URL shortening services are ubiquitous nowadays, and I agree that there are many benefits to having a short link rather than a long and sometimes meaningless URL. However the fact that links to potentially dangerous sites can now easily be obfusticated makes URL shortening a very dangerous thing when put into the hands of the wrong people.
Specifically, the widespread use of URL shortening services means that users can no longer quickly eyeball links to make sure they don’t lead to malware or virus sites. In my opinion this is a major problem that gives writers of online exploits a huge advantage.
Sites that make heavy use of URL shortening services such as Twitter have tried to institute changes to how shortened links are displayed, but this is easily circumvented by spammers or even accidentally.
The problem with URL shortening is that it obscures the target address, and so can be used to redirect to an unexpected site which can contain viruses or other exploits. New URL shortening services spring up all the time, including services specifically designed by malware creators. When one of these fly-by-night shortening services is used, then the full destination URL will not be shown in on mouseover of a link. At that point the URL has been successfully hidden. This is a plus for malware creators since they rely on volume and people making careless clicks, so when their malicious links have been obscured they will expect to get more hits by unsuspecting users.
My question is: do the pros outweigh the cons?
Kaspersky security reports indicate that the number of browser-based malware attacks have increased exponentially since 2007. To quote numbers from a 2010 Kaspersky article: in 2007, a total of 23,680,646 attacks were recorded against KSN users, however in 2010 it skyrocketed to 580,371,937! From events of 2011 it looks like this year the total attack numbers will make the 2010 numbers look very small by comparison.
In this article I will alternate usage of shortened URLs that link to Web-based exploits with cloaked URL and poisoned link.
Potential Intrusion Vectors
In general I am very reluctant to click on shortened links for obvious reasons. There are services that re-expand shortened links such as browser add-ons or Web services, but most of these are awkward, limited to a specific browser, and take effort to use.
Currently here are the most prominent dangers presented by shortened URLs:
- Seemingly legitimate links can actually end up being cloaked links that point to Phishing sites to obtain user data through mocked-up forms and functionality
- Again, legitimate-looking links can be cloaked to point to sites that exploit browser vulnerabilities in order to implant a host of nasty software such as viruses, keyloggers and other malware
- Spammers can use cloaked URLs to bypass spam filters
Exposure Mitigation
I mostly use a service offered by LongUrl.org, which provides a simple but powerful Web-based interface for re-expanding shortened URLs regardless of how many levels deep they have been shortened. The problem is that this takes some effort that may seem like a waste of time for most users, and is not a viable option for users of mobile devices.
The major URL shortening services like TinyUrl.com and Bit.ly now try to help users by offering preview features in various ways but these are inconsistent, do not address nested shortened links, and are not convenient for the the average user.
AVG offers a free solution for PCs called AVG Linkscanner with their software to help hunt down poisoned links using an extension to their AntiVirus software. AVG promises that this add-on for IE, Chrome and FireFox works quietly in the background and does not use a large amount of system resources, which is great in my mind. The Linkscanner tool promises to scan any Web page a user intends to go to before the user gets there, and to stop rendering of the destination page if it is deemed to be unsafe. In my opinion a tool like AVG Linkscanner should be on any Web-enabled devices as final line of defence against malicious links.
As well, a variety of browser add-ons have been developed that attempt to trace the full URL such as Unshorten.it for FireFox and ViewThru for Chrome. The problem is that these tools can’t easily keep up with the sheer number of new URL shortening services that exist and that are constantly being created, including shortening services by malware creators.
So What Does All of this Mean?
There are a myriad of services and software solutions available to decode shortened URLs. The problem is that most users are not computer literate or motivated enough to realize the danger, and so most of the time the purveyors of malware and poisoned links have and will continue to have a huge pool of targets.
Some further bad news is that now spammers and malware creators are making their own URL shortening services which allow them to create what look like legitimately shortened links from reputable services, but which in fact are malicious and can link to exploits that can cause all sorts of havoc with a user’s system.
A growing problem that will increase in visibility in the coming years is related to the rise of smart-phones and Web-enabled devices. Checking for poisoned links is much more difficult on a mobile device than it is on a PC. In fact most users think that mobile devices are immune for various incorrect reasons. As of 2011 there has been a significant rise in the number of reported exploits targeting mobile devices, which is a trend that will only get worse as mobile devices continue to be rapidly adopted. This is a significant problem since the major banks and mobile OS manufacturers are beginning to heavily promote mobile device -based transactions and banking.
