You may or may not know about TinyURL, a Web service that provides short aliases that redirect to long URLs. The TinyURL homepage includes a form for submitting a long URL to be shortened. For each URL entered, the server stores a new alias in its database, mapped to the original URL, and returns a shortened URL that redirects to it.
For example, a good use of the TinyURL service would be changing the result from a Google search for Indian wonders:
This is a genuinely useful service, but as the saying goes, “those who make themselves seem great will attract bad things.” TinyURL's popularity hands fraudsters a golden opportunity. Attackers can use the service to make phishing URLs less suspicious to anti-phishing detection, since the shortened form bears no resemblance to the targeted brand or website. It also makes life harder for the recipients of phishing emails: mousing over a shortened link no longer shows where it actually goes.
Below is one such example that Symantec observed:
There are numerous other online services doing the same thing. Bit.ly is the popular newcomer you may recognize from social media site posts. Some services, such as TinyURL and Bit.ly, have taken steps to block suspicious URLs—with mixed success. However, some of them don’t appear to even try.
There are a couple of ways to detect and defend against this kind of attack. Although these dwarf URLs make it difficult to mouse over a link and see the real destination, if you suspect that a TinyURL link you've received is hiding a malicious URL, you can check it without clicking.
URL-lengthening tools, such as a Firefox extension, can reveal the destination of a shortened URL. TinyURL's own preview feature lets you substitute preview.tinyurl.com for tinyurl.com, which shows you the final link instead of redirecting to it. For example, rather than http://tinyurl.com/cz6z88, use http://preview.tinyurl.com/cz6z88 instead. (Just paste the preview URL into your browser's address bar and press enter.) You can also turn the TinyURL preview feature on permanently in your browser by visiting http://tinyurl.com/preview.php and clicking on the link that says, "Click here to enable previews." You can disable it later from the same page. If you use multiple browsers, you will need to do this in each one, since the setting is stored per browser.
Likewise, Bit.ly offers a safe expansion page and a Firefox add-on. (The Firefox add-on is available here.) So, for this shortened URL,
…you would enter this into your browser:
…to get this information:
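The preview pages above do the same job a resolver script can do: fetch the short link's redirect response and read its Location header without ever loading the final page. The following is an added example written for this article, not Symantec's tooling or anything from TinyURL or Bit.ly. It rewrites tinyurl.com links into their preview.tinyurl.com form, walks a redirect chain by hand (HEAD requests, no automatic following, a hop limit, and loop detection, so a chain of nested shorteners is unwound safely), and applies a simple brand-in-hostname heuristic to the final destination. The redirect table, the hostnames and the brand list are constructed for the demonstration; `http_fetch` is the real network backend and is only used when you pass a live URL.

```python
"""Expand a shortened URL without visiting its final destination."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit, urlunsplit

MAX_HOPS = 5  # nested shorteners are common; endless chains are not

REDIRECT_CODES = {301, 302, 303, 307, 308}


def preview_form(url):
    """Rewrite a tinyurl.com link into its preview.tinyurl.com form.

    The preview host shows the destination instead of redirecting to it.
    Links on other hosts are returned unchanged.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() in ("tinyurl.com", "www.tinyurl.com"):
        return urlunsplit((parts.scheme, "preview.tinyurl.com",
                           parts.path, parts.query, parts.fragment))
    return url


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on 3xx instead of following.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """Real backend: a single HEAD request, returning (status, Location)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def resolve_chain(url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Follow 3xx Location headers one hop at a time.

    Returns (hops, final_url, status) where status is "ok", "loop" or
    "too_many_hops". The final page itself is never requested with GET.
    """
    hops, seen, current = [url], {url}, url
    for _ in range(max_hops):
        code, location = fetch(current)
        if code not in REDIRECT_CODES or not location:
            return hops, current, "ok"
        nxt = urljoin(current, location)  # Location may be relative
        hops.append(nxt)
        if nxt in seen:
            return hops, nxt, "loop"
        seen.add(nxt)
        current = nxt
    return hops, current, "too_many_hops"


def looks_like_brand_phish(final_url, brands):
    """Flag a destination whose hostname merely contains a brand name.

    `brands` maps a brand keyword to the brand's real domain, e.g.
    {"paypal": "paypal.com"}. A host on the real domain is not flagged;
    a host such as paypal.example.net is.
    """
    host = urlsplit(final_url).netloc.lower().split(":")[0]
    for real_domain in brands.values():
        if host == real_domain or host.endswith("." + real_domain):
            return False
    return any(brand in host for brand in brands)


# Constructed sample (hypothetical): a redirect table standing in for the
# live services, so the resolver can be exercised offline.
FAKE_REDIRECTS = {
    "http://tinyurl.com/abc123": (301, "http://bit.ly/xyz"),
    "http://bit.ly/xyz": (301, "http://paypal.example.net/verify"),
    "http://paypal.example.net/verify": (200, None),
    "http://tinyurl.com/loop1": (302, "http://tinyurl.com/loop2"),
    "http://tinyurl.com/loop2": (302, "http://tinyurl.com/loop1"),
}


def fake_fetch(url):
    """Offline stand-in for http_fetch, reading the constructed table."""
    return FAKE_REDIRECTS.get(url, (404, None))


if __name__ == "__main__":
    brands = {"paypal": "paypal.com"}  # constructed brand list
    for short in ("http://tinyurl.com/abc123", "http://tinyurl.com/loop1"):
        hops, final, status = resolve_chain(short, fetch=fake_fetch)
        print(status, " -> ".join(hops), "phish?" ,
              looks_like_brand_phish(final, brands))
```

Run with a real short link by calling `resolve_chain(url)` with the default backend; keep the hop limit, because a shortener that points at another shortener is exactly the pattern spammers use to defeat one-level expansion, and an unbounded follower would happily chase a redirect loop forever.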
Spammers love it, too
Just as fraudsters exploit these services, ordinary spammers use them to sneak past mail filters in the same way. TinyURL has been a particular favorite of spammers in recent years, with millions of messages blocked to date. Pornography sites and “online pharmacies” regularly exploit the obfuscation, but we also see get-rich-quick schemes that simply bank on the perceived legitimacy of the shortening service, choosing custom aliases such as "CashMaking."
The problem becomes harder still when you consider that many legitimate newsletters have also started using URL shorteners. With more and more tracking parameters attached to each URL, and with legitimate email distribution frequently outsourced, shortening no doubt seems like the logical solution. But it trades on trust: you recognize the shortened URLs from your social network, and if you haven't been burned yet, you are inclined to treat them as legitimate domains.
Nor are these problems limited to the English-speaking world. Shortened URLs are equally effective in any language, and we regularly see spammers use them in Japanese, Italian, Russian, Chinese, and other languages. Fortunately, Symantec Security Response is able to react to these threats as they appear, and of course the payload URL is not the only way to identify spam.
Bloggers get involved
In the security business we've long been working to mitigate the risk behind the scenes. And now, thanks mainly to the explosive popularity of Twitter and friends, security bloggers are paying attention to the issue.
Joshua Schachter wrote up his thoughts a couple of weeks ago, sparking a lively discussion. David Weiss posted a related piece the same day, with lots of fascinating references. Then Jason Kottke joined the conversation, suggesting that sites such as Twitter do their own URL shortening. (All three via Daring Fireball.) Bit.ly has responded to the criticism on its own blog. And TechCrunch published a summary article with its own comment thread.
With social networking and user-generated content continuing their rapid expansion into the mainstream, trust is increasingly becoming the cornerstone of our digital lives. It's unlikely the URL shortening services will disappear—Bit.ly recently raised US$2M in venture capital—but they're definitely still in flux, and heightened awareness of the security implications should add positive pressure for innovation.
At Symantec, we're hard at work building technologies that ensure a safe and secure online experience. But even today, smart digital habits make a big difference. The increased scrutiny of URL shorteners is a timely reminder: if you don't trust the sender, don't click on the link.
Note: A big thanks to my colleague Kevin Frost for his contributions to this article.