URL-shortening services like bit.ly or is.gd have become all the rage with the rise of Twitter and Facebook. They're also a great way to slip someone a digital Mickey Finn: What better way to hide an attack than to not even let people know the actual URL they're clicking on?
URL shorteners generally perform no safety checking on the links they process. Also, shortened URLs tend to be passed around from user to user without much thought for whether or not they've been sanitized. Consequently, someone can pass you a direct link to malware or to an infected site, and folks with a blind click-first reflex may end up taken somewhere they don't want to go.
LongURL is a site that lets you paste in a short URL and expand it to see if you're dealing with something malicious. If copy-and-paste is too much hassle, it also provides an add-on version of the service for Firefox, which shows you the long version of the URL when you hover over a shortened link. LongURL also offers a set of APIs that can be integrated with things like jQuery, so people who integrate link-shortening tools into their own sites or programs can make use of such tools, too.
In addition, many Twitter clients -- such as TweetDeck and Mixero, to name two -- have a preview function that shows the long form of a shortened URL so that you can see what you're about to click on.
DNS servers translate raw Internet addresses (such as 18.104.22.168) into human-friendly domain names (www.myfunsite.com). With a little work, the information provided by some DNS servers can be hijacked or misdirected -- "poisoned" -- allowing an attacker to send someone to any Web site they choose.
The most common DNS poisoning attacks exploit flaws in DNS server software to allow fake name-resolution data to be sent to clients. One of the worst examples of DNS poisoning surfaced in 2008, when computer researcher Dan Kaminsky demonstrated how domains could be redirected with the then-current version of BIND, the software that most servers use to perform DNS resolution. The end result: You can hijack an entire domain -- including its subdomains, its mail servers (MX entries), its SPF records and everything else that can be stuffed into its DNS resources.
In this case, prevention is mostly up to the people running domain name services. Admins should update to the most recent version of BIND, which is much more skeptical about the data it receives and performs more thorough cross-checking to prevent poisoning.
If you have doubts about the validity of your DNS hosting, you can test it through the DNSStuff.com toolset. Its DNSreport Demo (free for regular users; the full non-demo version is for-pay) lets you check the results of DNS resolution for common domain names from your servers. If you suspect your DNS servers are dodgy or compromised, you can always use a different one by editing your TCP/IP settings or by setting your in-house router (if you use one) to resolve to another server. The Google Public DNS service might come in handy here, since Google claims its DNS is less vulnerable to poisoning.
In-house router attacks