Shorten this Spam
Wed, Mar 31, 2010 by James Hoddinott
Terry Zink posted an article recently talking about an announcement by Twitter earlier in the month and the actions they are taking to further protect their users against phishing attacks; they state:
“By routing all links submitted to Twitter through this new service, we can detect, intercept, and prevent the spread of bad links across all of Twitter. Even if a bad link is already sent out in an email notification and somebody clicks on it, we’ll be able to keep that user safe.”
Based on information from their support pages, it seems they will use (at least in part) Google Safe Browsing. Users will see the twt.tl shortener service appearing, and for now it will only be on DMs (Direct Messages) and the email notifications they generate.
URL shorteners work pretty much as the name might suggest, taking a long URL (which might perhaps look ugly) and converting it to a much shorter one. With the rise of Twitter and other microblogging services, the need to save precious characters has led to an explosion of URL shortener services. In fact, there is a good chance that you came to this posting via one of these services.
As Terry points out in his post, these services have a fundamental flaw: spammers can and do use them to hide the true destination of their malicious URLs. The URL that they then post out is the shortened one, and since the domains used are essentially ‘good’, some domain-based filters won’t flag these URLs as spam. His post finishes with:
“Now, if only we could get all of the URL shortening services to subscribe to these reputation services.”
We’d like to second that comment and call on URL shortening services to take more proactive steps to identify and reduce the volume of spammy links submitted via their services. Even though it only really targets phishing and malware sites, Google has an API for their Safe Browsing service which would be a useful starting point.
Within the Security Operations Center at Cloudmark, one of the many things we keep an eye on is potential new URL shortener services. Our system takes these shortened URLs and follows them to their lengthier original state. This allows us to treat any shortened URL as if the original URL had been posted and use the reputation of that rather than the URL shortener service.
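The expand-then-score approach described above can be sketched as follows. This is an added example, not Cloudmark's system: the redirect table, the blocklist and all function names are constructed for illustration, and treating loops or over-long chains as suspicious is an assumed policy. In production, `fetch` would issue an HTTP request with automatic redirect-following disabled and return the `Location` header.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: a fake redirect table standing in for live HTTP
# responses (url -> Location header), and a fake domain blocklist.
REDIRECTS = {
    "http://short.example/a1": "http://tiny.example/zz",      # nested shortener
    "http://tiny.example/zz": "http://spam-shop.example/buy?id=7",
    "http://short.example/b2": "/b3",                         # relative Location
    "http://short.example/b3": "http://news.example/story",
    "http://short.example/loop": "http://tiny.example/loop",
    "http://tiny.example/loop": "http://short.example/loop",
}
BAD_DOMAINS = {"spam-shop.example"}

def offline_fetch(url):
    """Return the Location target for url, or None if it is not a redirect."""
    return REDIRECTS.get(url)

def expand(url, fetch=offline_fetch, max_hops=5):
    """Follow redirects hop by hop; return (chain, status)."""
    chain, seen = [url], {url}
    while True:
        location = fetch(chain[-1])
        if location is None:
            return chain, "resolved"
        if len(chain) > max_hops:            # another hop would exceed the limit
            return chain, "too_many_hops"
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https"):
            return chain, "bad_scheme"
        if nxt in seen:                      # redirect loop between shorteners
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)

def verdict(url, bad_domains=BAD_DOMAINS, fetch=offline_fetch):
    """Score the link by its final destination, not the shortener's domain."""
    chain, status = expand(url, fetch)
    if status != "resolved":
        return "suspicious", chain           # assumed policy for unresolvable chains
    host = (urlsplit(chain[-1]).hostname or "").lower()
    hit = any(host == d or host.endswith("." + d) for d in bad_domains)
    return ("spam" if hit else "clean"), chain
```
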
One of the big problems here, though, is the sheer number of such services that are available; you can even run your own. To give you an idea, here are some numbers:
- Total number of shortener services discovered: 707
- Total number of shortener services seen in the past week linking to spammy websites: 275
- Total number of shortened URLs seen in the past week linking to spammy websites: 5868
(‘past week’ here refers to the 7 days leading up to 30th March 2010)
So in the past week nearly 40% of the URL shortener services that we know about were abused by spammers, and of those, each was used a little over 20 times on average. These are just the services we know about! Every day we discover more, and we now also have some semi-automated systems in place to detect new services before we humans do. This helps us react much more quickly to new spam attacks using shortener services.
We’d love to hear from any URL shortener service that takes abuse of its service seriously and takes proactive steps to identify and remove spammy links.