Free WordPress Security Mini Course

Bit.ly and URL Shorteners Assist With Email Spam

It’s hard to say who is worse… hackers or spammers? Since many of them probably both hack and spam, let’s just clump them all as “The Evil Scum of The Earth”.  You see news stories all the time about burglaries, rapes, identity theft, and many other terrible and horrible things. (It’s really quite depressing to watch the news most days isn’t it?) So why don’t we see more news stories about the criminal activities that affect all of us on a daily basis… hacking and spamming?

Now I’m not trying to downplay the severity of the news stories mentioned above. And I’m definitely not saying that those news stories are not important. They are all terrible crimes and newsworthy, but why don’t we see a few more stories about things that affect our computers and our time each and every day. We should all be aware of things on the news and do our best to set up defenses against those things, but why don’t we see more education on junk mail, viruses, phishing, website hacks, and other evil technology crimes?

When I turned on my computer this morning I had over 400 spam email messages in my junk mail. And another 3 emails managed to sneak by my spam filters. I had emptied my junk folder less than 12 hours earlier, so that statistic is pretty much a daily statistic. Then I opened my virus scan reports and saw that my antivirus program blocked several virus attacks while I was sleeping. I wasn’t even browsing the Internet and I still had attacks on my machine! Doesn’t that just make you want to scream in anger?

I guess we are all just accustomed to seeing a junk mail folder full and we generally don’t even know when our websites get hacked until hours or even days after it happens. So much like how we as a society are “hardened” or accustomed to seeing terrible news stories on the nightly news, we just shrug off technology crimes and write them off as “normal” occurrences and move on with our day.

What about URL shorteners?

URL shortening services such as bit.ly and tinyurl.com, which have blossomed with the advent of Twitter, are increasingly being used by spammers to mask malicious links. You’ve seen these short URLs just about everywhere. Even mainstream media services are implementing them. So it’s virtually impossible to distinguish a legitimate short URL from a malicious URL.

The potential dangers and risks

With these shortened URLs you are no longer able to see directly where your browser will be going. Shortened URLs could lead to the following security risks:

  • websites that host malware, trojans and other malicious programs
  • websites that could exploit security risks in a browser or system
  • websites that contain phishing attempts and try to steal personal information
  • websites that contain phishing attempts by social interaction
  • websites that are being used in spam campaigns

Yikes! That’s scary stuff. It could easily be a headline “60 Minutes” news story right?

So how do we fix the problem?

One solution would be for email spam filters and antimalware software to analyze and validate the real link behind the shortened URL. The downside of this solution would be the amount of time it takes a page to load. If a page or email has several links, it could take time for the filter of software to analyze the URL. It can also get tricky if the spammer used a shortened URL that was shortened from 1 or more other URL shortening services. In other words, they could have a chain of several shortened URLs the filters would have to analyze.

While search engines like Google and Yahoo and many other spam filters and antimalware services are already working hard to fix this problem for their users, there isn’t a great solution in place yet.

Here’s the real solution…

Users simply need to be aware of the increased threat posed by shortened URLs and exercise more discretion and common sense when clicking on them. Did you hear that? Use common sense!

If someone emails you that you haven’t heard from in years…

  1. Don’t open the email
  2. If you did open the email, don’t click links (especially shortened URLs)

If someone you know well emails you with a shortened URL…

  1. You probably know them well enough to respond with your concern about opening the URL and ask them to send you the full URL

If you see a shortened URL in the page content of a major media website, you are probably OK to click it unlesss…

  1. If you see a shortened URL in the comment section of any website, be cautious. Especially if you don’t know the person that left the URL.

If you see shortened URLs on Twitter, Facebook, or other social media sites…

  1. This is hard to say since they all use shortened URLs (this is the primary reason why they exist in the first place)
  2. If you know the person well, you may be OK to click the link (unless their account got hacked… more reason for you to spread the word and educate them on proper security!)
  3. If you don’t know the person well or it’s a completely new contact, don’t click the link

In summary, it’s difficult to know what to do with shortened URLs. You have to use discretion on what links you click, have proper antimalware software in place, and then help spread the word to educate users on the use of shortened URLs.

Top 25 URL Shorteners:

snipr.com
budurl.com
bit.ly
short.to
twurl.nl
chilp.it
fon.gs
ub0.cc
snurl.com
fwd4.me
short.ie
a.gd
hurl.ws
kl.am
to.ly
hex.io
tr.im
cli.gs
urlborg.com
is.gd
sn.im
ur1.ca
tweetburner.com
tinyurl.com
snipurl.com

More good resources on the topic of URL shorteners:

Leave a Reply