Crooks are targeting social network sites such as Twitter and Facebook with aggravating attacks that might send a message that reads “Don’t Click! www.tinyurl.com/XXXXXXXX.” But a Firefox addon called LongURL can quickly reveal the real URL and foil the scam.
At the ongoing RSA security conference today, Graham Cluley of Sophos displayed examples of both malicious and prankster attacks on social networks, including a Twitter attack like that described above, and the recent “Mikeyy” worm. Many of those examples used TinyURL or another link-shortening service to hide a malicous link in a profile post or message. Twitter users in particular often make legit use of the service to save space in messages.
One option for TinyURL is to cut and paste the link in a new browser tab, and append ‘preview’ to the link, as described here. But Cluley said he instead uses the LongURL addon when he browses with Firefox, and after trying it myself, I understand why.
The tool displays the full URL in a small pop-up when you hover your mouse over a URL shortened by TinyURL or other service, neutering any attack that might depend on obfuscating a clearly unwelcome URL. It’s one of those nice, no-brainer solutions.