Spammers and malware pushers are still heavily abusing URL shortening services, messaging security firm Cloudmark has reported in its 2015 annual security report (reg required). The popular Bit.ly service has recently become a particular favourite with criminals with 25,000 individual malicious links run though that service every single day in recent times. This sounds alarming but it gets worse. According to the firm, this meant that an extraordinary 97 percent of Bit.ly links now led to malicious websites.
Bit.ly, let us remind ourselves, is one of the URL services normally thought of as having a good reputation.
Meanwhile, on the receiving end of this tide of malicious URLs, there is no sign that the average employee has a clue how risky this kind of link can be. Little of this is new, indeed URL shortening services have had a problem reputation from their earliest days, but it is extraordinary that years later and the problem of how to defend against them is still a live issue.
URL shortening - a little history
URL shortening gained traction as websites grew larger and the content management systems underpinning them more complex. URLs and the variables embedded within them grew. By the time Twitter and the 160-character limit caught on in 2009, the benefits of URL economy was self-explanatory. URL shortening boomed led by top dogs such as Bit.ly, TinyURL,Ow.ly, and in late 2010, Google's Goo.gl.
On the surface it was a simple business model. URL shorteners didn't charge end users to shorten URLs, of course, but could gather a lot of valuable data about the people using them. They could also sell corporate URL shortening domains built on their service.
The flip side is that from the very start URL shortening services were abused by spammers and malware pushers to the extent that many large numbers became so polluted whole services were blacklisted. Many disappeared as a result of abuse so bad whole services were seen as toxic. The whole market became tarnished with a suspect image, not helped by the issue of link rot when it became apparent that shortened URLs were only good for a defined period of time before they expired.
Services that depended on URLs sensed danger and in 2011 Twitter launched its own t.co service which embedded all links as 19 characters. In theory this gave the service control over linking with the service although Cloudmark reported that half of all the spam shortened URLs it saw during the summer of 2014 was for t.co. These days every link run through Twitter is wrapped in a t.co address regardless of how it was created, a major reason why third-party URL shortening services have become less apparent.
Sign up for CIO Asia eNewsletters.