Guest Column | August 31, 2009

Disguising Malware: Spammers Begin Experimenting with URL Shortening Services

By Bradley Anstis, director of technical strategy, Marshal8e6

Over the past few years, there has been an explosion in the use of social networking sites like Facebook and LinkedIn and the massive microblogging site Twitter — both among consumers and business users. These sites allow users to easily connect with friends, family, past colleagues, and new business prospects, which has led to their rapid adoption on the Web.

While these sites can certainly help drive business and build stronger connections with business partners, they are also ripe for exploitation by hackers and spammers. In recent weeks, a number of campaigns have hit social networking sites and Twitter, but a new and troubling trend is the use of URL shortening services, like TinyURL and tr.im, to distribute malware.

By utilizing services like these, spammers are able to trick unsuspecting users into visiting malicious or inappropriate websites by hiding the actual URL of the Web site behind the shortened URL. For example, the shortened URL http://bit.ly/r8WGP actually redirects you to our TRACELabs home page. The point is that, looking at the link alone, you have no idea where it is going to take you.

There are several examples of recent URL shortening spam campaigns. One involved emails purportedly coming from friends that invite readers to play them in an online game. The URL, which actually links to an online gambling site, is hidden behind a URL shortening service. Users who click on such a link in an office environment could find themselves in violation of their company's Internet Use Policy, so it is important to always be careful before you click. Another recent attack saw a URL shortening service itself get hacked; as a result, every shortened URL it served was redirected to a single URL chosen by the hackers.

Spammers across the board have been experimenting lately with URL shortening services, but the highest profile offenders so far have been the Donbot, Rustock and Pushdo botnets. These botnets have been experimenting mainly with low profile URL shortening services like bagofmilk.com, urlredo.com and xsm.us. Users who click on the shortened URLs in their spam campaigns have often found themselves redirected to gambling sites, as mentioned above, or to sites selling pharmaceutical drugs.

These types of campaigns are problematic since they provide a rather cloak-and-dagger method for spammers to reach unsuspecting victims. While many Internet users are now aware of the dangers of opening files attached to emails and a good number are wary of links in emails from senders they don't recognize, URL shortening is still a relatively new phenomenon. As new users visit sites like Twitter and Facebook, they may not be aware that they need to use caution before clicking on shortened URL links, making this an especially troublesome trend.

How can users protect themselves?
First and foremost, remaining vigilant about who is posting or emailing the link is always key. If you don't recognize the source, or are not familiar with the Twitter handle posting the link, it may be best to take a pass on visiting the hidden website. Always keep the reputation of the poster in mind. Secondly, there are a number of free tools and applications that allow users to uncover shortened URLs and determine whether the destination is the same as advertised. Two such tools are the Firefox add-on "Long URL Please," which automatically expands shortened URLs as the Web page loads, and TweetDeck's URL preview function, which lets users view the full Web address before continuing on to the site.

In addition, adding a layer of security at a company's Web and email gateway can help stop inappropriate or harmful websites from loading if a user does happen to click on a shady shortened link, or can even block users from clicking on any shortened link at all. There are varying levels of software and hardware tools that can be implemented to monitor traffic as it flows onto a business network, so be sure to weigh the options and choose the solution that works best for your organization.
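The two defensive measures above (expanding a shortened URL to see its real destination, and enforcing a policy on shortened links at the gateway) can be combined in a small filter. The following is an added example, not code from the column or from Marshal8e6: it pulls links out of a message body, flags those whose host is on a list of known shorteners (the ones named in this column plus bit.ly), follows the redirect chain with a hop cap so a looping or hijacked shortener cannot stall the check, and blocks any link whose final destination is on a policy list or cannot be resolved. The redirect table, the `.example` destinations and the sample email are constructed stand-ins for live HTTP responses.

```python
import re
from urllib.parse import urlparse

# Shortener hosts named in the column plus bit.ly (constructed list; extend as needed).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "tr.im", "bagofmilk.com", "urlredo.com", "xsm.us"}
MAX_HOPS = 5  # hop cap so a looping or self-referencing shortener cannot stall the gateway
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def find_short_urls(text, shorteners=SHORTENER_HOSTS):
    """Return the links in a message body whose host is a known URL shortener."""
    return [u for u in URL_RE.findall(text) if urlparse(u).hostname in shorteners]

def expand(url, fetch_location, max_hops=MAX_HOPS):
    """Follow redirects from a short URL to its final destination.

    fetch_location(url) returns the Location header when url redirects, else None
    (in a real gateway this would be a HEAD request that does not auto-follow).
    Returns (final_url, status) with status 'ok', 'loop' or 'too_many_hops'.
    """
    seen = [url]
    for _ in range(max_hops):
        nxt = fetch_location(seen[-1])
        if nxt is None:
            return seen[-1], "ok"
        if nxt in seen:
            return nxt, "loop"
        seen.append(nxt)
    return seen[-1], "too_many_hops"

def check_message(text, fetch_location, blocked_hosts):
    """Gateway policy: expand every shortened link; block it when the destination is
    on the blocked list or the chain cannot be resolved (fail closed)."""
    report = []
    for short in find_short_urls(text):
        final, status = expand(short, fetch_location)
        blocked = status != "ok" or urlparse(final).hostname in blocked_hosts
        report.append({"short": short, "final": final, "status": status,
                       "verdict": "block" if blocked else "allow"})
    return report

# Constructed redirect table standing in for live HTTP responses.
FAKE_REDIRECTS = {
    "http://xsm.us/g4me": "http://play-now.example/lobby",        # "play me" lure
    "http://play-now.example/lobby": "http://casino.example/signup",
    "http://tr.im/loop1": "http://tr.im/loop2",                    # looping shortener
    "http://tr.im/loop2": "http://tr.im/loop1",
    "http://bit.ly/ok1": "http://partner.example/home",            # benign link
}
fake_fetch_location = FAKE_REDIRECTS.get
BLOCKED_HOSTS = {"casino.example"}  # constructed policy list (e.g. gambling category)
SAMPLE_MAIL = ("Hey, come play me at http://xsm.us/g4me tonight! Also http://tr.im/loop1 "
               "and our page http://bit.ly/ok1")
```

Running `check_message(SAMPLE_MAIL, fake_fetch_location, BLOCKED_HOSTS)` yields one row per shortened link: the gambling lure and the looping link are blocked, the benign one is allowed.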

As spammers continue to experiment with this latest technique, we'll likely see more widespread campaigns using URL shortening services crop up in the coming weeks and months. With the continued growth of sites like Facebook and Twitter, it seems only a matter of time before spammers add this method to their usual tool belt of ways to distribute malicious and inappropriate content to as many individuals as possible.

As cyber criminals become more clever in their approaches, it's important to take the steps necessary to protect your corporate and personal IT assets. You never want to be the latest victim of a spammer's new campaign, especially as social networking sites become more important in the business world.

Bradley Anstis is the director of technical strategy at Marshal8e6, a provider of email and Web security technologies.