Spammers have created their own services to shorten URLs (uniform resource locators) in an apparent attempt to circumvent security measures in place at well-known shortening websites, according to Symantec.
So far, some 87 URL shortening sites have been set up by spammers, said Nick Johnston, a senior software engineer at Symantec. The spammers have used an open-source URL shortening script and have not built the code themselves. The shortened links are only appearing in spam emails that advertise pharmaceutical products at sites such as “Pharmacy Express,” he said.
In May, Symantec noticed some spammers were using their own shortened URLs, but further investigation showed it was actually just a website that appeared to be a shortened URL but then redirected people to the spam websites. This is the first time the spammers have employed a real URL shortener, Symantec said in its latest intelligence report for October. Why the sites have been left public is unknown.
All of the websites that are advertised in the spam runs, which are on several different IP addresses, are hosted by a U.K. division of a hosting company, which Johnston declined to identify. The company has been notified, but many of the spam sites are still online, he said. All of the domain names were registered in Russia, he said.
Shortened URLs are a bit of a problem when they’re abused since users can’t easily tell if they are being redirected to a website that might try to infect their computer with malicious software.
The shorter URLs are necessary on sites such as Twitter, when users need the space because of the 140-character limit. To combat abuse, Twitter has introduced its own shortening service, which checks to see if the target is a potentially dangerous website and listed on security blacklists. It also changed the way the shortened links are displayed to give users a better idea of where they are going.
Other major URL shortening companies will remove malicious shortened links if it is determined the links could be harmful. Another method is to warn users they may be going to an attack site.
Johnston said it is quite easy to block the shortened links, since many follow a consistent pattern, such as 3xy.info, and seem only to be used for spam. Since the shortening services don’t appear be used legitimately, there’s “no risk of false positives by blocking them outright,” Johnston said.
The shortening technique might help a bit in getting messages past spam filters if the spammer sends out a very large run of spam with a large set of domains. But more likely that not, the technique won’t be that effective.
“You will probably accept as a spammer in less than a day all of those domains will probably be blocked, but that could be an acceptable tradeoff for them,” Johnston said.