Malicious users may use URL shortening to obscure the identity of a link they have sent to victims in a phishing email. Using link shortening to post malware and phishing links on social media sites is a popular way to reach a wide audience of people who often click on things impulsively.
URL shortening services such as ‘bit.ly’ and ‘goo.gl’ have been exploited by malicious users to deliver malware to their victims. URL shortening is the translation of a URL into an abbreviated alternative that redirects to the longer URL.
Short URLs are preferable for numerous reasons:
- Long URLs in text can make the accompanying message difficult to read.
- Links can break if they fail to wrap properly.
Although most email clients can now correctly handle long URLs, the use and popularity of shortened URLs has increased because of mobile messaging and social media websites, especially Twitter, which has a character constraint. Services such as ‘bit.ly’ and ‘TinyURL’ allow users to shorten URLs and publish them online.
In addition, these services sometimes allow users to customise the appearance of the short URL and to track the traffic it receives.
Dangers of Shortened Links
Shortened links can be dangerous because users do not fully know what is behind “the link”. All the user can see is a condensed URL (unless the link is clicked and opened in a browser).
Shortened links obscure the end destination in order to make the link shorter. All a user sees in a short link is the name of the link-shortening service followed by a string of random numbers and letters.
Malicious users may use shortened links if they want a victim to visit a link that installs malware on their device. Users would be more inclined to click on ‘http://tinyurl.com/82w7hgf’ than on ‘http://badguysite.123.this.is.a.nasty.virus.and.will.infect.your.computer.exe’.
The shortened URL contains nothing that would alert the user that it is a malware link, because of the obfuscation and the format in which the shortened URL is delivered. Even when a user hovers over the link, it does not show the true destination.
Since many phishing emails aim to provoke an emotional response from the recipient, some employees may hastily click on a short link.
Below is an example of what a short link may look like when incorporated into a phishing email; in this scenario it has been worked into a payroll-themed email. Because the link is shortened, it obfuscates the destination.
This shortened link could lead to malware: once clicked, it automatically downloads a malicious file onto the device. If the malware were installed on a device on the network, it could spread and infect multiple users, compromising the network and leading to further implications and potential losses.
Because of the obscurity of shortened links, it is recommended that users check where a link redirects before clicking on it.
A simple tool, https://wheregoes.com/, allows users to look up a shortened link and determine where it leads. It provides the user with the end URL, so an educated decision can be made before the link is clicked.
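The check recommended above can also be done locally. The following Python script is an added example and is not part of the original article or of the wheregoes.com service: it resolves a shortened link one hop at a time using HEAD requests, never following a redirect automatically, so the true end URL is reported before anyone opens it in a browser. The shortener host list and the download extensions are assumptions; the short link is the article’s own example, and the redirect chain it resolves to is constructed so the script can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse
# Assumed: shorteners the article names, and extensions meaning a file download.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "tinyurl.com"}
DOWNLOAD_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".iso")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Stop urllib following redirects itself so that every hop is recorded.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_location(url):
    """HEAD the URL; return its Location header for a 3xx reply, else None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "link-checker/1.0"})
    try:
        with opener.open(req, timeout=10):
            return None  # 2xx: this is the final page
    except urllib.error.HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None

def expand(url, fetch=http_location, max_hops=10):
    """Resolve redirects hop by hop; returns (chain, 'final'|'loop'|'too-many-hops')."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)  # Location header may be relative
        if nxt in chain:
            return chain + [nxt], "loop"
        chain.append(nxt)
    return chain, "too-many-hops"

def assess(chain):
    """Return the real end URL plus the warning signs a user should see first."""
    start, final, findings = urlparse(chain[0]), urlparse(chain[-1]), []
    if start.hostname in SHORTENER_HOSTS:
        findings.append("starts at a link-shortening service")
    if final.path.lower().endswith(DOWNLOAD_EXTENSIONS):
        findings.append("final destination is a direct file download")
    return chain[-1], findings

# Constructed offline chain: the short link is the article's own example, the
# destinations are made up. Usage: expand(short_url, fetch=CONSTRUCTED_CHAIN.get)
CONSTRUCTED_CHAIN = {"http://tinyurl.com/82w7hgf": "https://example.org/track?id=1",
                     "https://example.org/track?id=1": "/payroll/update.exe"}
```

Against a live link, call expand(short_url) with the default fetcher; the script only ever issues HEAD requests and stops after ten hops or when a redirect loop is detected.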