When shortened URLs began appearing regularly on Twitter and other social media sites, I was skeptical. You can’t tell what the original website is, as you can with other embedded links. Folks you friend and follow on social media aren’t exactly trusted sources. I figured that the spreading popularity and use of shortened URLs were eventually going to make a hacker’s life easier and wreak havoc on computer networks.
My cynicism appears to be justified: new malware that has been spread via Skype incorporates a shortened URL to pass the word along.
And now there is a study by Web of Trust that found URL-shortening services are often used to drive traffic to suspicious websites. Web of Trust completed an analysis of nearly 1.7 billion shortened URL links and found that 8.7 percent of websites reached via the TinyURL service and 5.0 percent of websites reached via Bit.ly received poor ratings for “trustworthiness” and “child protection.” Also, analysis comparing the top-level domain names hosting these websites showed that the URL-shortening services are often exploited to drive traffic to loosely regulated countries where as much as 90 percent of the websites are suspicious.
The safest options when it comes to shortened URLs are to copy and paste the link into a tool that lengthens it, so you can investigate whether or not the URL points to a legitimate site, or to simply ignore the link altogether. But human curiosity gets in the way of the latter option, and too many people won’t take the time for the first one. What I wish is that someone would develop software that automatically expands the link when you rest the cursor on the shortened URL, like it does with other hyperlinks.
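The link-lengthening step described above can be automated without ever loading the destination page. The following is an added example, not code from the original post or from any URL-shortening service: it walks the redirect chain hop by hop with HEAD requests and automatic redirects disabled, so only the Location headers are read, and it stops on loops or overly long chains. The hostnames in the built-in sample chain (short.example, tracker.example) are constructed for the demonstration; the `fetch` parameter lets the same logic run against a fake chain offline or against the live network via the default fetcher.

```python
"""Expand a shortened URL hop by hop without visiting the final destination.

Added example (not from the original post). Each hop is a HEAD request with
urllib's automatic redirect handling switched off, so the tool only reads the
Location header of each 3xx response and never fetches the landing page.
"""
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib surface the 3xx response as an HTTPError
    instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """Live fetcher: HEAD the URL and return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, every 3xx (and any 4xx/5xx) arrives here.
        return err.code, err.headers.get("Location")


def expand_short_url(url, fetch=http_head, max_hops=MAX_HOPS):
    """Return (final_url, hops) where hops lists every URL in the chain.

    Raises ValueError on a redirect loop or a chain longer than max_hops,
    both of which are themselves reasons to distrust the link.
    """
    hops = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECT_CODES or not location:
            return hops[-1], hops          # no further redirect: this is the destination
        nxt = urljoin(hops[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        seen.add(nxt)
        hops.append(nxt)
    raise ValueError(f"more than {max_hops} redirects from {url}")


def describe(url, fetch=http_head):
    """One-line summary a user can read before deciding whether to click."""
    final, hops = expand_short_url(url, fetch)
    host = urlsplit(final).hostname or ""
    return f"{url} -> {final} ({len(hops) - 1} hop(s), host {host})"


# Constructed sample chain (fictitious hosts) so the example runs offline:
# a shortener redirects to a tracking hop, which redirects to the real page.
FAKE_CHAIN = {
    "https://short.example/abc": (301, "https://tracker.example/r?u=1"),
    "https://tracker.example/r?u=1": (302, "/final"),
    "https://tracker.example/final": (200, None),
}

# Constructed chain that loops back on itself, to show the loop guard.
FAKE_LOOP = {
    "https://short.example/loop": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
}


def fake_fetch(url):
    """Offline fetcher backed by the constructed chains above."""
    return FAKE_CHAIN.get(url) or FAKE_LOOP.get(url) or (404, None)


if __name__ == "__main__":
    print(describe("https://short.example/abc", fake_fetch))
    try:
        expand_short_url("https://short.example/loop", fake_fetch)
    except ValueError as exc:
        print("refused:", exc)
```

Swapping `fake_fetch` for the default `http_head` runs the same logic against a real shortened link; the final hostname is what you compare against the site you expected, and a loop or a long chain is a signal in itself.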
If it hasn’t been done already, IT and security staff should consider a policy on how employees should handle shortened URLs, and stress to employees why they need to think twice before they click on a link.
Web of Trust CEO Markus Suomi said in a release:
Certainly the URL shortening services don’t intend to point people to malicious websites, but perhaps they can do more to proactively protect their services from being exploited. These companies could automatically screen for potentially compromised website destinations, or at least inform their users when caution might be warranted before clicking on the link.