
Spammers exploiting trust in shortened URLs

July 8, 2009
The amount of spam containing shortened URLs has drastically increased recently, according to the latest statistics from Symantec.

Previously, shortened URLs -- miniature links swapped out for longer, original addresses -- were used in about 0.3 to 0.4 percent of all spam, Matt Sergeant, senior anti-spam technologist at Symantec's MessageLabs, told SCMagazineUS.com on Tuesday. During the middle of last week, however, junk mail containing the shortened links jumped to two percent of all spam.

The URLs mostly are part of spam campaigns for weight loss or male enhancement drugs, Sergeant said. If a user clicks the link in the spam, they are directed to sites that offer the products that spammers are advertising. Currently, these sites do not contain malware, but there's nothing stopping spammers from using malicious links in the future to expand the size of their botnets and the number of machines they control.

Shortened URL services, such as Bit.ly and TinyURL, mostly are known through Twitter, where they are used by members to meet the microblogging site's 140-character message limit, Sergeant said.

With bite-size URLs, the danger is that users cannot tell what website they are visiting, so they could potentially wind up at a malicious site hosting drive-by download malware, experts said.

“People need to be cautious of shortened URLs,” Sergeant said. “It doesn't give you any idea of where you end up or what sort of page you can land on.”

Users also may be redirected to phishing sites or other spam-related material, Troy Gill, security analyst at security vendor AppRiver, told SCMagazineUS.com on Tuesday. And, scammers could potentially use the shortened links to bypass spam filters, because when the actual domain is not sent via email, the malicious link is more likely to evade some filters.

Also, shortening services typically do not check the link or utilize any CAPTCHA technology to prevent abuse, Gill said. Such ease of access enables cybercriminals to use automation to send their unsolicited messages.

Even the savviest computer users might fall prey to this threat given the trust that is often associated with shortened URLs, Gill warned.

Graham Cluley, senior technology consultant at security vendor Sophos, told SCMagazineUS.com on Wednesday that users should install a browser plug-in that turns shortened URLs into long URLs before actually going to a site. One such add-on that Cluley uses for Firefox is called “LongURL,” which, when a user hovers their mouse over the shortened URL, shows the full version of the link.
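The filter gap Gill describes and the expand-before-visiting step Cluley recommends can be combined on the mail-filter side. The following is an added example, not code from the article or from any vendor named in it: it resolves shortener links hop by hop and checks the final host against a blocklist. The `fetch` callback (assumed to issue a HEAD request and return the `Location` header without following it), the redirect table, the short codes and `pills.example` are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com"}  # the two services the article names
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host(url):
    return (urlsplit(url).hostname or "").lower()

def expand(url, fetch, max_hops=5):
    """Follow redirects hop by hop; return every URL seen, in order.
    fetch(url) returns the redirect target for url, or None if it does not redirect."""
    chain = [url]
    while True:
        target = fetch(chain[-1])
        if not target:
            return chain
        target = urljoin(chain[-1], target)  # Location may be relative
        if target in chain or len(chain) > max_hops:
            raise ValueError("redirect loop or chain too long")
        chain.append(target)

def scan(body, blocklist, fetch):
    """Return (url, final_url, verdict) for each link in a message body."""
    out = []
    for url in URL_RE.findall(body):
        final, verdict = url, "pass"
        if host(url) in SHORTENERS:
            try:
                final = expand(url, fetch)[-1]
            except ValueError:
                verdict = "unresolved"  # hold for review instead of delivering
        # A filter that only looked at host(url) would see the shortener here.
        if host(final) in blocklist:
            verdict = "block"
        out.append((url, final, verdict))
    return out

# Constructed sample data: hypothetical short codes and placeholder domains.
REDIRECTS = {"http://bit.ly/abc123": "http://tinyurl.com/xyz789",
             "http://tinyurl.com/xyz789": "http://pills.example/buy",
             "http://bit.ly/loop": "http://bit.ly/loop"}
SAMPLE = "Lose weight fast http://bit.ly/abc123 or see http://bit.ly/loop and http://example.org/news"
BLOCKLIST = {"pills.example"}
```

Calling `scan(SAMPLE, BLOCKLIST, REDIRECTS.get)` blocks the first link only after it has been expanded through both shorteners, and marks the self-redirecting link as unresolved.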

Sergeant warned that there have been shortened URL links on Twitter that have redirected users to sites hosting malware, phishing pages and spam-related material. In June, the Cligs URL shortening site was hacked, causing millions of links to redirect to the same site, though it was not deemed malicious.
