Phishers favor TinyURL.com to hide Web destinations
Written by John P Mello Jr on July 23, 2010
We all know the value of short URLs. Certain forms of social media, most notably Twitter, have strict character limits on their content, and when every character counts, you don’t want to be wasting them on Web addresses. So if you can reduce a 64-character URL to 16 characters, chances are you’re going to do it. In addition, long URLs can be truncated in email messages, which can be annoying to both a sender and a recipient.
As is often the case with online conveniences, though, this one invites abuse. Internet miscreants have found that the unintelligible combinations of letters and numbers are a good way to disguise their intentions. You might be able to scan a full URL and detect irregularities that tip a scammer’s hand, but that’s not the case with a short URL.
Black Hats “abuse these services to hide their phishing sites, malware or affiliate links,” one security firm observed recently in its company blog.
Of course, many of the services prohibit abuse of their offerings. They contain language like the following from a URL shortener called TinyURL:
“TinyURL was created as a free service to make posting long URLs easier, and may only be used for actual URLs. Using it for spamming or illegal purposes is forbidden and any such use will result in the TinyURL being disabled and you may be reported to all ISPs involved and to the proper governmental agencies. This service is provided without warranty of any kind.”
But, it seems, the words in those stern warnings aren’t worth the electrons they’re made of.
As one security firm points out: “Nobody seems to care about these terms, considering the amount of shortened URLs we see abused in illegal activities. At least, some of these services have started filtering all shortened links through special services. Overall, we see more and more spam using shortened URLs, anyhow.”
Other White Hats have seen that trend, too. Recently, security researchers have discovered increased use of short URLs in spam messages. At the end of June, for example, one lab found that the number of spam messages containing short URLs as bait ballooned from zero to three billion over a three-day period, or 2.2 percent of all spam sent during the time frame. Currently, the short URLs are driving their victims to spam sites. Those detours may be vexing, but they’re relatively harmless. What concerns security pros, though, is that the practice will become popular with malware distributors. Those cyber bandits will direct their victims to websites that will instantly infect their targets or use one scam or another to pry sensitive personal information from them.
There are more than a score of sites that provide URL shortening services, which can make tracking them a chore. Nevertheless, some of the services appear to be more popular with spammers and malware mavens than others, as one recent analysis of 22 of the services showed.
Topping the list as a favorite for phishers is TinyURL.com. Of all the shortened URLs leading to phishing pages, 41.30 percent were generated by TinyURL. That service has been around for ages in Internet terms. It was founded in 2002. It gained popularity over the years and was the preferred shortener for Twitter users until the short-message service replaced it with Bit.ly in 2009.
Bit.ly, by the way, finished second among phishers as a URL shortener to be exploited, with 15.29 percent of all short URLs leading to phishing pages originating at Bit.ly.
Bit.ly, too, will lose its preferred status at Twitter. Sometime this summer, Twitter will be rolling out system-wide its own URL shortener, which came online during the spring.
“Since early March, we have been routing links within Direct Messages through our link service to detect, intercept, and prevent the spread of malware, phishing, and other dangers,” Twitter explained in a recent blog posting. “Any link shared in a Direct Message has been wrapped with a twt.tl URL. Links reported to us as malicious are blacklisted, and we present users with a page that warns them of potentially malicious content if they click blacklisted links.”
When it comes to short URLs that lead to malware pages, the leader is k.lm with 27.87 percent of the traffic. Notlong.com finished second with 27.05 percent of the flow and TinyURL, third, with 18.85 percent of the pages. Bit.ly finished fifth with 7.38 percent.




