Long Story Short: Threats Behind Shortened URLs
Short links have become an indispensable part of today’s online experience. Many Internet users click on bit.ly, ow.ly, or other links created by a URL shortener with no hesitation. However, short links can pose significant privacy and security threats that are often not considered.
They have made Internet browsing and communication in messengers easier and quicker, especially on mobile devices, improving social media sharing where the length of messages is often limited. Most people just copy and paste the automatically shortened link, and many of the popular URL shortening services allow users to customise the name of the ‘new’ web address. But herein lies the problem. Unlike traditional URLs, a shortened one does not allow a user to hover over it and see what the actual website address is. So, in most cases, you can’t be certain what is waiting for you on the other end of a shortened URL until you are there.
If cybercriminals exploit a zero-click vulnerability in the web browser, an infection can happen as soon as a user lands on the malicious website. Cybercriminals can also use link-shortening tools to change the target address as the need arises. For example, if attackers have sent out phishing messages containing a link and the phishing landing site they created is then blocked, rehosting it at a different address is not a problem when the links in their messages go through a URL shortener. Often, multiple redirects are used to further muddy the trail.
Some link-shortening tools allow tracking the actions of link clickers on the actual destination site, which is effectively a man-in-the-middle attack: traffic passes through an intermediate service node that monitors all data exchanged between the user and the destination site. Thus, the URL shortener can potentially intercept entered credentials, social network messages, and so on. What’s more, such links can be used for doxing and other types of tracking, especially if the URL shortener service offers advanced functionality.
“The best defence against cyber threats that shortened URLs may pose is a comprehensive security solution coupled with awareness and vigilance from users. Many cybersecurity breaches result from human errors and social engineering techniques, so people should keep themselves informed while organisations should consider regular educational programmes to empower employees with the knowledge and skills needed to protect a company’s data and sensitive information from hacking, phishing, or other breaches,” says Seifallah Jedidi, Head of Consumer Channel, META, at Kaspersky.
In most cases, short links intended for mass use are placed in social network posts or on web pages. But additional risks arise if one is sent to a user personally, in a messenger or in an email to a personal or work address. Using such links, an attacker who has already gathered some information about the user can redirect the potential victim to a phishing site where some personal data is pre-filled. For example, the link may lead to a copy of a banking site with a valid username and a request to enter the password, or to the “payment gateway” of some service with a personal bank card number pre-filled, asking the user to enter a security code.
Never clicking on a shortened URL is not an option given how commonplace and convenient these have become. For the most part, URL shorteners are used for legitimate purposes and are completely safe. However, since threat actors are looking to benefit from people’s trust in a service, user vigilance is important. If a link raises suspicion, is received in a recent message, or comes from an unfamiliar e-mail or unknown contact, an easy way to inspect it is to copy and paste it into a tool like GetLinkInfo or UnshortenIt.
Users can also opt to install a security solution on personal devices, while organisations can choose a suitable answer to this problem. These types of solutions will warn a user before they land on a dangerous website, even if the link was shortened, and will guard against any attempts to infect their devices, including ones exploiting as-yet-unknown vulnerabilities.