This summer, spammers suddenly seized on URL shortening services as a weapon of choice.
The popularity of URL shortening services has increased in recent years – particularly with the rapid adoption of sites like Twitter, where users have a character limit placed on their messages. There are many different URL shortening sites in operation around the globe. Most allow users to post a long URL into a field and get back a short URL within their domain name. Little in the way of security – such as Captcha puzzles – is built into such sites. This makes them a valuable tool for spammers, as they can introduce e-mail recipients or individuals on peer networking sites to predatory URLs that don't appear malicious.
"The attraction from the spammers is not only is it easy to set up in advance using a number of different services for perhaps the same long URL, that will give a number of different domains that they can then use in their spam messages, and they don't have to break any Captcha in order to do that," said Paul Wood, senior analyst at MessageLabs Intelligence.
MessageLabs started seeing slight spam use of URL shortening services in April. By late June and early July, the company saw three significant spikes in such usage. On July 9, 6.2 percent of all spam was observed using URL shortening services – 9 billion messages in one day alone.
"It's become such a problem for some of these services, particularly smaller ones who are competing in a market that is very aggressive at the moment, that we've seen a number of them actually either fold or temporarily go offline when we try to remove those links from their databases," Wood said, adding that while some URL shortening sites prove able to address the problem, others don't even realize the problem is occurring.
Another advantage for spammers using URL shortening services is that anti-spam software may be rendered powerless against such messages, because that software may use domain reputation as an indicator of whether an e-mail is likely to be spam. The usual process is to look at the domains of any hyperlinks in an e-mail and check them against a database of known spam domains. A shortened link shows only the shortening service's domain, so the check never sees the destination domain, and the process is defeated.
From their emergence, URL shortening services have been criticized for obscuring the transparency of URLs, and what's being seen here illustrates why that flaw may be problematic. Such a lack of transparency is "very attractive for a bad guy, particularly if they want to cause a drive-by attack for some malware because you don't know by holding your mouse over that link where it's going to go to," Wood said. He added that savvy Web users may use plug-ins to enable them to translate any link, see where it goes and then decide whether they want to go there or not, but installing such applications goes beyond what can be expected of a typical Web user.
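The gap described above, and the link "translation" Wood mentions, can be shown in a few lines. This is an added example, not code from the article or from MessageLabs: it checks link domains against a reputation list with and without first expanding shortened links. The domains, the redirect table (an offline stand-in for following HTTP redirects) and the function names are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# All data below is constructed sample data.
SHORTENERS = {"sho.rt.example", "tiny.example"}   # known shortening services
SPAM_DOMAINS = {"pills-shop.example"}             # domain reputation database
# Offline stand-in for the redirects a shortener would return.
REDIRECTS = {
    "http://sho.rt.example/a1": "http://tiny.example/zz9",     # chained shorteners
    "http://tiny.example/zz9": "http://pills-shop.example/buy",
    "http://sho.rt.example/b2": "http://news.example/story",
    "http://sho.rt.example/loop": "http://sho.rt.example/loop",  # redirect loop
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def host(url):
    """Lower-cased host name of a URL (exact-match lookups only)."""
    return (urlsplit(url).hostname or "").lower()

def expand(url, lookup=REDIRECTS.get, max_hops=5):
    """Follow shortener redirects; return (final_url, fully_resolved)."""
    seen = set()
    while host(url) in SHORTENERS:
        if url in seen or len(seen) >= max_hops:
            return url, False          # loop or overly long chain
        seen.add(url)
        nxt = lookup(url)
        if nxt is None:
            return url, False          # shortener gave no destination
        url = nxt
    return url, True

def classify(body, expand_links=True):
    """Map each link in an e-mail body to spam / unresolved / clean."""
    verdicts = {}
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")       # drop trailing sentence punctuation
        final, ok = expand(url) if expand_links else (url, True)
        if host(final) in SPAM_DOMAINS:
            verdicts[url] = "spam"
        elif not ok:
            verdicts[url] = "unresolved"   # treat as suspicious, not clean
        else:
            verdicts[url] = "clean"
    return verdicts
```

With `expand_links=False` every shortened link passes as clean, which is the bypass the article describes; with expansion, the link that ends at a listed domain is caught and links that cannot be resolved are flagged rather than trusted.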
One prominent question is: Why would anyone click on a URL contained in a spam e-mail anyway? Wood admits this is unlikely but points out that once a spammer hacks a social networking account or creates a fake one, it's likely they'll be able to entice someone to click on a shortened, malicious link.
"The bad guys are targeting those environments by phishing for usernames and passwords so they can access legitimate accounts and then send messages to people," he said. "Or in the Twitter environment, you can create large numbers of fake profiles and on these profiles have the links just waiting, and as soon as you start following people then they're going to say, ‘Well, let's see who this person is’ – particularly if it's an attractive young girl and they're following, perhaps, adolescent young males. Then they may be more inclined to say ‘Oh, look, she's got some pictures on a Web site, let's click on that and see,’ without really thinking too much about what's actually going on."
So is this the death of URL shortening sites? They do serve a growing need in terms of microblogging, but at the same time clearly present a great deal of risk in that they allow cybercriminals to easily obscure malicious URLs.
Wood believes what will occur is a shakeout of the market based on ability to contend with this problem.
"As the market for these URL shortening services begins to stabilize and some of them fall by the wayside, you'll see the ones that come out on top being more proactive about this type of activity where they can quickly identify abuse," he said. "Then they will become more trustworthy services and have that as a value-add part of their service; saying it's much more difficult for spammers to abuse [them] than it is perhaps another service that may be a small operation that could be overwhelmed quickly."