Security

URL shortening: Yet another security risk

URL-shortening services such as TinyURL and Bit.ly are becoming popular attack vectors. You may not want to automatically click on the shortened URL after you read this.

Originally, the process of URL shortening was developed to avoid broken URLs in e-mail messages. The increased popularity of instant messaging (IM) and Twitter has escalated the use of URL-shortening services like TinyURL and Bit.ly, especially Twitter with its 140 characters per message limit.

How they work

TinyURL, Bit.ly, and other Web sites that offer URL shortening are similar in how they work. All that's required is to:

  1. Go to the respective Web site.
  2. Copy/paste the actual URL into the appropriate field.
  3. Click on Shorten if you want the Web site to append a generic ending on the URL.
  4. If a custom URL is desired, enter your chosen ending and then click on Shorten.

Presto, you have a new shortened URL, as shown below.

From the slide you can see that the finished URL has little meaning and isn't visually related in any way to the official URL.

Potential phishing method

As with many applications that are helpful to normal law-abiding users, attackers and spammers tend to leverage that same usefulness for ill-gotten gain. URL-shortening services provide attackers and spammers with the following options:

  • Allow spammers to side step spam filters as domain names like TinyURL are automatically trusted.
  • Prevent educated users from checking for suspect URLs by obfuscating the actual Web-site URL.
  • Redirect users to phishing sites in order to capture sensitive personal information.
  • Redirect users to malicious sites loaded with drive-by droppers, just waiting to download malware.

As you can see, there are all sorts of opportunities for misuse, just because the victim has no idea where the shortened URL is pointing.

An example

Trend Micro has been very active in researching this particular attack vector and the following slides are borrowed from their Web site. The example uses a typical scam e-mail message to send the message recipient a bogus link. The first slide is the phishing e-mail message:

You may have noticed that the e-mail message displays the actual link instead of a truncated version. Attackers are cognizant of the fact that we as users are constantly told to copy and paste the URL into the browser instead of clicking on the link. So they use extremely long URLs, making the copy/paste as difficult as possible. Come on, why not click on the link, the URL looks right.

Power users who are a bit more paranoid may also check out the link's properties to see if the advertised URL makes any sense. That's why attackers now go through the additional effort to use services like Bit.ly and TinyURL. As it prevents the user from truly knowing where the link is pointing. Talk about cat and mouse.

The next slide shows the Web site the link points to and even though the Web site is a fake one, it's a fairly accurate representation of the bank's actual Web site:

So, if the victim is fooled, important log in information more than likely will be captured by the phisher.

That's old news

I dare say that most users aren't going to fall for the IM or e-mail message phishing exploit, even with the use of shortened URLs. Bad types know that as well and are shifting gears by leveraging the increased use of Twitter. Shortened URLs in tweets (Twitter messages) are so common place; it's almost an automatic response to click on them, which is exactly what a phisher/attacker wants.

Even better yet, many people use Twitter on their computers. Making URL-shortened links a simple yet effective way to send the computer to a phishing or malicious Web site without the user knowing what's going on. Not to be overly pessimistic, but security experts say it's only a matter of time before SMS-enabled phones will be exploited in the same manner.

There's hope

Every day, I get dozens of tweets that have shortened URLs. I twinge a bit; yet usually click on them if I want to learn more. I already know what you are going to say. I picked the sources that I want to follow, so I should trust them. Yes, No, Maybe?

Well, I'm happy to say that I know of at least two URL-shortening Web sites that offer a preview feature. This means the user can make an educated choice of whether to go to the link or not, because the full-length URL is displayed.

TinyURL preview feature

To initiate TinyURL's preview all that's required is to start your computer or smart phone's Web browser, go to TinyURL's Web site, and enable the preview opt-in feature. After that every time a TinyURL link is clicked, the browser immediately goes to a preview Web page like the one shown next:

TinyURL's preview didn't work when I used any of the Twitter client applications for my iPhone. For example, when I clicked a TinyURL link in Tweetie, it opened Safari and went straight to the linked Web page. That's not good, I'll have to remember to only open links in the SMS application.

Bit.ly preview feature

Bit.ly uses a slightly different approach. They have created an add-on for Firefox. Once it's installed, hovering over the URL-shortened Bit.ly link will open a window displaying the full-length URL. The add-on is still experimental, so before you can install it, you are required to log into the Mozilla Web site.

Previewing Bit.ly's shortened URLs on smart phones is a bit more complicated as Firefox is required. I know Firefox has a mobile Web browser for Windows Mobile 6, but I'm not using any Windows-based smart phones. So I'd appreciate hearing from you as to whether the Bit.ly preview works in the mobile Firefox browser or not.

Final thoughts

Many industry pundits say that we shouldn't click on active links, whether they're in e-mail messages, IM messages, or tweets. That's an unrealistic expectation; so just make sure to approach links (especially those with shortened URLs) with caution. If possible, use one of the preview features to check out the link first.

Remember when I mentioned that I should trust the sources that I'm following? Well, I'm researching another interesting twist to the URL-shortening attack vector. It seems that SMS spoofing sites can be used by attackers to send tweets that appear to be coming from someone that you are following. Stay tuned to find out what that means.

"Need to know" security news and advice delivered each Tuesday, TechRepublic's IT Security newsletter gives you the hands-on advice you need for locking down your systems and making sure they stay that way. Automatically sign up today!

About

Information is my field...Writing is my passion...Coupling the two is my mission.

Editor's Picks