3 simple steps to foil URL shortener abuse: Internet Scambusters #465
An Internet technique to compact lengthy website addresses, called a URL shortener, is being used by scammers to fool people into visiting malicious websites.
Many users don't realize this because they don't know what a URL shortener is and how to recognize the output of one.
In this week's issue, we explain in simple terms what it is, how it works, how to spot that one has been used and how to foil the attempt to fool you.
Let's check out today's...
How to Spot and Stop a URL Shortener Scam
Unless you're a "techie," you may not know what a "URL shortener" is, but most of us -- Internet surfers, users of social networks and even emailers -- use them all the time without knowing it.
If you're a crook, the fact that we use them without knowing is very useful because it means if they can tamper with them, they can load malware onto our PCs, also without us knowing.
So, what is a URL shortener?
Well, take a look at the address bar in your Internet browser. You may have typed in the web address you're visiting yourself -- like www.scambusters.org. That's a URL -- or Uniform Resource Locator -- and it's the very precise information the Internet needs to take you to the right place.
But sometimes the URL appears in the address bar after you've clicked a link in an email or on a web page.
It tells you where you're at but oftentimes, looking at the gobbledygook that appears there, you're none the wiser.
You might recognize the first bit of the address but, likely as not, the remainder is a long jumble of meaningless letters, numbers and slashes.
Now, what happens if you want to copy and paste that link into an email, other document or a social networking site?
It looks a mess, sometimes several lines long. And, if you're using Twitter, that URL is often too long to even fit in a "tweet."
Enter the URL shortener. This is a simple, free application you'll find on several sites that reads in that long line, stores it on a computer server, and returns to you a much shorter URL that links to the full address.
You can do this yourself by visiting one of those sites -- tinyurl.com and bitly.com are two of the better known ones -- and pasting in a long address. In a second you'll have your shortened version that you can send to others.
Here's one we set up for Scambusters: http://tinyurl.com/mv8nmv (though in this case, of course, it's longer than scambusters.org!)
These days, some applications, especially those that support Twitter, automatically do the shortening for you.
It's a great space saver and super-convenience, yes?
Well, up to a point it is, but according to Symantec, the Norton Internet Security firm, scammers are using the URL shortener technique to circulate massive amounts of malware.
The attraction to the crooks is that people who receive shortened URLs can't see where they came from or where they're going to.
Just like the genuine item, the recipient of a malicious shortened URL simply clicks on the link and goes to wherever the real web page is -- in this case a page that automatically tries to infect the victim's computer.
Most recently this type of nasty link has cropped up in emails claiming to notify recipients of a canceled cash transfer, but clicking on it just leads to a malware infested page.
Most of the legitimate URL shortening services are onto the crooks and have implemented security measures to try to halt the abuse.
For instance, the tinyurl.com service offers users who are trying to shorten URLs the ability to set up a preview that will show recipients what the true address is before they go there.
So, for our earlier example, visiting http://preview.tinyurl.com/mv8nmv enables you to see our real address and visit us from that page.
Needless to say, the scammers get around these and other types of security measures by creating their own URL shortening service.
To counter these, several other websites now offer a URL lengthening service, enabling you to paste in the link you got and see exactly where it leads to.
Again, there are several of these, including knowurl.com and longurl.com (try pasting in that http://tinyurl.com/mv8nmv link there to reveal Scambusters again).
As you can see, it's turning into something of a cat and mouse game but there's no doubt that URL shortener abuse is going to be with us for some time.
Symantec blogger Nick Johnston comments on the phony bank transfer cancellation notification: "We saw hundreds of unique shortened URLs being used to link to this malware, and expect to see malware authors using this technique in the future."
Foiling this URL shortener abuse is a matter of taking three simple steps:
1. Be wary of any link that appears to be the output of a URL shortener. Basically, if the address is very short, comes to you in an email or appears on a website yet doesn't use recognizable words, it has probably been shortened.
2. If you have any doubts about the origin, copy and paste the link into one of the URL lengthening sites. For a fuller list than the ones we've provided, just initiate a web search for the words "URL lengthener."
3. Ensure your Internet security software is up-to-date. That way, if you do land on a malicious page, your software should alert you and block any attempts to upload malware.
In any case, you should always glance at the address bar when you arrive at a page via a link (rather than an address you keyed in), to make sure you know and understand exactly where you are.
And, of course, if you decide to use a URL shortener yourself to send a link to someone else, choose one of the well-known services (again you can do a search for these) and opt to generate a preview, so that those you send it to will be able to check it out for themselves.
That's all for today -- we'll see you next week.