Destination Unknown: Shortened URLs and your Security

shortURLDo you use social media to keep up with family and friends? How about to read and share mind blowing articles (like the ones here on the ZoneAlarm blog)? Either way, if you hang around social media at all, chances are you have encountered and clicked on shortened URLs even if you weren’t aware of it. But as useful as shortened URLs are, they can easily be corrupted by hackers and scammers.

A primer on URLs

 

To understand what URL shorteners do and how they can be manipulated, let’s start by understanding what URLs are. A URL is a Uniform Resource Locator – or more simply put, the exact address of the webpage you are requesting or viewing. So just like your address may be The Baxter Building, 42nd street, Madison Avenue, Manhattan (and if it’s not, don’t worry, just play along with the example anyway), webpages all have their own address where they “live”. URL shortener services take these addresses and shorten them.

 

These super small URLs play an important role in the social media-o-sphere, keeping links within posts neat and tidy, which on a service like Twitter is of prime importance – with only 140 characters to use per post, the shorter, the better. Shortened links are also useful for tracking metrics about who clicked on links and how links are shared, all of which helps brands streamline their individual content strategies.

 

Destination unknown

 

The problem is that because the link is truncated, the person clicking on it can’t see where they will be directed to. In general, hovering over a link will tell you where that link leads to, but this isn’t the case with shortened URL’s – when you hover over a short URL, it doesn’t tell you any more information about its destination than the shortened URL itself does. To a hacker, this is a golden opportunity. For years, hackers have been playing around with different methods to get innocent victims to click on dangerous links to get them to download viruses and other dangerous malware. Shortened URLs, as it turns out, are the perfect place to hide all that nasty stuff, because people aren’t expecting to see a URL that actually makes sense on platform like Twitter. With the true destination obfuscated, a hacker can send a “clicker” anywhere on the web.

 

A few years back this trend of stuffing shortened URLs with malware became a number one tactic among baddies. The huge proliferation of shortening services like ow.ly, bitly, goo.gl, y.ahoo.it, lnkd.in and tinyurl turned into havens for criminals.

 

On social media crooks began to use these short links in conjunction with clickbait. Clickbait is anything that compels you to click on a link. So a hacker posts something on Facebook or Twitter. The picture and the title of the post all lead the reader to believe that it’s regarding a new study that “proves beyond a shadow of a doubt that eating brownies and ice cream all day will give you a killer six pack!”  But the accompanying and obfuscated link directs them to a page full of malware.

 

Keep away… or not

 

Eventually the situation became so problematic that people just started staying away from using shortened links, which could have been detrimental to a platform like Twitter, which depends on microposts, or super-short posts. In 2011, Twitter started its own shortening service, t.co, which in theory should have meant that they had some amount of control over the content in links. But according to security firm Cloudmark, half of all the spam it tracked coming in through link shorteners in 2014 came in via t.co.

 

But its not only t.co that is problematic. Recently, Google short links were subverted with malware  that led people to download the super nasty Cryptowall ransomware and according to Cloudmark, Bitly, the number one shortener service, shortening over 1 billion links per month, is constantly being used to send out malicious links. Still and all, people continue to click on shortened links and hackers continue to use the method.

 

Many shorteners now have built in scans to try to root out dangerous links. While their methods have not proved to be all that successful, hackers have recently been found setting up their own fake URL shortening websites, in hopes of luring in additional victims.

 

So how can you make sure the shortened URLs you click on are safe?

 

  • First and foremost, use common sense. It doesn’t take a rocket scientist to keep away from potentially dangerous clickbait, just a bit of caution and self-control

 

  • Websites like Longurl reverse the process – so put in the short URL in question and it will display the full address of its destination.

 

  • Make sure your antivirus program is fully updated and determine that your chosen software is doing its job effectively. The difference between a second rate program and a top notch antivirus program can be the determining factor in your digital security.

 

  • Only click on links from trusted sources. This will save you much heartache in the end.

 

  • Both Chrome and Firefox have extensions that allow you to expand shortened URLs from right inside your browser.

 

These threats aren’t new but hackers are constantly evolving and upping their game. And since things are not always how they appear to be, especially in the digital world, we need to be constantly on the lookout for developing trends. Keeping your thinking cap on and using the right tools can help you stay safe in the evolving digital landscape.