Shortened URLs Drive Need for New Security

Symantec has released the July 2010 MessageLabs Intelligence Report which contains the usual interesting and relevant facts regarding trends in spam and malware. Of particular interest in this report, though, is the fact that attacks exploiting shortened URLs have skyrocketed, and that a new approach is needed to protect against the rising threat.

Symantec's July 2010 MessageLabs Intelligence Report shows a sharp rise in attackers using shortened URLs
A Symantec spokesperson clarified the shortened URL issue in an e-mail, stating that the MessageLab report "reveals that the percentage of spam using shortened URLs has increased in the last year, from 9.3 percent to 18 percent of all spam at its peak.   The average volume of spam containing shortened URLs has also increased, with this type of spam appearing in more 0.5 percent of spam on 43 days in the past four months."

Sending URLs in email or instant messaging communications has always been problematic. Some URLs are excessively long--resulting in a bunch of gibberish in the message, and end up broken--rendering them useless for the recipient anyway unless the user wants to manually copy and paste or type in the part of the URL that got cut off.

Social networking sites--especially Twitter with its 140-character message limitation--have driven the use of URL shortening services. Services like Bit.ly and TinyURL take the long URL and replace it with a much shorter alias URL. The net result is a URL that is much less cumbersome to communicate, but that hides the real URL behind it. Attackers can take advantage of the shortened alias to link to malicious sites.

"As far as spammers are concerned, any tactics that make it harder to block their spam emails are going to be exploited," said Paul Wood, MessageLabs Intelligence Senior Analyst at Symantec Hosted Services.

Wood added "When spammers include a shortened URL in spam messages, these shortened hyperlinks contain reputable and legitimate domains, making it harder for traditional anti-spam filters to identify the messages as spam based on the reputation of the domains found in the spam emails."

One solution would be for spam filters and antimalware software to take the extra step of analyzing and validating the site behind the shortened URL. If the security software recognizes a shortened URL by its domain, such as bit.ly, it can follow the link and determine if the site it leads to is legitimate.

The downside of this approach is that it could significantly impact the amount of time it takes to open Web pages once you click on a shortened URL, as well as the time it takes to scan and process incoming e-mails or instant messages to ensure they don't contain spam or malware. Not only would it be another step for the filtering engine to go through, but the ability to process that step quickly would depend on how fast the software could actually connect to the site behind the shortened URL.

Until or unless such security measures are in place, users and IT admins simply need to be aware of the increased threat posed by shortened URLs and exercise more discretion and common sense when clicking on them.

You can follow Tony on his Facebook page, or contact him by email at tony_bradley@pcworld.com. He also tweets as @Tony_BradleyPCW.

Subscribe to the Security Watch Newsletter

Comments