Beware of Shortened URLs in Phishing Scams

Uniform Resource Locators—URLs to you and me—are of course nothing more than web addresses, and they’re a valuable content sharing tool. Back in the day, no one thought much of long URL links; it’s just the way things were. But today, we like our links to be neat and tidy. URL shorteners were created to solve this problem. Now, it’s not uncommon to find a “shortened URL” in place of the longer links of yesteryear. But proceed with caution when clicking a shortened URL; phishing scams can be lurking within the link.

History of the Shortened URL

Created in 2002, TinyURL was the first URL shortener. Creator Kevin Gilbertson’s idea was simple: plug in a long URL, such as the Google Maps address for the Empire State Building...

https://www.google.com/maps/d/u/0/viewer?gl=US&ie=UTF8&oe=UTF8&msa=0&mid=1qqg24F8Al_Uq2Bieu9cDHur_Cas&ll=40.748492%2C-73.98569900000001&z=17

...and voila! TinyURL gives you just what it promises—a tiny URL—directing you to the exact same page (feel free to check the links!):

https://tinyurl.com/yxkt9hth

Gilbertson has stated that he wasn’t out to cash in, but simply was looking to solve a problem (such as the fact that in emails, URLs that couldn’t fit on a single line would often have an automatic break inserted into them, resulting in an error message when clicked). Little did he know, but his simple yet innovative creation was about to start a URL revolution. Soon, dozens of similar URL shortening websites began popping up.

URL shorteners really grew in popularity with the advent of Twitter in 2006. With tweets limited to a mere 140 characters (at the time), this posed a real problem when senders wanted to include a link that took up half or all of their character count. So of course, they used shortened URLs as a work-around.

TinyURL was the Twitter URL shortener of choice, until Bitly came along. Bitly recognized an opportunity to not just shorten URLs, but include analytics on the number of clicks the link received. This was a boon for marketers, and Twitter quickly switched over to Bitly links, which now lead the market as the number one URL shortener (this hasn’t stopped others from getting into the game, however, such as Google’s goo.gl and YouTube’s youtu.be).

The Problem with Shortened URLs

As with any nice thing, cybercriminals eventually began to exploit URL shorteners with phishing scams.

When URL shorteners condense a link, the actual domain name of the site recipients will be directed to is obscured behind random letters and numbers. There is nothing in those random characters to let the recipient know they’re clicking a malware link or being directed to a spoofed page where credentials can be stolen. While this would make some people hesitant to click, phishers knew the vast majority of people don’t know better, or can’t resist, so malicious shortened URLs began appearing in phishing emails and on social posts.

“We’ll have none of that!” said URL shorteners.

So, TinyURL and others introduced a slightly longer link option that gives recipients a preview of where they will be directed. The link below shows the preview page for the Empire State Building example from earlier:

https://preview.tinyurl.com/yxkt9hth

Of course, this adds an extra step that many senders don’t want to include as it can hurt their analytics. Link expansion services also popped up, such as CheckShortURL, in which recipients of a short link could plug in the shortened URL to see if it’s a valid destination or a phishing scam, but again this is a step many aren’t going to take—and phishing scam artists know it.
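The preview page and link-expansion services described above all do the same basic thing: resolve the shortener’s redirect chain without visiting the final page, then show the real destination. The script below is an added example (not code from the original post or from Clearedin) of that check as a defender would automate it. It does not touch the network: the `fetch_location` function and the `CONSTRUCTED_REDIRECTS` table are constructed stand-ins for a HEAD request with automatic redirects disabled, and the hostnames in that table are made up. The shortener domain list is taken from the post itself.

```python
"""Expand a shortened URL by walking its redirect chain one hop at a time,
then report where it actually lands.

Added example for illustration, not code from the original post or from
Clearedin. `fetch_location` is an assumption: in real use it would issue a
HEAD request with redirects disabled and return the Location header. Here a
constructed in-memory table stands in for the network so the example runs
offline.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample redirect table (hostnames other than the shorteners are
# made up): one alias resolves to a map page, one passes through a tracker
# and a relative Location to a look-alike login host, and one loops forever.
CONSTRUCTED_REDIRECTS = {
    "https://tinyurl.com/yxkt9hth": "https://www.google.com/maps/d/u/0/viewer?mid=example",
    "https://bit.ly/abc123": "https://trk.example-tracker.net/go?x=1",
    "https://trk.example-tracker.net/go?x=1": "/landing",  # relative Location
    "https://trk.example-tracker.net/landing": "https://accounts-google.example-phish.com/login",
    "https://bit.ly/loop1": "https://bit.ly/loop2",
    "https://bit.ly/loop2": "https://bit.ly/loop1",
}

# Shortener domains named in the post; a real deployment would keep a fuller list.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "goo.gl", "youtu.be"}


def fetch_location(url):
    """Stand-in for a HEAD request with redirects disabled.

    Returns the Location header the server would send, or None when the URL
    is a final page (no redirect).
    """
    return CONSTRUCTED_REDIRECTS.get(url)


def expand(url, fetch=fetch_location, max_hops=10):
    """Follow redirects manually and return (final_url, chain, status).

    chain is every URL visited, starting with the input. status is "ok" when a
    non-redirecting page is reached, "loop" when a URL repeats, and
    "too_many" when max_hops is exceeded (both are suspicious on their own).
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        location = fetch(current)
        if location is None:
            return current, chain, "ok"
        # Location may be relative; resolve it against the current URL.
        nxt = urljoin(current, location)
        if nxt in chain:
            return nxt, chain, "loop"
        chain.append(nxt)
        current = nxt
    return current, chain, "too_many"


def assess(url, trusted_hosts, fetch=fetch_location):
    """Summarise a link the way a preview page or mail filter would."""
    final, chain, status = expand(url, fetch)
    final_host = urlsplit(final).hostname or ""
    return {
        "final_url": final,
        "status": status,
        "hops": len(chain) - 1,
        "via_shortener": any(
            (urlsplit(u).hostname or "") in KNOWN_SHORTENERS for u in chain
        ),
        "final_host_trusted": status == "ok" and final_host in trusted_hosts,
    }


if __name__ == "__main__":
    trusted = {"www.google.com"}
    for link in ("https://tinyurl.com/yxkt9hth", "https://bit.ly/abc123", "https://bit.ly/loop1"):
        print(link, "->", assess(link, trusted))
```

The important design choice is that the resolver never performs a GET on the final URL: it only reads Location headers, so the check itself cannot trigger a drive-by download. A loop or an unusually long chain is reported as its own status rather than being silently truncated, because both patterns are worth flagging even before the destination host is examined.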

Protection Against Shortened URL Phishing Scams

To combat phishing scams that use shortened URLs, experts point out that people should just quit using them completely, citing the following reasons:

  • People may report a legitimate shortened link as spam, leading URL shortener sites to disable them.
  • Long URLs on Twitter no longer take up more characters than shortened URLs.
  • Most social sites provide an analytics page so you can see how many people engaged with your link whether it’s short or long.

Despite the logic of this, people will continue to use shortened URLs and bad guys will continue to take advantage of this. Thankfully, there’s another way to protect yourself: anti-phishing software (like Clearedin).

Clearedin phishing protection software works in the background, assessing emails to determine whether they pose a threat. It validates emails against a social trust graph, and checks embedded links, including shortened URLs, analyzing them for malware and other phishing scams.

Let’s face it, long links aren’t pretty and they’re not always practical; Hotels.com even made a viral campaign highlighting how ridiculous they are, creating the longest URL in existence, which clocks in at 2,083 characters. Because they’re such an eyesore, URL shorteners will continue to be used and people will continue to click. To ensure your protection from phishing attacks utilizing shortened URLs, employ a service such as Clearedin. Talk to us today to learn how easy it is to get started.
