problem solved, but that’s odd. LinkedIn is okay with a URL that forwards to a domain flagged in VirusTotal. So wait…what about…

Workaround 2: A Bitly URL

If LinkedIn is cool with a redirect, then would they allow a URL shortener like bit.ly?

Yep! When you buy a bit.ly subscription, you get a new domain registration.

On April 23rd, while still serving our sentence in new URL jail, I registered nagomi.ws and then started creating shortlinks to nagomi.security. It works every time. Here: https://nagomi.ws/youre-so-vain. That goes to my LinkedIn profile. This one goes to our super popular credential stuffing blog post: https://nagomi.ws/4bjnnga

The Resolution

On April 29th, I got the following message:

24 hours after being cleared by VirusTotal, LinkedIn should drop the warning. Then, on May 20th, I checked VT and we were clear! But we were still being flagged as malicious. I reached out to LinkedIn and let them know that although we were clear in VirusTotal, our links were still getting marked as possible malicious content.

Then, the next day I got a message:

I looped in our Trust and Safety and they let me know the website link was caught by one of our security vendors but has been cleared since.

Fixed!

A highly specific Monopoly card.

What Did We Learn?

First, LinkedIn uses VirusTotal to check links and if any vendor on VT says you’re a potential problem, you get flagged. So if you’re emerging from stealth and plan to use LinkedIn, check VirusTotal before launch. It might take a while to get cleared.

Second, register your domain months before you plan on launching. You can get dinged for a “new domain” even when your domain is hundreds of days old…..

….unless

Unless you want to use a brand new forwarding domain like bit.ly. Not only does that skip the “newly registered domain” issue, it allows you to forward to any domain you want! Which begs the question: does LinkedIn have a suppression list for domains so that if they’re known to be owned by a URL shortening service they skip the VirusTotal check?
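As an added example (not from this post, and not a description of how LinkedIn’s scanner actually works), here is how a link-reputation check could close the gap described above: resolve the whole redirect chain and score every hostname in it, instead of only the URL that was pasted. The redirect map and the reputation table are constructed stand-ins for live HTTP 30x responses and VirusTotal verdicts; the `short.example` and `loop.example` hostnames are placeholders.

```python
from urllib.parse import urlparse

# Constructed redirect map standing in for live HTTP 30x responses.
# "short.example" plays the role of a generic URL shortener (placeholder host).
REDIRECTS = {
    "https://nagomisecurity.com/post": "https://nagomi.security/post",
    "https://short.example/abc": "https://nagomisecurity.com/post",
    "https://loop.example/a": "https://loop.example/b",  # deliberate loop
    "https://loop.example/b": "https://loop.example/a",
}

# Constructed stand-in for a reputation lookup (e.g. VirusTotal vendor verdicts):
# hostname -> set of vendor labels. Only the .security domain carries a flag.
REPUTATION = {
    "nagomi.security": {"newly registered domain"},
}

MAX_HOPS = 10  # bound the walk so a redirect chain cannot run forever


def resolve_chain(url, redirects=REDIRECTS, max_hops=MAX_HOPS):
    """Return every URL visited, starting with `url`, until the chain ends,
    a loop is detected, or the hop limit is reached."""
    chain, seen = [url], {url}
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in seen:
            break  # redirect loop: stop rather than spin
        chain.append(url)
        seen.add(url)
    return chain


def first_hop_only(url, reputation=REPUTATION):
    """The weak check: look up only the hostname of the submitted URL."""
    return bool(reputation.get(urlparse(url).hostname))


def score_link(url, redirects=REDIRECTS, reputation=REPUTATION):
    """The hardened check: score every hostname along the redirect chain,
    so a shortener or forwarding domain in front of a flagged host is caught."""
    chain = resolve_chain(url, redirects)
    hosts = [urlparse(u).hostname for u in chain]
    flagged = {h: sorted(reputation[h]) for h in hosts if reputation.get(h)}
    return {"chain": chain, "flagged": flagged, "blocked": bool(flagged)}


if __name__ == "__main__":
    link = "https://short.example/abc"
    print("first hop only ->", first_hop_only(link))   # False: shortener looks clean
    print("full chain     ->", score_link(link))        # blocked: nagomi.security in chain
```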

Thirdly, LinkedIn support was very helpful, super responsive, and without their escalation path I don’t think the issue would have resolved itself. It’s not their fault that VT marked us as potentially malicious, and as soon as they saw we were in the clear, they let us out of jail immediately. Kudos to them!

Fourthly and finalthly – This security research stuff is fun! I’m not going to quit my day job, but I see why people love going down the rabbit hole. And if you’ve made it this far, thanks for reading…and please let me know what I got wrong. I’m sure there are errors. Just not the word “finalthly”. That’s correct.


I’m Nate

Nathan Burke

Welcome to my site. I’m going to start blogging at least 3x per week as I get back into the habit of writing. Expect a combination of cybersecurity, sports, AI, and more.
