URL-shortening scams have been around for a while, but it looks like spammers are taking it to a new level. Apparently, there is now a "spam gang" that has at least 80 public URL-shortening sites available for anyone to use.
This new tactic was mentioned in the October 2011 Symantec Intelligence Report. According to a post at CBR:
The company said that during 2010, 92% of spam emails contained URLs and the use of shortened links makes it harder for traditional anti-spam countermeasures to block the messages based on fingerprinting the URL. . . . Spammers are preying on the knowledge that many people are familiar with shortened links through their use in social media, and have developed a false sense of security about them, said Symantec.
If you've read my blog before, you know that I'm not a fan of URL-shortening sites. I don't like that you can't easily check the legitimacy of the link. But they have become ubiquitous in social media, so it is with no great surprise that spammers have decided to exploit the increasing use of the URLs. And perhaps it is also no great surprise that anti-spam tools aren't very good at catching the spam URLs. As Bradley Anstis, VP of technical strategy at M86 Security, told me in an email:
A lot of the traditional anti-spam engines were developed before Twitter, so they are not geared up to recognize embedded URLs as seen in blended email threats in spam, let alone shortened URLs that link to malicious or compromised webpages. The evidence that spammers have developed their own URL shortening service is yet another example of cybercriminals adopting new technology and using this to bypass traditional security measures.
So far, it appears that these public spam URL-shorteners are primarily used by spammers to send out links to spam sites. Symantec thinks these sites are public right now because the spammers are lazy or maybe because they want the sites to appear legitimate.
If an employee should stumble upon one of these public spam URL-shortening sites and use it for legitimate correspondence, the correspondence could be flagged as spam, which could block your message from getting through to your customers.