URL shortening services are ubiquitous nowadays, and I agree that there are many benefits to having a short link rather than a long and sometimes meaningless URL. However, the fact that links to potentially dangerous sites can now easily be obfuscated makes URL shortening a very dangerous thing when put into the hands of the wrong people.
Specifically, the widespread use of URL shortening services means that users can no longer quickly eyeball links to make sure they don’t lead to malware or virus sites. In my opinion this is a major problem that gives writers of online exploits a huge advantage.
Sites that make heavy use of URL shortening services, such as Twitter, have tried to change how shortened links are displayed, but these changes are easily circumvented by spammers, or even by accident.
The problem with URL shortening is that it obscures the target address, and so can be used to redirect to an unexpected site which can contain viruses or other exploits. New URL shortening services spring up all the time, including services specifically designed by malware creators. When one of these fly-by-night shortening services is used, the full destination URL will not be shown on mouseover of a link. At that point the URL has been successfully hidden. This is a plus for malware creators, since they rely on volume and on people making careless clicks: once their malicious links have been obscured, they expect to get more hits from unsuspecting users.
My question is: do the pros outweigh the cons?
Kaspersky security reports indicate that the number of browser-based malware attacks has increased exponentially since 2007. To quote numbers from a 2010 Kaspersky article: in 2007, a total of 23,680,646 attacks were recorded against KSN users; in 2010, however, it skyrocketed to 580,371,937! From events of 2011 it looks like this year the total attack numbers will make the 2010 numbers look very small by comparison.
In this article I will use the terms "cloaked URL" and "poisoned link" interchangeably for shortened URLs that link to Web-based exploits.