URL shortener services, whether web-submission forms or embedded capabilities in blogs and Twitter, are a blessing because they take a long hyperlink and make it smaller and convenient for messaging services with character limits. They are a bane because the shortened URL obfuscates the original URL. Shortened URLs are as useful to phishers or spammers as they are to tweeters, bloggers, and email users, because:
- the shortened URL conceals the original, spammy/phishy URL from users (this is the same effect that spammers and phishers hope to achieve by embedding URLs in HTML email)
- users may believe that their shortener service is trustworthy, or
- that all services take measures to prevent a spam or phish URL from being shortened.
The sad reality is that popular URL shortener services come up short when it comes to generating "safe" short URLs.
Safely Testing Shortened URLs
In March 2011, I ran a greatly simplified set of checks based on the testing reported by StopTheHacker in February 2010. First, I went to SURBL and grabbed the list of services that claimed to use SURBL block lists. Some of these were sign up sites, so I chose additional URL shortener services from lists enumerating the most popular services [1, 2] to get to a nice round 11 (a baker's ten?). I then identified 4 malicious URLs from SURBL, PhishTank, and Spamhaus and tried to shorten these 4 URLs using each of the 11 services.
The results are summarized in the table below. You'll note that some services claim to use SURBL but did not block the SURBL URL. These services may have changed their practice and did not inform the SURBL team, or perhaps they cache block lists rather than perform checks each time they shorten a URL. You'll also note that some services block fresh Spamhaus spam URLs but not suspended domains. It's possible that some services will convert a correctly formed URL without checking whether the domain is spammy/phishy or even whether the domain name resolves. Since "allowed" is not a desirable result, I didn't pursue this further.
Service | Uses SURBL | SURBL-listed Domain | URL listed on Phishtank | Suspended Domain on Spamhaus DBL | Spamhaus DBL (fresh spam)
bit.ly | YES | allowed | allowed | allowed | allowed
cli.gs | ? | blocked | blocked | blocked | blocked
Delivr.com | YES | blocked | allowed | blocked | blocked
goo.gl | NO | allowed | allowed | allowed | allowed
is.gd | YES | blocked | allowed | blocked | blocked
notlong.com | YES | blocked | allowed | blocked | blocked
ow.ly | ? | allowed | blocked | allowed | allowed
safe.mn | YES | blocked | blocked | blocked | blocked
snipURL.com | YES | blocked | allowed | allowed | allowed
TinyURL.com | YES | allowed | allowed | allowed | blocked
x.co | NO | allowed | allowed | allowed | allowed
Notes:
allowed indicates that the service did not prevent the shortening of a block listed URL.
allowed indicates that the service allows shortening of a block listed URL but warns that the link is possibly abusive.
blocked indicates that the service detected and prohibited shortening of a block listed URL.
If you want to run the tests again, or against your favorite service, here are the URLs I used:
SURBL-listed domain tested: myrxrefillonline.com
URL listed on Phishtank: this was a verified phish at time of testing
http://blizzard.warcraft.info-management-review.net/securityconfirm.html
Suspended domain listed on Spamhaus DBL: pupmypzed.ru
(this domain was on DBL and did not DNS resolve at time of testing)
Spamhaus DBL (fresh spam 3/27/11): rxpillsxad11.ru
(this domain was on DBL and still DNS resolving at time of testing)
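The check I ran by hand above, expressed as code so that a shortener could run it before minting a link, or a reader could rerun it against the four test URLs. This is an added example, not code from the original post or from any of the services tested. It consults SURBL and the Spamhaus DBL over DNS, which is the lookup interface both lists document (a name under multi.surbl.org answers 127.0.0.x with a bitmask, a name under dbl.spamhaus.org answers 127.0.1.x with a category code), and it also records whether the domain still resolves, since a suspended domain may be listed yet no longer exist. The code meanings, the walk up from a subdomain to its parent domains, and the injectable resolver are my assumptions, not part of the post:

```python
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

# Added example: a pre-shortening block-list check of the kind the post performs by hand.
# Assumption: return-code meanings below follow the lists' public documentation; anything
# unrecognised is still reported as listed, with an unknown category.
SURBL_ZONE = "multi.surbl.org"   # answers 127.0.0.x, x = bitmask of SURBL sub-lists
DBL_ZONE = "dbl.spamhaus.org"    # answers 127.0.1.x, x = DBL category code
SURBL_BITS = {8: "PH (phishing)", 16: "MW (malware)", 64: "ABUSE", 128: "CR (cracked)"}
DBL_CODES = {2: "spam", 4: "phish", 5: "malware", 6: "botnet C&C",
             102: "abused legit spam", 103: "abused spammed redirector",
             104: "abused legit phish", 105: "abused legit malware",
             106: "abused legit botnet C&C"}

# A resolver maps a name to its first A record, or None if the name does not resolve.
# The live one below uses the system resolver; tests can pass a dict's .get instead.
Resolver = Callable[[str], Optional[str]]


def dns_resolver(name: str) -> Optional[str]:
    """Live lookup; NXDOMAIN and network errors both come back as None."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare domain name is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def candidate_domains(host: str) -> List[str]:
    """The host and each shorter suffix down to two labels, so a listing of the
    registered domain is found when the URL uses a subdomain. IP-literal hosts are
    skipped (SURBL expects reversed octets for those). Simplification: no public
    suffix list, so a registered domain under e.g. co.uk would be cut too short."""
    if ":" in host or all(part.isdigit() for part in host.split(".")):
        return []
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def lookup(host: str, zone: str, prefix: str, resolve: Resolver) -> Optional[int]:
    """Last octet of the first list answer for the host or a parent domain, else None."""
    for domain in candidate_domains(host):
        answer = resolve(f"{domain}.{zone}")
        if answer and answer.startswith(prefix):
            return int(answer.rsplit(".", 1)[1])
    return None


def check_url(url: str, resolve: Resolver = dns_resolver) -> Dict[str, object]:
    """Classify a URL the way the post's table does: 'blocked' if either list flags
    its domain, otherwise 'allowed'; also report whether the domain still resolves."""
    host = host_of(url)
    surbl_code = lookup(host, SURBL_ZONE, "127.0.0.", resolve)
    dbl_code = lookup(host, DBL_ZONE, "127.0.1.", resolve)
    surbl: List[str] = []
    if surbl_code is not None:
        surbl = [name for bit, name in SURBL_BITS.items() if surbl_code & bit] or ["unknown"]
    dbl = None if dbl_code is None else DBL_CODES.get(dbl_code, f"unknown ({dbl_code})")
    return {
        "host": host,
        "resolves": resolve(host) is not None,
        "surbl": surbl,
        "dbl": dbl,
        "verdict": "blocked" if (surbl or dbl) else "allowed",
    }


if __name__ == "__main__":
    # The four test URLs from the post; answers reflect the lists' state when you run this.
    for test_url in [
        "myrxrefillonline.com",
        "http://blizzard.warcraft.info-management-review.net/securityconfirm.html",
        "pupmypzed.ru",
        "rxpillsxad11.ru",
    ]:
        print(check_url(test_url))
```

A service that runs check_url before shortening would refuse (or at least warn on) anything with a "blocked" verdict; note that a cached copy of the lists, which the post suspects some services use, is exactly what the live DNS query avoids.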
Irrespective of whether you test other services or just review the list, I encourage you to go green and use one of the services that pass at least three of the four checks I ran.
Some of you may ask, "Should I trust services that allow me to peek at or preview the original URL?" Previewing is a nice feature, and it's offered by SnipURL.com, TinyURL.com, YATUC.com, bit.ly, is.gd, delivr.com, and safe.mn.
Preview at least gives you the same opportunity to stop, look, connect that many email clients offer, but it's not an adequate substitute for checking URLs before shortening.
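What a preview feature does for the reader can also be done by hand: ask the shortener for its redirect and read the Location header without fetching the destination. The following is an added example, not code from the original post or from any of the shortener services named above; the fetcher interface, the one-hop default and the sample short links in the comments are my assumptions:

```python
from http.client import HTTPConnection, HTTPSConnection
from typing import Callable, List, Optional
from urllib.parse import urljoin, urlsplit

# Added example: preview where a short link leads without visiting the landing page.
# Each hop is a single HEAD request that does not follow redirects; only the
# Location header is read, and no response body is ever fetched.

# A fetcher returns the Location header of a redirect response, or None when the
# URL does not redirect or cannot be reached. Tests can pass a dict's .get instead.
Fetcher = Callable[[str], Optional[str]]


def head_location(url: str, timeout: float = 5.0) -> Optional[str]:
    """One HEAD request to the URL's own host; Location for a 3xx answer, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    conn_cls = HTTPSConnection if parts.scheme == "https" else HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    except OSError:
        return None
    finally:
        conn.close()


def expand(short_url: str, fetch: Fetcher = head_location, max_hops: int = 1) -> List[str]:
    """Return the redirect chain beginning at short_url.

    With max_hops=1 only the shortener itself is contacted and the destination is
    merely reported, which is what a preview page shows you. A larger max_hops also
    sends one HEAD to each intermediate host (useful when shorteners are chained).
    Stops on a non-web scheme, on a loop, or when a hop does not redirect."""
    chain = [short_url]
    current = short_url
    for _ in range(max_hops):
        location = fetch(current)
        if location is None:
            break
        target = urljoin(current, location)  # Location may be relative to the hop
        chain.append(target)
        if urlsplit(target).scheme not in ("http", "https") or target in chain[:-1]:
            break  # never contact non-web schemes; never follow a loop
        current = target
    return chain


if __name__ == "__main__":
    import sys
    # Pass a short link on the command line; example.com (the default) does not redirect.
    for hop in expand(sys.argv[1] if len(sys.argv) > 1 else "http://example.com/", max_hops=3):
        print(hop)
```

The last entry of the chain is the URL you would have landed on; it can then be checked against a block list before anyone clicks, which is the "check before shortening" step the post asks the services themselves to perform.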
Great post as this topic is never thought of. I use url shortening services quite often but I will take care of this often as my url might also get affected.
Posted by: jaya downloads | Friday, 09 September 2011 at 08:35 AM
Thank you for the testing, it looks like I'll be using safe.mn
Posted by: TRX | Thursday, 25 August 2011 at 03:27 PM
Usually I use URL shortener services for SMO of my links. According to me it's safe but your research has created a doubt in my mind about my views. However it's really a nice informative blog, I liked your research about the topic.
Posted by: Peerland Fire Alarm | Monday, 01 August 2011 at 05:33 AM
@snipeyhead
You are so bad...
http://snipe.net
is now
http://5z8.info/worm_o0j6al_click-on-this-and-youll-be-taken-to-page-that-will-create-pop-up-windows-until-your-browser-crashes
Posted by: The Security Skeptic | Tuesday, 10 May 2011 at 06:22 PM
This is excellent advice, and very timely. I work for Symantec, and we recently released the findings of our Internet Security Threat Report, Volume 16, which found that attackers overwhelmingly leveraged the news-feed capabilities provided by popular social networking sites to mass-distribute attacks. In a typical scenario, the attacker logs into a compromised social networking account and posts a shortened URL to a malicious website in the victim’s status area. The social networking site then automatically distributes the link to news feeds of the victim’s friends, spreading the link to potentially hundreds or thousands of victims in minutes. In 2010, 65 percent of malicious links in news feeds observed by Symantec used shortened URLs. Of these, 73 percent were clicked 11 times or more, with 33 percent receiving between 11 and 50 clicks.
Posted by: Brian Modena | Tuesday, 10 May 2011 at 04:53 PM