URL shorteners represent a new threat

Services that shorten URLs have become massively popular in the Twitter era, but managing the security risks they introduce has become an increasing challenge.

Sites like






-- which convert lengthy URLs into shorter redirects -- have long been used to make complex addresses more presentable in email. However, the growth in popularity of social networking site Twitter, which imposes a 140-character limit on messages, has seen their usage skyrocket.


Whenever there's a mass change in online behaviour, hackers are rarely far behind. It's long been recognised that URL shortening services can pose a security threat, but in recent months their use as a means to distribute malware and divert Internet users to unwanted sites has massively increased.


Analysis by Symantec content and email security division MessageLabs suggests that in the last month, the Donbot botnet has been regularly exploiting shortened URLs. In one day, 10 billion messages featuring shortened URLs promoting online medication sites were distributed via Donbot, according to MessageLabs' August 2009 intelligence report.


The challenge which shortened URLs pose is that they're not readily recognisable as inappropriate links that can be excluded via a blacklist. "You've got legitimate domains being used, which makes your anti-spam systems very vulnerable," Paul Wood, senior analyst for MessageLabs, told SearchSecurity ANZ. "If you start blocking based on domain, there'll be a lot of collateral damage. For your average user, it becomes almost impossible. Even from an enterprise anti-spam perspective, having databases that are up-to-date is very difficult."

Current anti-spam systems may be able to block those messages, but analysis of the actual content of shrunk URLs isn't likely to play a major part. "In a SAAS model, we can track a lot more information, rather than just relying on the domains," Wood said. "You can rank IP addresses and headers and use that to form an opinion. In the cloud, you have lots of traffic across a lot of different ISPs and a lot of different time zones. You can make a lot more accurate judgements of whether something is likely to be spam much earlier in the conversation."


For some URL shortening services, dealing with the fallout may be fatal in business terms. "The ongoing use of shortened-URLs as a delivery mechanism has resulted in a number of URL-shortening services being forced to close their businesses due to their inability to handle the malicious use of their tools," the MessageLabs report notes. "With some providers, they're not scalable enough to respond quickly, and then they can go offline," Wood notes.


Some URL-shortening services allow users to view 'previews' before actually visiting a site. While that's a sensible precaution, no spammer is likely to choose one of those services, especially when new alternatives continue to appear. (It's also relatively straightforward to build a custom URL shortening service on any domain, though such an approach lacks the reputational advantage of using a well-known provider.)
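What a preview reveals, and why blocking on the visible domain falls short, shown as an added example that is not part of the original article. The hosts, the `REDIRECTS` table (standing in for the `Location` header each short link would return) and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data; none of these hosts appear in the article.
SHORTENERS = {"short.example"}          # well-known, legitimate shortener
BLOCKLIST = {"pills.example"}           # known spam destination
REDIRECTS = {                           # stands in for each hop's Location header
    "http://short.example/a1": "http://short.example/b2",   # chained short link
    "http://short.example/b2": "http://pills.example/buy",
    "http://short.example/c3": "http://news.example/story",
    "http://short.example/loop": "http://short.example/loop",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host(url):
    return (urlsplit(url).hostname or "").lower()


def naive_verdict(url, blocklist):
    """Domain blocklist applied to the link exactly as it appears."""
    return "block" if host(url) in blocklist else "allow"


def expand(url, lookup, max_hops=5):
    """Follow shortener hops only; return the destination URL or None."""
    seen = set()
    while host(url) in SHORTENERS:
        if url in seen or len(seen) >= max_hops:
            return None                 # redirect loop or chain too long
        seen.add(url)
        url = lookup(url)
        if url is None:
            return None                 # unknown or deleted short link
    return url


def classify(message, lookup=REDIRECTS.get):
    """Map each URL in the message to block / allow / unresolved."""
    verdicts = {}
    for raw in URL_RE.findall(message):
        url = raw.rstrip(".,;)")        # drop trailing sentence punctuation
        final = expand(url, lookup)
        if final is None:
            verdicts[url] = "unresolved"
        else:
            verdicts[url] = naive_verdict(final, BLOCKLIST)
    return verdicts
```

In a live filter, `lookup` would issue a request that does not follow redirects automatically and read the `Location` header; an "unresolved" verdict is a signal for other checks rather than a pass.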

In the long term, Wood predicts that the major URL shrinking providers will have to build in technology to handle unwanted and malicious links, just as email providers need to incorporate anti-spam systems. "I expect what we'll see over time is some consolidation in that sort of market, where major players will have technology in place to identify any abuse as it occurs."


And in the meantime? "From a spam perspective, people just need to be aware of the risks of clicking on links they haven't asked for. People need to be aware of the risks and potential dangers, especially in a social networking environment."

