
URL shortening: Yet another security risk

URL-shortening services such as TinyURL and Bit.ly are becoming popular attack vectors. You may not want to automatically click on the shortened URL after you read this.

Originally, URL shortening was developed to avoid broken URLs in e-mail messages. The increased popularity of instant messaging (IM) and Twitter has escalated the use of URL-shortening services like TinyURL and Bit.ly, especially Twitter with its 140-character limit per message.

How they work

TinyURL, Bit.ly, and other Web sites that offer URL shortening are similar in how they work. All that's required is to:

  1. Go to the respective Web site.
  2. Copy/paste the actual URL into the appropriate field.
  3. Click on Shorten if you want the Web site to append a generic ending on the URL.
  4. If a custom URL is desired, enter your chosen ending and then click on Shorten.

Presto, you have a new shortened URL, as shown below.

From the slide you can see that the finished URL has little meaning and isn't visually related in any way to the official URL.

Potential phishing method

As with many applications that are helpful to normal law-abiding users, attackers and spammers tend to leverage that same usefulness for ill-gotten gain. URL-shortening services provide attackers and spammers with the following options:

  • Allow spammers to sidestep spam filters, as domain names like TinyURL are automatically trusted.
  • Prevent educated users from checking for suspect URLs by obfuscating the actual Web-site URL.
  • Redirect users to phishing sites in order to capture sensitive personal information.
  • Redirect users to malicious sites loaded with drive-by droppers, just waiting to download malware.

As you can see, there are all sorts of opportunities for misuse, just because the victim has no idea where the shortened URL is pointing.

An example

Trend Micro has been very active in researching this particular attack vector and the following slides are borrowed from their Web site. The example uses a typical scam e-mail message to send the message recipient a bogus link. The first slide is the phishing e-mail message:

You may have noticed that the e-mail message displays the actual link instead of a truncated version. Attackers are cognizant of the fact that we as users are constantly told to copy and paste the URL into the browser instead of clicking on the link. So they use extremely long URLs, making the copy/paste as difficult as possible. Come on, why not click on the link, the URL looks right.

Power users who are a bit more paranoid may also check out the link's properties to see if the advertised URL makes any sense. That's why attackers now go through the additional effort of using services like Bit.ly and TinyURL, since doing so prevents the user from truly knowing where the link is pointing. Talk about cat and mouse.

The next slide shows the Web site the link points to and even though the Web site is a fake one, it's a fairly accurate representation of the bank's actual Web site:

So, if the victim is fooled, important login information more than likely will be captured by the phisher.

That's old news

I dare say that most users aren't going to fall for the IM or e-mail message phishing exploit, even with the use of shortened URLs. Bad types know that as well and are shifting gears by leveraging the increased use of Twitter. Shortened URLs in tweets (Twitter messages) are so commonplace that it's almost an automatic response to click on them, which is exactly what a phisher/attacker wants.

Even better yet, many people use Twitter on their computers, making URL-shortened links a simple yet effective way to send the computer to a phishing or malicious Web site without the user knowing what's going on. Not to be overly pessimistic, but security experts say it's only a matter of time before SMS-enabled phones will be exploited in the same manner.

There's hope

Every day, I get dozens of tweets that have shortened URLs. I twinge a bit, yet I usually click on them if I want to learn more. I already know what you are going to say. I picked the sources that I want to follow, so I should trust them. Yes, No, Maybe?

Well, I'm happy to say that I know of at least two URL-shortening Web sites that offer a preview feature. This means the user can make an educated choice of whether to go to the link or not, because the full-length URL is displayed.

TinyURL preview feature

To initiate TinyURL's preview all that's required is to start your computer or smart phone's Web browser, go to TinyURL's Web site, and enable the preview opt-in feature. After that every time a TinyURL link is clicked, the browser immediately goes to a preview Web page like the one shown next:

TinyURL's preview didn't work when I used any of the Twitter client applications for my iPhone. For example, when I clicked a TinyURL link in Tweetie, it opened Safari and went straight to the linked Web page. That's not good; I'll have to remember to only open links in the SMS application.

Bit.ly preview feature

Bit.ly uses a slightly different approach. They have created an add-on for Firefox. Once it's installed, hovering over the URL-shortened Bit.ly link will open a window displaying the full-length URL. The add-on is still experimental, so before you can install it, you are required to log into the Mozilla Web site.

Previewing Bit.ly's shortened URLs on smart phones is a bit more complicated as Firefox is required. I know Firefox has a mobile Web browser for Windows Mobile 6, but I'm not using any Windows-based smart phones. So I'd appreciate hearing from you as to whether the Bit.ly preview works in the mobile Firefox browser or not.
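The preview features described above show the full-length URL before the browser visits it. The following Python script, added here and not part of the original article or of any shortening service's code, does the same job by reading each redirect's Location header without following it, so a chain of shorteners is walked hop by hop and the real landing host is reported. The redirect table and hostnames in it are constructed stand-ins, not real links.

```python
"""Expand a shortened URL one redirect hop at a time (added example, not from the article)."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # shorteners often chain to each other; cap the walk


def http_hop(url):
    """One HEAD request; return its Location header, or None for a final page."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # refuse to follow; the 3xx surfaces as HTTPError below

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10):
            return None  # 2xx: nothing further to expand
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None


def expand(url, hop=http_hop, max_hops=MAX_HOPS):
    """Walk the chain; return (final_url, chain, verdict), verdict in resolved|loop|too-many-hops."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = hop(chain[-1])
        if nxt is None:
            return chain[-1], chain, "resolved"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in seen:
            return nxt, chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain[-1], chain, "too-many-hops"


def final_host(url, hop=http_hop):
    """The host the user would really land on, i.e. what a preview page shows."""
    return urlparse(expand(url, hop)[0]).hostname


# Constructed stand-in for the network (not real links) so the example runs offline.
FAKE_REDIRECTS = {
    "http://short.example/abc": "http://other-short.example/xyz",
    "http://other-short.example/xyz": "/signin",  # relative Location header
    "http://other-short.example/signin": "http://bank-login.lookalike.test/",
}

if __name__ == "__main__":
    dest, hops, verdict = expand("http://short.example/abc", hop=FAKE_REDIRECTS.get)
    print(verdict, " -> ".join(hops), "| host:", urlparse(dest).hostname)
```

With the default `http_hop` the script contacts each hop with a HEAD request but never loads the final page; a shortener that answers HEAD differently from GET would need the method changed.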

Final thoughts

Many industry pundits say that we shouldn't click on active links, whether they're in e-mail messages, IM messages, or tweets. That's an unrealistic expectation; so just make sure to approach links (especially those with shortened URLs) with caution. If possible, use one of the preview features to check out the link first.

Remember when I mentioned that I should trust the sources that I'm following? Well, I'm researching another interesting twist to the URL-shortening attack vector. It seems that SMS spoofing sites can be used by attackers to send tweets that appear to be coming from someone that you are following. Stay tuned to find out what that means.



66 comments
alex.thomas1982

With the phenomenal growth of Twitter, the lack of transparency with short URLs is becoming an increasing issue in modern-day browsing security. Not knowing where you're going to end up is at best annoying and at worst downright dangerous. Although a few shortening services offer preview features, you can obviously only inspect their URLs. There are some Firefox extensions that automatically expand these URLs, and also a web service http://www.expandmyurl.com that previews and lengthens URLs from over 30 different shortening services.

pgit

I use Linux, and even open known viral links on occasion for research. That said, I get one known good set of truncated links daily (a news service), so even if I were a Windows user I'd trust those links. But of course 99% of my users are quite vulnerable to this (and their own stupidity), so I've noted it and will pass the info along. Thanks again, Michael. It dawns on me that a "digest" of important information circulated on Tech Republic geared toward the average end user might be marketable. Someone could write up the pertinent warnings in layman's terms and give links to more in-depth info. If such a thing had an online presence I'd make it the home page on all clients' browsers. It's impossible to warn a Windows user too much...

Michael Kassner

First, Deepsand kindly pointed out a Web site that will expand URLs from several URL shortening services. Thanks Deepsand. http://longurl.org/ I haven't had time to test it, so please make sure to check the results with known good sources like TinyURL. Second, my next article about Twitter spoofing is out and I'd love to learn what you all thought about it. http://blogs.techrepublic.com.com/security/?p=1065

deepsand

http://longurl.org/ has various tools, including an on-site URL expander, a web site plug-in, a FF extension, a Greasemonkey script, and an API. Supported services include tinyurl.com, is.gd, ping.fm, ur1.ca, bit.ly, snipurl.com, tweetburner.com, metamark.net, url.ie, x.se, 6url.com, yep.it, & piurl.com

tom_briscoe

What these legitimate sites should do is set up a fake account with a fake password. Respond to these phishing sites with the fake account information. When the fake account is accessed, use their IP address to identify who or from where the perpetrator resides. They could block that IP or use some other means to counter them. At the very least, they would know what other accounts have been compromised.

Michael Kassner

Twitter automatically converts URLs to TinyURLs without asking to do so. Has anyone else noticed that?

jsaubert

Normally I don't click shortened URLs unless I'm expecting that type of address. And I certainly never click on them from places that have no reason to be using a short URL service, like a regular blog post or forum reply. The only place I even remotely "trust" them is via micro-blogging sites that limit the number of characters in your message, for example Twitter. Unfortunately people are relying more and more on TinyURL and the like due to the limitations of their chosen communication tool; forum signatures are also falling victim to this as well. This tactic to trick people, where the address shown is something like your bank site but the actual link is to a phishing site, only makes me look at the status bar before I follow any link. It's just the same ol' wolf in a new sheepskin.

santeewelding

Completely, entirely, wholly distrustful. Am I sure this is Michael? He has me questioning me.

CharlieSpencer

The great prognosticator has foreseen the disaster and told of it in prose! All hail!

santeewelding

Join -- lend your, ahem, seniority -- to that of life and death, seeing as how you have lasted this long, unless by sheer flucking luck.

Michael Kassner

Thanks, it all boils down to us humans and how inquisitive we are.

jsaubert

I'll have to try that site out and see how it goes. Thank you again.

Michael Kassner

All my research and I didn't find that site. Humbled yet again. Perchance have you tested it? I'd hate to have that site belong to bad guys. Thanks for sharing that information. It will make it easier for people with smart phones now. Hope you are feeling better too.

Michael Kassner

Hello, Tom. The nasty types change addresses way too often. Besides, the problem is that the legitimate sites aren't usually involved. It's security types that hunt down the bogus sites and do what they can to get the word out about them.

CharlieSpencer

"When the fake account is accessed, use their IP address to identify who or from where the perpetrator resides. They could block that IP or use some other means to counter them." The bad guys change IP addresses randomly and -very- frequently.

jsaubert

It's been doing that for a while ... sort of annoying.

CharlieSpencer

I started wondering about this a couple of years ago. A new 'member' here included a shortened link in his post (blue can, yellow font, four letters, rhymed with 'Cram', as in up his orifice). I realized I had no idea where it went, and that I was doing the same to others. I quit immediately and now only use short links when specifically requested to do so.

Michael Kassner

It's fresh and the reason why I wanted to write the article. You would be surprised at the number of people who didn't understand that deception was possible using URL shortening.

Michael Kassner

I mentioned the preview option for TinyURL, so I'm not sure what you mean?

Michael Kassner

I thought about that, but I was more focused on the security issues. Thanks for the link.

deepsand

invite my attentions. Wit trumps bad luck.

deepsand

Used various known good TinyURLs; all OK. Feeling better/not better from day to day, minute to minute; the rollercoaster ride is beginning to wear me down.

Michael Kassner

I was also very leery of them almost immediately, but they weren't very prevalent. Now just about every Twitter message has one and it's difficult not to click on them.

Jaqui

I missed it, which is quite likely, it's the end of a long day for me. :)

santeewelding

With the others. Please. Be well. I have allowed me the diminishment of all distance from you. Includes cervical, thoracic, lumbar, and sacral, with which many of us have issues, including me. The LongURL FF extension is but a pretext -- for my text, and that of the others.

deepsand

Up to now, I've relied solely on TinyURL's Preview feature. The LongURL FF extension not only provides for a faster means of vetting a link, but also provides for doing so for a variety of truncated URLs.

Michael Kassner

I've been talking to Sean and it seems like a great add-on and trustworthy IMO.

Michael Kassner

You find the needed information, Sean. I'm contacting the other Sean about his new add-on that integrates the URL check into the browser.

seanferd

And thanks for the info.

Michael Kassner

Good point. I see where some are incorporating the best of both worlds.

jsaubert

I'm not all that thrilled with Twitter either, but it's becoming more of a necessary evil every day. People are abandoning their RSS feeds for Twitter.

CharlieSpencer

I spent more time editing (what little I thought was of interest to others) to fit within the limit than I spent on the activity I was describing.

Michael Kassner

The character limit requires more thought and focus. I think that's why I like it.

CharlieSpencer

My wife doesn't think so! Don't bother looking for them. Suffice to say that I don't see any advantage to Twitter vs. other, older electronic formats.

Michael Kassner

I will definitely check them out. Your opinion is valuable.

CharlieSpencer

My feelings about Twitter have been well documented here (Hi Jason!).

Michael Kassner

I bet it wouldn't be hard to make part of the dropper code disable that feature in the cookie. Or actually just delete the cookie would work too, right?

Jaqui

I enabled it after clicking the preview link, and saw the URL before enabling the previews. :D Maybe we should poke TinyURL to only offer the preview link from now on, because of use of the non-preview by phishers and pharmers.

Michael Kassner

Did you check? I don't want to miss anything, as this is pretty important. It's already being exploited along with SMS spoofing.