
URL shortening services are still being abused by spammers on an industrial scale

Spammers and malware pushers are still heavily abusing URL shortening services, messaging security firm Cloudmark has reported in its 2015 annual security report (reg required). The popular Bit.ly service has recently become a particular favourite with criminals, with 25,000 individual malicious links run through that service every single day. This sounds alarming but it gets worse. According to the firm, this meant that an extraordinary 97 percent of Bit.ly links now led to malicious websites.

Bit.ly, let us remind ourselves, is one of the URL services normally thought of as having a good reputation.

Meanwhile, on the receiving end of this tide of malicious URLs, there is no sign that the average employee has a clue how risky this kind of link can be. Little of this is new; indeed, URL shortening services have had a problem reputation from their earliest days. But it is extraordinary that, years later, the problem of how to defend against them is still a live issue.

URL shortening - a little history

URL shortening gained traction as websites grew larger and the content management systems underpinning them more complex. URLs and the variables embedded within them grew. By the time Twitter and the 160-character limit caught on in 2009, the benefits of URL economy were self-explanatory. URL shortening boomed, led by top dogs such as Bit.ly, TinyURL, Ow.ly, and in late 2010, Google’s Goo.gl.

On the surface it was a simple business model. URL shorteners didn’t charge end users to shorten URLs, of course, but could gather a lot of valuable data about the people using them. They could also sell corporate URL shortening domains built on their service.

The flip side is that from the very start URL shortening services were abused by spammers and malware pushers, to the extent that large numbers became so polluted that whole services were blacklisted. Many disappeared as a result of abuse so bad that they were seen as toxic. The whole market became tarnished with a suspect image, not helped by the issue of link rot when it became apparent that shortened URLs were only good for a defined period of time before they expired.

Services that depended on URLs sensed danger, and in 2011 Twitter launched its own t.co service, which embedded all links as 19 characters. In theory this gave Twitter control over linking on its service, although Cloudmark reported that half of all the spam shortened URLs it saw during the summer of 2014 were for t.co. These days every link run through Twitter is wrapped in a t.co address regardless of how it was created, a major reason why third-party URL shortening services have become less apparent.

Short and often nasty

Spammers and malware pushers abuse URL shortening for a number of reasons. The obvious motivation is that it hides the nature of the destination URL, in theory reducing the chances of it being blocked by filtering systems based on rule-based blacklists. But there is more to it than that; URL shortening also allows spammers to generate large numbers of unique URLs for the same web address, which for spamming scales in a hugely efficient way.

When security systems started checking where shortened links were leading, spammers started redirecting them through other shortened URLs on different services, sometimes introducing several layers of obfuscation in an attempt to hide the destination.
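As an added illustration (not code from Cloudmark or any shortener), this is how a mail filter might unroll such a chain hop by hop and flag the layering described above. The `fetch` callback, the hop cap and the flag names are assumptions, and the sample responses are constructed so the block runs offline.

```python
from urllib.parse import urljoin, urlsplit

# Shortener domains named in the article; extend from your own mail telemetry.
SHORTENERS = {"bit.ly", "tinyurl.com", "ow.ly", "goo.gl", "t.co"}
REDIRECTS = {301, 302, 303, 307, 308}

def unroll(url, fetch, max_hops=10):
    """Follow a redirect chain one hop at a time.

    fetch(url) -> (status, location_or_None) is supplied by the caller, for
    example a HEAD request with automatic redirects disabled.
    Returns (chain, final_host, flags).
    """
    chain, flags = [url], set()
    while len(chain) <= max_hops:
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            break                               # reached a non-redirect response
        nxt = urljoin(chain[-1], location)      # Location may be relative
        if nxt in chain:
            flags.add("redirect-loop")
            break
        chain.append(nxt)
    else:
        flags.add("hop-limit-reached")          # gave up before a final page
    hosts = [(urlsplit(u).hostname or "").lower() for u in chain]
    if len({h for h in hosts if h in SHORTENERS}) > 1:
        flags.add("chained-shorteners")         # layered obfuscation
    if hosts[-1] in SHORTENERS:
        flags.add("unresolved")                 # destination still hidden
    return chain, hosts[-1], sorted(flags)

# Constructed responses standing in for live HTTP lookups (not real links).
SAMPLE = {
    "http://bit.ly/SAMPLE-A": (301, "http://ow.ly/SAMPLE-B"),
    "http://ow.ly/SAMPLE-B": (302, "http://tinyurl.com/SAMPLE-C"),
    "http://tinyurl.com/SAMPLE-C": (301, "http://landing.example/offer?id=7"),
    "http://landing.example/offer?id=7": (200, None),
    "http://bit.ly/SAMPLE-L1": (301, "http://goo.gl/SAMPLE-L2"),
    "http://goo.gl/SAMPLE-L2": (301, "http://bit.ly/SAMPLE-L1"),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, None))

if __name__ == "__main__":
    for start in ("http://bit.ly/SAMPLE-A", "http://bit.ly/SAMPLE-L1"):
        print(unroll(start, sample_fetch))
```

A filter can then score the final host against its reputation data and treat `chained-shorteners`, `redirect-loop` or `unresolved` as signals in their own right.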

Now on Bit.ly

According to Cloudmark, better filtering by Twitter moved those spammers to the next best shortener, Bit.ly. Despite Cloudmark informing the service of its concerns, Bit.ly has apparently done little or nothing to block the malicious links it detected, Cloudmark said.

“Since the vast majority of Bitly links in email are malicious, Cloudmark may be forced to be more aggressive about filtering emails containing such links,” wrote the firm in its report.

“It is possible that this may result in some legitimate newsletters containing these links being flagged as spam. If that happens, we recommend that the sender switch to using a URL shortener with a better reputation.”

Brand abuse

Most of this would be an inconvenience for large organisations that could simply filter shortened URL services but it’s not that straightforward – many media and marketing-driven enterprises are heavy users of them, which of course is the main reason independent link shortening services still exist. As it happens, of the thousands of firms using Bit.ly for this service, a number are being targeted by spammers, including CNN.it and AOL.it.

The motivation for this abuse is the fairly obvious one that users who see what they think is a link to one of these services are more likely to trust it and click. Actually getting a CNN link to direct to a malicious domain turns out to involve the abuse of a script function on CNN.com that allows arbitrary links to be resolved anywhere on the Internet.

On a single day in January 2016, the CNN script was used to set up a peak of 8,800 malicious URLs, Cloudmark said (this function has now been disabled). AOL had a smaller problem in December.
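A script that forwards visitors to any address it is given is what is usually called an open redirect. As an added example (not CNN's code and not from the Cloudmark report), here is a naive target check beside a stricter one; the `news.example` hosts and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical hosts the site is willing to redirect to.
ALLOWED_HOSTS = {"news.example", "www.news.example"}

def naive_is_local(raw):
    """Weak check: treats anything starting with '/' as a same-site path."""
    return raw.startswith("/")

def safe_redirect_target(raw, allowed=ALLOWED_HOSTS, fallback="/"):
    """Return raw only if it is a same-site path or an http(s) URL on an
    allowed host; otherwise return fallback."""
    # Backslashes, control characters and padding are parsed differently by
    # browsers and by urlsplit, so refuse them outright.
    if not raw or raw != raw.strip() or any(c in raw for c in "\\\r\n\t"):
        return fallback
    try:
        parts = urlsplit(raw)
    except ValueError:                      # e.g. malformed IPv6 literal
        return fallback
    if not parts.scheme and not parts.netloc:
        # Relative target: must be rooted with exactly one slash.
        ok = raw.startswith("/") and not raw.startswith("//")
        return raw if ok else fallback
    if parts.scheme not in ("http", "https"):
        return fallback                     # scheme-relative, javascript:, ...
    if parts.username or parts.password:
        return fallback                     # allowed-host@other-host form
    host = (parts.hostname or "").lower().rstrip(".")
    return raw if host in allowed else fallback

# Constructed inputs a redirect parameter might receive.
SAMPLES = [
    "/world/story-1",
    "https://www.news.example/video",
    "//other.example/x",
    "https://news.example@other.example/",
    "https://news.example.other.example/",
    "http://bit.ly/SAMPLE",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:45} naive={naive_is_local(s)!s:5} "
              f"strict={safe_redirect_target(s)!r}")
```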

URL shortening – are these services now too dangerous to use? Conclusion

A number of lessons jump out of the current condition of URL shortening services.

For end users and employees:

- Be extremely wary of all shortened URLs and remember that the destination of a malicious link may be obfuscated

- Some shortened link services have a better reputation than others

- Services exist to reveal the destination of shortened URLs, for example X-Ray. These will reveal the destination domain underneath the apparently harmless short URL.

For enterprises:

- If using corporate URL shortening, a mechanism for abuse feedback is essential, whether this is via a third party or carried out by the company itself

- Use one with a decent reputation and the ability to scan for abuse such as Goo.gl