As an example, see the following link for an example article by Kaspersky outlining new exploits targeting Android based devices. Exploits targeting mobile OSs such as Android and iOS are rapidly growing in number and will continue to grow in danger as these devices become more integral to people’s lives and finances.
Further Reading
- Yahoo! News – Defend your data: 5 online security don’ts
- TechRepublic – URL shortening: Yet another security risk
- Post-Gazette.com – URL shortening services can raise issues that are big trouble
- WindowSecurity.com – Determining If You are Actively Being Compromised
- Kaspersky Security Bulletin 2010. Statistics, 2010
- Kaspersky Lab July 2011 malware report released – Cybercriminals release new ‘spy’ for Android
- Infosecurity-Magazine.com – URL shortening services under major attack says Symantec
- ComputerWorld.com – Spammers create their own URL shortening services
- InfosecIsland.com – Federal Cyber Security and Short URL Vulnerabilities
Justin Cooney 
Ohh Great ! This something new and i have bookmarked longurl now only .
Just one question Justine dont we have this check in Clicking Site only .
For Eg: Twitter most used short URL so can we build some short service to validate URL itself i know sounds crazy but is there something which is alredy availabel !!
Hi Vishal, I’m glad you found the article interesting and bookmarked longurl.com! I like the scope of services that longurl.com supports, basically providing an API for multiple URL shortening services.
Yes you are right, there are services that validate URLs and/or try to follow the shortened URLs to display the original URL like the AVG LinkScanner plugin, or Unshorten.it for FireFox and ViewThru for Chrome. The problem is that these tools can’t easily keep up with the sheer number of new URL shortening services that exist and that are constantly being created, including shortening services by malware creators.
An inetllgient point of view, well expressed! Thanks!
I’m glad you found the article interesting, thanks for your feedback!
Could not the browsers simply follow the redirects and show you the final destination for any URL? You won’t be able to hover on a link and get an immediate URL (given lookup delays), but that seems acceptable.
I don’t see that shortening is a unique problem here given that any URL can be redirected and lead to a malicious site. Redirection is done by the browser as well, so ultimately the browser sees the final URL and can invoke any of its malicious site checks at that point, or anywhere along the way.
Hi, thanks for your feedback!
The problem with URL shortening is that it obscures the target address, and as a result, can be used to redirect to an unexpected site which can contain viruses or other exploits. New URL shortening services spring up all the time, including services specifically designed by malware creators. When one of these fly-by-night shortening services is used, then the full destination URL will not be shown in on mouseover so at that point the URL has been successfully hidden. This is a plus for malware creators since they rely on volume and people making careless clicks, so when their links have been obscured they will expect to get more hits by unsuspecting users.
Definitely, as you say, the browser has the final responsibility of loading the site. There are several points where the browser can be hijacked, starting with the URL passed to the browser.
So I’m not saying that URL shortening is the complete problem, but that it is an often used way for pointing people to sites containing exploits, etc.
Malware creators will get hits even when the full URL is displayed when one mouses over a link based on sheer numbers. Obfusticating the link just increases the chance that someone will innocently click on a link that looks interesting but that contains an exploit. I know a lot of problems happen this way with popular discussion forums where someone will post a link to seemingly related content, but that actually points to an exploit site.
Also as you mentioned, the browser can invoke site checks when the URL is passed along. The AVG LinkScanner plugin is a great addon that does just that. Also some good addons exist like Unshorten.it for FireFox and ViewThru for Chrome. However exploit writers are quite familiar with these and are constantly working to bypass such checks in order to infect a system.
Interesting article. Indeed it turns out to be an issue.
Glad you found the article interesting! Yes, I definitely think it’s a growing problem. There’s been a huge rise in hacking attacks in the past year, and URL obfustication is just another way to compromise a system. The attacks against smart devices are on the rise these days as more people start integrating their phones with banking, so it’s not just people with PCs at risk.
Hi! I just wanted to ask if you ever have any trouble with hackers?
My last blog (wordpress) was hacked and I ended up
losing a few months of hard work due to no back up. Do
you have any solutions to protect against hackers?