URL shortener

Shortcut Express to Infected & Phishing Websites

URL shorteners are a relatively new Internet service. As many social services on the Internet impose character limitations (Twitter is a prime example), these URL are very practical…

For example, you’d spend 64 characters to point to Wiki’s article about URL shorteners: http://en.wikipedia.org/wiki/URL_shortening. With an URL shortener, you can cut that down to 16 characters: http://bit.ly/c1htE.

URL shorteners, however, can be used to hide the real target of a link. Cyber criminals appreciate this “feature” – and use it to hide links to phishing or infected websites. These services usually have terms and conditions comparable to TinyURL:

TinyURL was created as a free service to make posting long URLs easier, and may only be used for actual URLs. Using it for spamming or illegal purposes is forbidden and any such use will result in the TinyURL being disabled and you may be reported to all ISPs involved and to the proper governmental agencies. This service is provided without warranty of any kind.

Few seem to care about these terms, which are regularly flaunted in the pursuit of profit. Happily, however, certain services have started to filter shortened links through special services, even if this has so far failed to stem the flow of shortened SPAM URLs.

Below are statistics with the percentage of malicious links identified on 22 popular URL shortener services:

Phishing

Malware

#Shortener%Shortener%
1tinyurl.com41.30k.im27.87
2bit.ly15.29notlong.com27.05
3r2me.com12.04tinyurl.com18.85
4snipurl.com7.16cli.gs7.38
5lu.mu6.50bit.ly7.38
6doiop.com4.52doiop.com4.10
7notlong.com3.55ad.ag2.46
8is.gd1.93is.gd1.64
9tiny.cc1.81tr.im0.82
10sn.im1.69snipurl.com0.82
11k.im0.96ow.ly0.82
12shorl.com0.66dwarfURL.com0.82
13tr.im0.60zi.ma0.00
14goo.gl0.54u.nu0.00
15ow.ly0.48tiny.cc0.00
16cli.gs0.30sn.im0.00
17u.nu0.18shorl.com0.00
18moourl.com0.18r2me.com0.00
19idek.net0.12moourl.com0.00
20dwarfURL.com0.12lu.mu0.00
21zi.ma0.06idek.net0.00
22ad.ag0.00goo.gl0.00

Source: Avira Virus Lab, taken from the month of July, 2010.

Shortened Links Can Mask A Threat

To give you an example, would you click on the following link?

www.ssl-albion-netbank.com/143.027.902

Probably not… The bank’s made-up name and use of random numbers would rightly give you misgivings. However, under a shortened guise – http://goo.gl/mDNuMg – one would not know that it’s a phishing website (in this case, a dead link).

Recommendations:

The bottom line is that if you can, avoid clicking on shortened URL links. If you do need to click on shortened links, copy and paste the link into a link lengthener – such as http://longurl.org/, which displays the full version of the links without having to click on it (exists also as a browser extension for Chrome and Firefox).

Finally, we recommend you equip yourself with Avira’s free Browser Safety extension, also for Chrome and Firefox, which blocks infected websites before they load. To learn more about Browser Safety, visit Avira’s website here: https://www.avira.com/en/avira-browser-safety

This post is also available in: German

Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.