
Do URL shortener services generate "safe" URLs?

URL shortener services, whether web-submission forms or capabilities embedded in blogs and Twitter, are a blessing because they take a long hyperlink and make it short and convenient for messaging services with character limits. They are a bane because the shortened URL obfuscates the original URL. Shortened URLs are as useful to phishers and spammers as they are to tweeters, bloggers, and email users, because:

  • the shortened URL conceals the original, spammy/phishy URL from users (this is the same effect that spammers and phishers hope to achieve by embedding URLs in HTML email)
  • users may believe that their shortener service is trustworthy, or
  • that all services take measures to prevent a spam or phish URL from being shortened.

The sad reality is that popular URL shortener services come up short when it comes to generating "safe" short URLs.

Safely Testing Shortened URLs

In March 2011, I ran a greatly simplified set of checks based on the testing reported by StopTheHacker in February 2010. First, I went to SURBL and grabbed the list of services that claimed to use SURBL block lists. Some of these were sign-up sites, so I chose additional URL shortener services from lists enumerating the most popular services [1, 2] to get to a nice round 11 (a baker's ten?). I then identified 4 malicious URLs from SURBL, PhishTank, and Spamhaus and tried to shorten these 4 URLs using each of the 11 services.

The results are summarized in the table below. You'll note that some services claim to use SURBL but did not block the SURBL-listed URL. These services may have changed their practice without informing the SURBL team, or perhaps they cache block lists rather than perform a check each time they shorten a URL. You'll also note that some services block fresh Spamhaus spam URLs but not suspended domains. It's possible that some services will convert any correctly formed URL without checking whether the domain is spammy/phishy, or even whether the domain name resolves. Since "allowed" is not a desirable result, I didn't pursue this further.

Service       Uses SURBL   SURBL-listed   URL listed     Suspended domain   Spamhaus DBL
                           domain         on PhishTank   on Spamhaus DBL    (fresh spam)
bit.ly        YES          allowed        allowed        allowed            allowed
cli.gs        ?            blocked        blocked        blocked            blocked
Delivr.com    YES          blocked        allowed        blocked            blocked
goo.gl        NO           allowed        allowed        allowed            allowed
is.gd         YES          blocked        allowed        blocked            blocked
notlong.com   YES          blocked        allowed        blocked            blocked
ow.ly         ?            allowed        blocked        allowed            allowed
safe.mn       YES          blocked        blocked        blocked            blocked
snipURL.com   YES          blocked        allowed        allowed            allowed
TinyURL.com   YES          allowed        allowed        allowed            blocked
x.co          NO           allowed        allowed        allowed            allowed

Notes:

  • allowed indicates that the service did not prevent the shortening of a block-listed URL.
  • allowed (with warning) indicates that the service allows shortening of a block-listed URL but warns that the link is possibly abusive.
  • blocked indicates that the service detected and prohibited shortening of a block-listed URL.

If you want to run the tests again, or against your favorite service, here are the URLs I used:

SURBL-listed domain tested: myrxrefillonline.com

URL listed on PhishTank (a verified phish at time of testing):
http://blizzard.warcraft.info-management-review.net/securityconfirm.html

Suspended domain listed on Spamhaus DBL: pupmypzed.ru
(this domain was on DBL and did not DNS resolve at time of testing)

Spamhaus DBL (fresh spam, 3/27/11): rxpillsxad11.ru
(this domain was on DBL and was still DNS resolving at time of testing)
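As an added example (not code from this post or from any of the services tested), here is the kind of check a shortener can run before issuing a short code: a DNS lookup of the candidate domain against SURBL and the Spamhaus DBL, the two DNS-queryable lists used above. The zone names are the lists' public query zones; the offline resolver, its listing codes and the simplified `registrable_domain` helper are constructed for the example, and PhishTank is left out because it is a URL list with an HTTP API rather than a DNS zone.

```python
import hashlib
import socket
from urllib.parse import urlsplit

# DNS-based URI block lists: a query for "<domain>.<zone>" answers with an
# address in 127.0.0.0/8 when the domain is listed and NXDOMAIN otherwise.
SURBL_ZONE = "multi.surbl.org"
DBL_ZONE = "dbl.spamhaus.org"

def registrable_domain(url):
    """Host part of a URL reduced to its last two labels (a simplification:
    real SURBL/DBL lookups consult a public-suffix list for multi-label TLDs)."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = [part for part in host.split(".") if part]
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def dnsbl_listed(domain, zone, resolve=socket.gethostbyname):
    """True when <domain>.<zone> resolves to a 127.x.x.x listing code."""
    try:
        return resolve(f"{domain}.{zone}").startswith("127.")
    except OSError:  # NXDOMAIN or resolver failure: treat as not listed
        return False

def check_before_shortening(url, resolve=socket.gethostbyname):
    """'blocked', 'allowed' or 'invalid', the outcomes used in the table above."""
    domain = registrable_domain(url)
    if domain is None:
        return "invalid"
    if any(dnsbl_listed(domain, zone, resolve) for zone in (SURBL_ZONE, DBL_ZONE)):
        return "blocked"
    return "allowed"

def shorten(url, resolve=socket.gethostbyname):
    """Issue a short code only when the block list check passes."""
    if check_before_shortening(url, resolve) != "allowed":
        return None
    return hashlib.sha256(url.encode()).hexdigest()[:7]

# Constructed offline stand-in for live DNS, seeded with three of the four
# domains the post tested (PhishTank is a URL list, not a DNS zone).
FAKE_LISTINGS = {
    "myrxrefillonline.com.multi.surbl.org": "127.0.0.8",
    "pupmypzed.ru.dbl.spamhaus.org": "127.0.1.2",
    "rxpillsxad11.ru.dbl.spamhaus.org": "127.0.1.2",
}

def fake_resolve(name):
    if name in FAKE_LISTINGS:
        return FAKE_LISTINGS[name]
    raise socket.gaierror(-2, name)
```

Calling `check_before_shortening(url)` without the second argument performs live lookups with the system resolver, so a domain that is listed at query time returns "blocked" whether or not it still resolves, which is the gap the suspended-domain test above exposes.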

Irrespective of whether you test other services or just review the list, I encourage you to go green and use one of the services that passed at least 3 of the four checks I ran.

Some of you may ask, "Should I trust services that allow me to peek at or preview the original URL?" Previewing is a nice feature, and it's offered by SnipURL.com, TinyURL.com, YATUC.com, bit.ly, is.gd, delivr.com, and safe.mn.

Preview at least gives you the same opportunity to stop, look, connect that many email clients offer, but it's not an adequate substitute for checking URLs before shortening.

Comments


Great post as this topic is never thought of. I use url shortening services quite often but I will take care of this often as my url might also get affected.

Thank you for the testing, it looks like I'll be using safe.mn

Usually I use URL shortener services for SMO of my links. According to me it's safe, but your research has created a doubt in my mind about my views. However, it's really a nice informative blog; I liked your research about the topic.

@snipeyhead

You are so bad...

http://snipe.net

is now

http://5z8.info/worm_o0j6al_click-on-this-and-youll-be-taken-to-page-that-will-create-pop-up-windows-until-your-browser-crashes

This is excellent advice, and very timely. I work for Symantec, and we recently released the findings of our Internet Security Threat Report, Volume 16, which found that attackers overwhelmingly leveraged the news-feed capabilities provided by popular social networking sites to mass-distribute attacks. In a typical scenario, the attacker logs into a compromised social networking account and posts a shortened URL to a malicious website in the victim’s status area. The social networking site then automatically distributes the link to news feeds of the victim’s friends, spreading the link to potentially hundreds or thousands of victims in minutes. In 2010, 65 percent of malicious links in news feeds observed by Symantec used shortened URLs. Of these, 73 percent were clicked 11 times or more, with 33 percent receiving between 11 and 50 clicks.
