Brown Hat Security - Weak Links: URL Shorteners

URL shortening services are a ubiquitous part of the internet now, with everyone and his brother coming up with a way to contract long addresses into something shorter and more suited for entering into a tablet or mobile phone. Unfortunately, this convenience comes at a cost, and some bad actors have found ways to use URL shorteners to your disadvantage.

A whitepaper on the subject came out today, wherein a number of researchers looked into one specific subset of URL shorteners: those used for advertising. While web ads cause enough problems on their own, these ad-driven URL redirectors come with a set of problems unique to their use.

First, URL shorteners hide the nature of the link that they're directing traffic to, meaning that any kind of offensive or dangerous content could be behind the shortened link. That in and of itself is reason to use caution; there are plenty of examples where URL shorteners were used to direct traffic to malware-ridden sites or potentially used for phishing.

This can be countered easily enough if you're willing to make the effort to go to a service like longurl, which checks the redirected URL and reports back what it found at the other end.

Second, the problem of 'link rot'--when a service or a server goes down and the links that had been available are no longer available--increases with redirected URLs. Using a URL shortener to share a link can fail if the link itself goes away, but it can also fail if the shortening service goes away--two different points of failure that can cause you to lose track of the information you were looking for.
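The two checks described above (seeing where a shortened link actually ends up, and noticing when either the shortener or the destination has rotted away) can be done without ever loading the destination page. The script below is an added example, not code from this post or from the researchers' paper: it walks a redirect chain one HEAD request at a time, never following a redirect automatically and never fetching a response body, and reports the final destination or the failure mode (dead target, unreachable host, redirect loop, or a chain that is suspiciously long). The hosts in `FAKE_WEB` (`short.example`, `adgate.example`, and so on) are constructed stand-ins so the example runs offline; `http_head` is the real network fetcher you would pass in instead.

```python
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=10):
    """Issue one HEAD request and return (status, Location header).
    The redirect is not followed and no response body is downloaded."""
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx (unfollowed) and 4xx/5xx land here
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):  # DNS failure, refused, timeout
        return None, None


def expand(url, fetch=http_head, max_hops=10):
    """Walk the redirect chain starting at a short URL.

    Returns a dict with the list of hops and a status of:
      'ok'            final target answered with a non-error status
      'dead'          link rot: final target answered 4xx/5xx
      'unreachable'   a host in the chain did not answer at all
      'loop'          the chain revisited a URL
      'too_many_hops' more than max_hops redirects
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status is None:
            return {"status": "unreachable", "final": url, "chain": chain}
        if status in REDIRECT_CODES and location:
            url = urllib.parse.urljoin(url, location)  # Location may be relative
            chain.append(url)
            if url in seen:
                return {"status": "loop", "final": url, "chain": chain}
            seen.add(url)
            continue
        if status >= 400:
            return {"status": "dead", "final": url, "chain": chain}
        return {"status": "ok", "final": url, "chain": chain}
    return {"status": "too_many_hops", "final": url, "chain": chain}


# Constructed, offline stand-in for a shortener, an ad gate and their targets.
# All hosts are hypothetical; the table maps a URL to (status, Location).
FAKE_WEB = {
    "https://short.example/a1": (301, "https://adgate.example/go?id=7"),
    "https://adgate.example/go?id=7": (302, "/landing/7"),
    "https://adgate.example/landing/7": (302, "https://www.example.com/article"),
    "https://www.example.com/article": (200, None),
    "https://short.example/dead": (301, "https://gone.example/page"),
    "https://gone.example/page": (404, None),
    "https://short.example/loop": (302, "https://short.example/loop2"),
    "https://short.example/loop2": (302, "https://short.example/loop"),
}


def fake_head(url):
    """Offline replacement for http_head backed by the constructed table."""
    return FAKE_WEB.get(url, (None, None))


if __name__ == "__main__":
    for short in ("https://short.example/a1",
                  "https://short.example/dead",
                  "https://short.example/loop"):
        result = expand(short, fetch=fake_head)
        print(result["status"], " -> ".join(result["chain"]))
```

Run it as-is to see the three constructed cases; pass `fetch=http_head` (the default) to inspect a real shortened link. Printing the whole chain rather than just the last hop matters here: an ad-supported redirector shows up as an extra intermediate host, which is exactly what the post is warning about.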

More troubling, though, are the 'ad supported' URL redirectors that were discussed in the whitepaper linked above. These are like the regular URL shorteners, except that they pop up a mandatory advertisement and a wait time before directing you to your final destination, in an attempt to force you to watch the ad before getting the content that you wanted. Forbes.com has a 'welcome' screen along those lines.

Not only are these ad-supported redirectors hiding the final destination of links, but they also may be serving malicious advertisements. Worse still, they're an economical choice for bad actors who seek to gain new recruits for their army of bots.

The researchers found that a guaranteed number of 'impressions'--that is, users who would see the ad--could be bought for a negligible sum. One service, for instance, charged $5 for 1000 US visitors, or $1 for 1000 worldwide visitors.

The researchers also found that about a quarter of the people who followed those links were using computers with outdated software that was likely to be vulnerable to at least one common exploit, and who would thus have been infected had whoever bought the traffic chosen to attack them.

This makes these kinds of URL redirectors a very valuable resource for the aspiring bot herder, or for anyone else involved in the economy of compromising computers for profit.

How do you remain safe?

Be careful when following links, and use a resource like longurl if you are suspicious of a link that someone has sent you. If possible, choose to give the direct URL of the item that you are sharing to someone rather than using a redirector. Use only non-ad-supported redirectors from reputable services--Twitter's t.co, McAfee's mcaf.ee, and the venerable bit.ly are usually reliable.

As always, make sure your computer is patched and updated with the latest updates from your OS vendor, and that any programs you might use to view web-related content (flash, acrobat, etc.) are fully up-to-date.

Redirected links are a weak link in your chain of security; avoid them if you can.

Sources:

http://maggi.cc/static/assets/publications/2014_nikiforakis_maggi_rafique_joosen_kruegel_piessens_vigna_zanero/paper.pdf
http://blogs.mcafee.com/mcafee-labs/short-url-services-may-hide-threats
http://unweary.com/2009/04/the-security-implications-of-url-shortening-services.html
http://www.securelist.com/en/analysis/204792068/The_economics_of_Botnets?print_mode=1