URL shortening services are ubiquitous nowadays, and I agree that there are many benefits to having a short link rather than a long and sometimes meaningless URL. However, the fact that links to potentially dangerous sites can now easily be obfuscated makes URL shortening a very dangerous thing when put into the hands of the wrong people.
Specifically, the widespread use of URL shortening services means that users can no longer quickly eyeball links to make sure they don’t lead to malware or virus sites. In my opinion this is a major problem that gives writers of online exploits a huge advantage.
Sites such as Twitter that make heavy use of URL shortening services have tried to change how shortened links are displayed, but this is easily circumvented by spammers or even accidentally.
The problem with URL shortening is that it obscures the target address, and so can be used to redirect to an unexpected site which can contain viruses or other exploits. New URL shortening services spring up all the time, including services specifically designed by malware creators. When one of these fly-by-night shortening services is used, the full destination URL will not be shown on mouseover of a link. At that point the URL has been successfully hidden. This is a plus for malware creators since they rely on volume and people making careless clicks, so when their malicious links have been obscured they will expect to get more hits by unsuspecting users.
My question is: do the pros outweigh the cons?
Kaspersky security reports indicate that the number of browser-based malware attacks has increased exponentially since 2007. To quote numbers from a 2010 Kaspersky article: in 2007, a total of 23,680,646 attacks were recorded against KSN users; in 2010, however, the total skyrocketed to 580,371,937! From events of 2011 it looks like this year the total attack numbers will make the 2010 numbers look very small by comparison.
In this article I will use the terms "cloaked URL" and "poisoned link" interchangeably to mean shortened URLs that link to Web-based exploits.
Potential Intrusion Vectors
In general I am very reluctant to click on shortened links for obvious reasons. There are services that re-expand shortened links such as browser add-ons or Web services, but most of these are awkward, limited to a specific browser, and take effort to use.
Currently, the most prominent dangers presented by shortened URLs are:
- Seemingly legitimate links can actually end up being cloaked links that point to phishing sites to obtain user data through mocked-up forms and functionality
- Again, legitimate-looking links can be cloaked to point to sites that exploit browser vulnerabilities in order to implant a host of nasty software such as viruses, keyloggers and other malware
- Spammers can use cloaked URLs to bypass spam filters
I mostly use a service offered by LongUrl.org, which provides a simple but powerful Web-based interface for re-expanding shortened URLs regardless of how many levels deep they have been shortened. The problem is that this takes some effort that may seem like a waste of time for most users, and is not a viable option for users of mobile devices.
The major URL shortening services like TinyUrl.com and Bit.ly now try to help users by offering preview features in various ways, but these are inconsistent, do not address nested shortened links, and are not convenient for the average user.
AVG offers a free solution for PCs called AVG Linkscanner, an extension to their AntiVirus software that helps hunt down poisoned links. AVG promises that this add-on for IE, Chrome and Firefox works quietly in the background and does not use a large amount of system resources, which is great in my mind. The Linkscanner tool promises to scan any Web page a user intends to go to before the user gets there, and to stop rendering of the destination page if it is deemed to be unsafe. In my opinion a tool like AVG Linkscanner should be on any Web-enabled device as a final line of defence against malicious links.
As well, a variety of browser add-ons have been developed that attempt to trace the full URL, such as Unshorten.it for Firefox and ViewThru for Chrome. The problem is that these tools can’t easily keep up with the sheer number of new URL shortening services that exist and that are constantly being created, including shortening services by malware creators.
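As an added illustration (not code from LongUrl.org or any other tool named in this article), the Python below re-expands a nested shortened link one hop at a time using HEAD requests, so the destination page is never downloaded or rendered, and it stops on redirect loops or overly long chains. The `.example` host names and the `SAMPLE` table are constructed for the example.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def head_location(url, timeout=5):
    """Send one HEAD request and return the redirect target, or None.
    Nothing is followed automatically and no page body is downloaded."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("refusing non-HTTP scheme: " + parts.scheme)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if resp.status in REDIRECT_CODES else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=10):
    """Return every URL in the redirect chain, starting with `url`.
    Raises ValueError on a redirect loop or more than max_hops redirects."""
    chain = [url]
    while True:
        target = fetch(chain[-1])
        if not target:
            return chain
        target = urljoin(chain[-1], target)  # Location may be relative
        if target in chain:
            raise ValueError("redirect loop at " + target)
        if len(chain) > max_hops:
            raise ValueError("more than %d redirects" % max_hops)
        chain.append(target)

def final_host(chain):
    """Host name the user would actually land on."""
    return urlsplit(chain[-1]).hostname

# Constructed sample: a link shortened twice (nested), then a relative redirect.
SAMPLE = {
    "http://short-a.example/x1": "http://short-b.example/y2",
    "http://short-b.example/y2": "http://destination.example/login",
    "http://destination.example/login": "/login/form",
}
```

Calling `expand("http://short-a.example/x1", fetch=SAMPLE.get)` walks the constructed table offline; omitting `fetch` makes real HEAD requests instead.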
So What Does All of this Mean?
There are a myriad of services and software solutions available to decode shortened URLs. The problem is that most users are not computer literate or motivated enough to realize the danger, and so most of the time the purveyors of malware and poisoned links have and will continue to have a huge pool of targets.
Some further bad news is that now spammers and malware creators are making their own URL shortening services which allow them to create what look like legitimately shortened links from reputable services, but which in fact are malicious and can link to exploits that can cause all sorts of havoc with a user’s system.
A growing problem that will increase in visibility in the coming years is related to the rise of smart-phones and Web-enabled devices. Checking for poisoned links is much more difficult on a mobile device than it is on a PC. In fact most users think that mobile devices are immune for various incorrect reasons. As of 2011 there has been a significant rise in the number of reported exploits targeting mobile devices, which is a trend that will only get worse as mobile devices continue to be rapidly adopted. This is a significant problem since the major banks and mobile OS manufacturers are beginning to heavily promote mobile-device-based transactions and banking.
As an example, see the following link to a Kaspersky article outlining new exploits targeting Android-based devices. Exploits targeting mobile OSs such as Android and iOS are rapidly growing in number and will continue to grow in danger as these devices become more integral to people’s lives and finances.
- Yahoo! News – Defend your data: 5 online security don’ts
- TechRepublic – URL shortening: Yet another security risk
- Post-Gazette.com – URL shortening services can raise issues that are big trouble
- WindowSecurity.com – Determining If You are Actively Being Compromised
- Kaspersky Security Bulletin 2010. Statistics, 2010
- Kaspersky Lab July 2011 malware report released – Cybercriminals release new ‘spy’ for Android
- Infosecurity-Magazine.com – URL shortening services under major attack says Symantec
- ComputerWorld.com – Spammers create their own URL shortening services
- InfosecIsland.com – Federal Cyber Security and Short URL Vulnerabilities