URL Shortening a Safe Haven for Spammers

“It is my ambition to say in ten sentences what others say in a whole book.” – Friedrich Nietzsche

In a world where modern technology encourages us to litter the Interwebs with memes, thoughts, new ideas, and sometimes sketchy facts, Twitter is the king of the understatement. The cost of words has become cheap, as is evidenced by the daily usage of email or your average timeline on Facebook; yet Twitter is elegant, it seems, in the way it limits us to 140 characters. It feels like a throwback to the early days of computing when memory was oppressively expensive and computer storage was extremely limited. Back then, we had to be brief, and it was a good thing. Now, however, the world seems to have lost its internal filter, and perhaps the creators of Twitter considered that when they developed their technology.

It should be no surprise to anyone that URL shortening services like bit.ly were developed to accommodate the way the modern world communicates. URLs can get long and unwieldy, and even with copy and paste, messages that were meant to unify words and spew them out as thoughts became difficult to read when three lines in a five-line message consisted of a dynamic URL that looks like it was forged in the realm of Cthulhu.

In fact, URL shortening has grown in its popularity, in no small way thanks to Twitter. Twitter’s own URL shortening service, t.co, kicks in automatically when you’re creating your latest Tweet criticizing Miley Cyrus or bemoaning yet another falsified report of a celebrity death. And while the utility of that handy feature is surely a boon to those who simply cannot form a thought in 140 characters or less, there is a tradeoff: meaning.

Yes, meaning. Some might argue that meaning is…uhm…meaningless in a world that glorifies cats and regurgitates inspirational memes that eschew spelling and grammar for a quick fix. But meaning often leads to enlightenment, and if there’s one reason URL shortening is a bad idea, it’s because we no longer understand what clicking on that link might get us.

In fact, URL shortening has become so ubiquitous that we now see a link from goo.gl, tr.im, bit.ly, or t.co and regard it as an old friend, and that’s exactly how spammers want you to feel. The Telegraph is reporting that t.co, Twitter’s own URL shortener, is being used to spread spam, and if this surprises you, it shouldn’t, because the aforementioned non-Twitter services have been used for just that purpose for some time now.

If you thought that URL shorteners would protect you from spam, think again. “The major companies providing this service all have anti-abuse filters in place to attempt to control this sort of malicious activity. But some are doing better than others, according to security firm Cloudmark.” In fact, the URL shortening services appear to be lousy with cybercriminals just hoping theirs is the link you’ll click. “Using a sample of 1,200 t.co links reported to Cloudmark’s Global Threat Network as spam between July 22 and July 29, the company found that only 7 per cent were legitimate uses of a URL shortener.”

Only seven percent. Wow. So now we begin to see how they’re winning the war on spam. If you can exploit it, take it over. We’ve seen exactly the same methodology used in email spam, so why should this be any different? And lest you doubt how this might affect you, remember that your users aren’t nearly as well-informed and savvy as you. They’re not going to distinguish between a bit.ly link in a Twitter post and a bit.ly link in an email message. Trust is a dangerous thing when there’s no trust deserved.

According to The Telegraph, the majority of malicious links were redirects to two sites, both online pharmacies. And although the two brands were distinct, “the techniques used in their spam advertising are identical, leading Cloudmark to conclude that this could be the work of a single spammer.” And the spammer is wily, according to one security expert. “The spammer…avoided Twitter’s anti-abuse filters by using an intermediate layer of redirection. The t.co link redirects to a URL on a compromised domain, and that in turn uses a REFRESH meta tag to redirect to the spam landing page. This dual layer of redirection seems to be fooling Twitter.”
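To make the dual layer of redirection concrete from a filter's point of view, here is an added example (not from The Telegraph, Cloudmark, or Twitter) of a link checker that follows both HTTP redirects and REFRESH meta tags before judging the destination. The hostnames, the SAMPLE responses, and the fetch callback are constructed assumptions; in real use, fetch would be an HTTP client that does not auto-follow redirects.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin

class _MetaRefresh(HTMLParser):
    """Collects the target of the first <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.target = None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # parser lowercases tag/attr names
        if tag != "meta" or self.target or a.get("http-equiv", "").lower() != "refresh":
            return
        m = re.search(r"url\s*=\s*['\"]?([^'\">]+)", a.get("content", ""), re.I)
        if m:
            self.target = m.group(1).strip()

def next_hop(url, status, headers, body):
    """Return (kind, target) for the redirect this response performs, or None."""
    if 300 <= status < 400 and "Location" in headers:
        return "http", urljoin(url, headers["Location"])
    parser = _MetaRefresh()
    parser.feed(body)
    if parser.target:
        return "meta-refresh", urljoin(url, parser.target)
    return None

def resolve_chain(url, fetch, max_hops=10):
    """Follow both redirect kinds; return [(url, kind of hop leaving it)]."""
    chain, seen = [], set()
    while len(chain) < max_hops and url not in seen:   # bound hops, stop on loops
        seen.add(url)
        hop = next_hop(url, *fetch(url))
        chain.append((url, hop[0] if hop else "final"))
        if hop is None:
            break
        url = hop[1]
    return chain

# Constructed responses; the .example hosts are placeholders, not real indicators.
SAMPLE = {
    "https://short.example/abc":
        (301, {"Location": "http://compromised.example/x.html"}, ""),
    "http://compromised.example/x.html":
        (200, {}, '<head><META HTTP-EQUIV="REFRESH" '
                  'CONTENT="0; URL=http://landing.example/"></head>'),
    "http://landing.example/": (200, {}, "<body>landing page</body>"),
}

def fetch_sample(url):
    return SAMPLE[url]   # stands in for a real HTTP GET with redirects disabled
```

A checker that stops at the last HTTP 3xx response would score only the compromised intermediate page; resolve_chain keeps going through the meta tag, so the reputation lookup can run against the real landing page.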

Twitter declined to comment on The Telegraph’s story, and clearly this can pose a serious threat to any network or individual who cannot tell whether a shortened URL is spammy or malicious.