How Short Links Can Be Abused
One of the best ways for malware developers to distribute malicious software is with links. We see links everywhere during our time on the Internet, whether on websites or in our social media feeds. All sorts of files are distributed as links on a daily basis, so malware distributors aim to get their malware out there by “hijacking” our tendency to click links, directing us to harmful files and websites.
There’s a problem, however: you can’t really spread a link around if the URL itself clearly shows it’s a potentially malicious file. You can claim it’s a picture or a website all you like, but if people can see that the URL leads to an .exe file, no one is going to click it!
The trick, therefore, is to slip the URLs under the radar. Attackers try several things, from posting the link in a busy environment and catching those who don’t pay attention, to hacking accounts and sending links to friends in the hope they will be automatically trusted, to spoofing the URL so it shows something different from what it actually leads to. Shortened links, however, make their job much easier, as they hide the true nature of what’s behind the link.
The Dangers of Shortened Links
For an example, let’s take an innocent target – Google. Here is the URL for the website:
https://www.google.com
This is what the Google logo looks like when hotlinked:
https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png
You can see the difference clearly, can’t you? One is a website, and the other is an image file. You’d know exactly where you’re going and what you’ll see when you click these links just from reading the URL alone. But what happens when we pass them both through Bit.ly and then compare the results? Can we tell the difference then? Let’s see:
http://bit.ly/1dNVPAW is linked to https://www.google.com
http://bit.ly/1JcI49O is linked to https://www.google.com/images/branding/googlelogo/1x/googlelogo_color_272x92dp.png
Not much difference, is there? The only thing that changes is the scramble of letters and numbers after the “bit.ly” domain. We can’t see file extensions or even a hint of where the link goes. Now we can’t tell from reading the actual links which one goes to Google and which goes to its logo. Even worse, if we didn’t know beforehand that these bitly links went to Google and its logo, we would have no idea where they go at all.
This is exactly what attackers can exploit to distribute their malicious website or code. They can show a shortened link and claim it’s a funny video or a shocking news article, and nobody would be able to tell from looking at the URL alone that it actually leads to a malicious file or website.
How to Spot Them
So there are shortened links being spread around, you can’t tell whether they go to a legitimate website, and you’re left wondering whether you should click them or not. Are there any ways you can check the link without clicking on it to make sure it’s innocent? Thankfully, there are a few web services out there built to help combat this method of attack. Here are some examples.
CheckShortURL is a great tool that covers many link shorteners currently in use. Feed it a shortened link, and CheckShortURL will analyse it and let you know what website it goes to. It allows you to view a snapshot of the website to check its legitimacy, and if you’re unsure if it’s safe or not, it comes with links to automatically search for the website on security advisory services such as Web of Trust.
GetLinkInfo is good if you want to see exactly what the link does when redirecting you. Shortened links work by redirecting users who visit the short link to wherever it’s been told to go. GetLinkInfo scans the jumps the redirect makes, so you can make sure you’re going somewhere safe when you click the link. It also tells you how safe it is to visit using Google’s Safe Browsing advisories.
Alternatively, some link shortener companies know the value of allowing users to peek behind the curtain. They sometimes give you a special method to check the links generated by their website, so you don’t have to take a risk. For example, did you know that if you add a “+” to the end of a bitly link, it takes you to a preview site where you can check the destination before visiting it? You can try it on the example links above, like this: http://bit.ly/1dNVPAW+.
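
The hop-by-hop check that redirect-scanning services perform can be reproduced locally. The following Python is an added example, not code from GetLinkInfo or any service named in this article: it follows each redirect with a HEAD request (no page body is downloaded) and flags a final URL that ends in an executable extension. The hostnames in SAMPLE are constructed, and the RISKY_EXT list is an assumption.

```python
import http.client
from urllib.parse import urljoin, urlsplit

# Assumed list of extensions worth flagging; extend to suit your environment.
RISKY_EXT = (".exe", ".scr", ".msi", ".bat", ".js", ".vbs")

def head_location(url, timeout=5):
    """Send one HEAD request; return the Location header, or None if not a redirect."""
    parts = urlsplit(url)
    https = parts.scheme == "https"
    conn_cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def trace(url, fetch=head_location, max_hops=10):
    """Return every URL in the redirect chain, making at most max_hops requests."""
    chain = [url]
    while len(chain) <= max_hops:
        location = fetch(chain[-1])
        if not location:
            return chain                      # no further redirect: final target
        nxt = urljoin(chain[-1], location)    # Location may be relative
        if nxt in chain:
            raise ValueError("redirect loop at " + nxt)
        chain.append(nxt)
    raise ValueError("too many redirects")

def risky(url):
    """True if the URL path ends in one of the RISKY_EXT extensions."""
    return urlsplit(url).path.lower().endswith(RISKY_EXT)

# Constructed redirect table standing in for live servers, so the demo runs offline.
SAMPLE = {
    "http://short.example/a1": "https://tracker.example/r?id=7",
    "https://tracker.example/r?id=7": "/files/photo.jpg.exe",
}

if __name__ == "__main__":
    hops = trace("http://short.example/a1", fetch=SAMPLE.get)
    for number, hop in enumerate(hops):
        print(number, hop)
    print("risky final target:", risky(hops[-1]))
```

Calling trace() without the fetch argument queries live servers. Some servers answer HEAD differently from GET, so treat the result as a preview rather than a guarantee.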
No Longer the Weakest Link
With shortened links being used for malware distribution, it’s a good idea to be cautious when clicking unknown links from total strangers. Now you know how the shortened link attack works and how to check a link to see if it’s valid. Have you ever been caught off-guard by a shortened link? Or do you treat them all with suspicion? Let us know below.