Threats Posed by URL Shorteners

4 10 2011

About to click a shortened URL that a friend posted on Twitter? Think again. Because the real URL is hidden, you may be led to a fake website and only realise it is spam or malware once it is too late; the chance of infection is higher with shortened links precisely because the destination cannot be seen in advance. First, why URL shortening exists at all: it is frustrating when you cannot post a long URL on Twitter, a short-messaging site that limits a post to 140 characters. Long URLs are in general awkward to share and may break across lines in emails[4]. This led various vendors to offer free URL-shortening services.

The catch is that URL shorteners are free for attackers as well, and can be used to hide a malicious destination address behind the short link. You are less likely to click the full URL of a malicious website than a shortened URL for the same site, which may look perfectly genuine. An incident in which attackers used the Google shortener goo.gl to spread malware on Twitter is discussed in this link. Ben Schmidt, a computer-science major at the University of Tulsa, demonstrated how easily a DDoS (Distributed Denial of Service) attack can be mounted by building his own URL shortener: the victim only has to follow a link, and no software needs to be downloaded[3]. Another kind of attack is a fake URL shortener, which returns a malicious shortened URL for the genuine URL that a legitimate user submitted.

This issue was raised in McAfee's threat predictions for 2011, which predict that the growing use of URL shorteners on social media sites such as Facebook and Twitter will help attackers lead unsuspecting people to websites hosting malware. The report also gives a figure of 3,000 shortened URLs generated per minute, a large number of which may be used for malicious purposes[1]. In the context of these threats McAfee has recently launched its own URL shortener, http://mcaf.ee/, which it claims uses its Global Threat Intelligence to warn users when a link leads to a malicious website.

There are quite a few websites providing free URL shorteners. I performed a small exercise in which I took a lengthy URL from www.amazon.com and shortened it using a few popular URL shorteners. Let us look at how we can safely shorten our URLs before sharing them with others.

  1. In the case of http://tinyurl.com/, the site gives users two options for short URLs that can be shared with people. The first is a plain shortened URL (http://tinyurl.com/3toahum). The second is 8 characters longer and is a preview URL, which leads to a TinyURL page showing the full-length URL. There the user can verify the full URL and then choose whether to go to the proposed link.
  2. Using http://mcaf.ee/#, McAfee's URL shortener, the shortened URL I got was http://mcaf.ee/g0ktc. There were no additional options available to users. I think the idea is that McAfee will detect and warn the user if the URL leads to a malicious website.
  3. https://bitly.com/ lets users customize the second part of the shortened URL. For some destinations the first part is a branded short domain that identifies the destination website. In this example, since I used a link to www.amazon.com, the shortened URL was http://amzn.to/o8yQiX. However, I have the option to customize the second part and can change it to http://amzn.to/forinfsecblog to reflect the site it refers to more accurately. This adds details that let recipients identify the link as the genuine, trustworthy URL they are expecting.

In conclusion, TinyURL and bitly offer some measures that can be taken when creating a short URL to assure recipients that it is trustworthy and genuine, and to help them distinguish good links from malicious ones.

Now let us look at it from the other end. Imagine you have received a shortened URL and want to follow it. Below are some measures you can take to verify where the link really leads[2].

  1. Hover over the shortened link to see whether the full URL is displayed. In Twitter, for instance, the full URL is revealed when you hover over the link. Browser plugins offer similar functionality for other websites.
  2. Websites such as http://www.unshorten.com/ and http://www.findhiddenurl.com/ display the full-length URL so the user can verify it before visiting.
  3. Users can also paste the shortened URL into a search engine to find information about the destination site before deciding whether to visit it.
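As an added example (not code from the original post or from any of the services named above), the following Python script does locally what the unshortening sites in step 2 do: it follows the HTTP redirects from a short link one hop at a time with HEAD requests, never loading the destination page, and reports the full chain together with a few warning signs worth noticing before clicking. The `.example` hostnames and the `FAKE_RESPONSES` table are constructed so that the demo runs offline; pass a real short URL to `unshorten()` to use it against a live link.

```python
"""Added example: resolve a shortened URL one redirect hop at a time.

Unshortening services and browser hover previews work by following the
HTTP redirect from the short domain without loading the final page.  This
script does the same thing with HEAD requests, records the whole redirect
chain, and flags a few things worth looking at before clicking.
All hostnames used in the built-in demo are constructed (.example domains).
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so every hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """One HEAD request; returns (status, Location header or None).

    With redirects suppressed, urllib raises HTTPError for a 3xx response,
    so both branches return the same shape.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(
        url, method="HEAD", headers={"User-Agent": "unshorten-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def unshorten(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow redirects from `url`; return the list of URLs visited.

    The last element is the real destination.  Raises ValueError on a
    redirect loop or when more than `max_hops` redirects are seen; both
    are themselves reasons not to click.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if not (300 <= status < 400 and location):
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects from %s" % (max_hops, url))


def describe(chain):
    """Summarise a resolved chain the way a preview page would show it."""
    final = urlsplit(chain[-1])
    host = final.hostname or ""
    warnings = []
    if final.scheme != "https":
        warnings.append("final destination is not HTTPS")
    try:
        ipaddress.ip_address(host)
        warnings.append("destination host is a bare IP address")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if len(chain) > 2:
        warnings.append("%d redirects before the destination" % (len(chain) - 1))
    return {"final": chain[-1], "host": host,
            "hops": len(chain) - 1, "warnings": warnings}


# Constructed responses standing in for a real shortener, so the demo runs
# offline.  Format: url -> (status, Location header).
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "http://other.example/go"),
    "http://other.example/go": (302, "/landing?id=1"),   # relative Location
    "http://other.example/landing?id=1": (200, None),
    "http://short.example/ip": (302, "http://203.0.113.5/pay"),
    "http://203.0.113.5/pay": (200, None),
    "http://short.example/loop1": (301, "http://short.example/loop2"),
    "http://short.example/loop2": (301, "http://short.example/loop1"),
}


def fake_head(url):
    """Offline stand-in for http_head, answering from FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    for short in ("http://short.example/abc", "http://short.example/ip",
                  "http://short.example/loop1"):
        try:
            print(short, "->", describe(unshorten(short, fetch=fake_head)))
        except ValueError as err:
            print(short, "-> refused:", err)
```

A preview obtained this way shows what the shortener returned to this client at this moment. A malicious redirector can hand a script a different Location than it hands a browser (for example by inspecting the User-Agent), which is one reason to prefer the shortener's own preview feature where one exists, and to treat a chain that passes through several unrelated domains with suspicion.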

I believe that users do not have to shy away from using shortened URLs, as they are very convenient and overcome some of the problems of lengthy URLs. However, we certainly need to exercise some due diligence on our part to ensure we are not being misled.

__________________

[1] http://ilookbothways.com/2011/01/08/mcafee-threat-predictions-for-2011-geolocation-mobile-devices-and-apple-will-be-top-targets/

[2] http://www.earthlinksecurity.com/articles/shortened_links_safety/index.html

[3] https://www.infosecisland.com/blogview/10442-DDoS-Attacks-Possible-via-URL-Shortener.html

[4] http://ilookbothways.com/2010/02/11/mitigate-risks-when-using-shortened-url%e2%80%99s/
