Short and often nasty
Spammers and malware pushers abuse URL shortening for a number of reasons. The obvious motivation is that shortened links hide the nature of the destination URL, in theory reducing the chances of it being blocked by filtering systems that rely on rule-based blacklists. But there is more to it than that: URL shortening also allows spammers to generate large numbers of unique URLs for the same web address, which lets a spam campaign scale very efficiently.
When security systems started checking where shortened links were leading, spammers started redirecting them through other shortened URLs on different services, sometimes introducing several layers of obfuscation in an attempt to hide the destination.
Now on Bit.ly
According to Cloudmark, better filtering by Twitter moved those spammers to the next best shortener, Bit.ly. Despite Cloudmark informing the service of its concerns, Bit.ly has apparently done little or nothing to block the malicious links it detected, Cloudmark said.
"Since the vast majority of Bitly links in email are malicious, Cloudmark may be forced to be more aggressive about filtering emails containing such links," wrote the firm in its report.
"It is possible that this may result in some legitimate newsletters containing these links being flagged as spam. If that happens, we recommend that the sender switch to using a URL shortener with a better reputation."
Most of this would be an inconvenience for large organisations that could simply filter shortened URL services, but it's not that straightforward - many media and marketing-driven enterprises are heavy users of them, which of course is the main reason independent link-shortening services still exist. As it happens, of the thousands of firms using Bit.ly for this service, a number are being targeted by spammers, including CNN.it and AOL.it.
The motivation for this abuse is fairly obvious: users who see what they think is a link to one of these services are more likely to treat it as trustworthy and click on it. Actually getting a CNN link to direct to a malicious domain turns out to involve the abuse of a script function on CNN.com that allows arbitrary links to be resolved anywhere on the Internet.
On a single day in January 2016, the CNN script was used to set up a peak of 8,800 malicious URLs, Cloudmark said (this function has now been disabled). AOL had a smaller problem in December.
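The layered redirection and the trusted-domain redirect script described above are why a filter has to unwind a link hop by hop instead of judging the first URL it sees. The following Python is an added example, not code from Cloudmark or the original article; the shortener list, the `*.example` hosts, the redirect table and the idea that the redirect script takes its target in a query parameter are all constructed assumptions, and `lookup` stands in for a real "fetch without following redirects" call.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed, illustrative list; a real filter would use a maintained one.
SHORTENERS = {"bit.ly", "short-a.example", "short-b.example"}

def embedded_targets(url):
    """Absolute URLs carried in query parameters (redirect-script style links)."""
    return [v for _, v in parse_qsl(urlsplit(url).query)
            if urlsplit(v).scheme in ("http", "https") and urlsplit(v).hostname]

def unwind(url, lookup, max_hops=10):
    """Follow redirects one hop at a time; lookup(url) returns the next URL or None.

    Returns the full chain, the final URL and the reasons the chain looks suspicious.
    """
    chain, seen, flags = [url], {url}, []
    while (nxt := lookup(chain[-1])) is not None:
        if nxt in seen:                      # A -> B -> A would never terminate
            flags.append("redirect loop")
            break
        if len(chain) > max_hops:            # chain already holds max_hops hops
            flags.append("hop limit exceeded")
            break
        chain.append(nxt)
        seen.add(nxt)
    services = {h for h in (urlsplit(u).hostname for u in chain) if h in SHORTENERS}
    if len(services) > 1:
        flags.append(f"chained through {len(services)} shortening services")
    if any(embedded_targets(u) for u in chain):
        flags.append("hop carries a destination URL in its query string")
    return {"chain": chain, "final": chain[-1], "flags": flags}

# Constructed redirect table standing in for live HTTP responses.
SAMPLE = {
    "https://short-a.example/aaa111": "https://short-b.example/zz9",
    "https://short-b.example/zz9":
        "https://news.example/redir?url=https://landing.example/offer",
    "https://news.example/redir?url=https://landing.example/offer":
        "https://landing.example/offer",
}

if __name__ == "__main__":
    result = unwind("https://short-a.example/aaa111", SAMPLE.get)
    print(" -> ".join(result["chain"]))
    print(result["flags"])
```

The filtering decision is then made on `final` and on the flags, not on the host of the link as it appeared in the message.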
URL shortening - are these services now too dangerous to use?
Conclusion
A number of lessons jump out of the current condition of URL shortening services.
For end users and employees:
- Be extremely wary of all shortened URLs and remember that the destination of a malicious link may be obfuscated