Taking the Shortcut to Malicious Attacks
Shortened URLs have become popular in recent years as a means of conserving space in character-limited text fields, such as those used for micro-blogging. Some URLs consist of a substantial number of characters that can eat up character limits, break the flow of text, or cause distortions in how Web pages are rendered for users. URL shortening services allow people to submit a URL and receive a second, specially coded shortened URL that redirects to the original URL. When a user clicks on the shortened URL, the service will redirect the person to the submitted Web page.
Attackers are taking advantage of this type of service because it helps to hide the actual destination URL. Attackers use the shortened links, which may or may not be legitimate, to lead unwitting users to malicious websites that are designed to attack any system using a vulnerable browser.
Social networks are a security concern for organizations because they provide an effective platform for attackers to launch this type of attack. Users may be more likely to trust (and click on) a link on a social networking site when it appears to have been posted by a friend, with little fear of danger. Therefore, an attacker who compromises a social networking account can prey on the inherent trust of the social network connected to that account and post URLs that link to malicious websites. During a three-month observation period in 2010, two-thirds of the malicious URLs observed on social networks were shortened URLs. Currently, most malicious URLs on social networking sites lead to websites that are hosting attack toolkits.
Using malicious shortened URLs can be a very successful method of attack. Symantec measured the number of times a malicious shortened URL was clicked on to determine the success of the link. Of the shortened URLs leading to malicious websites that Symantec observed on social networking sites over a four-month period in 2010, 88 percent were clicked on at least once.
As more people join and frequent social networking sites and the sophistication of these sites grows, it is likely that more complex attacks will be perpetrated through them, including the use of malicious shortened URLs. In addition, these threats should be a concern for network administrators because many users access their social networks from work computers. Users should ensure that they monitor the security settings of their profiles on these sites as much as possible, especially because many settings are automatically set to share a wealth of potentially exploitable information. It is up to the user to restrict access to his or her social networking profile.
For further information on these and other malicious attacks, please refer to the Symantec Internet Security Threat Report, Vol. 16.