URL-shortening services gave hackers a new entry point

The No. 3 top sleeper tech story of 2010

For most of us, April 30 was just another day. But if you're a security expert, you may recall that it was the day that nearly 20 percent of the hundreds of millions of spam emails clogging the Web contained a URL from a link-shortening service.

And don't think users aren't tempted by those poisoned links. A single Bit.ly URL generated 352 million spam emails over three days last September, which resulted in more than 18,000 responses, according to an analysis by MessageLabs [PDF], now part of Symantec. While that may seem like a poor response, by direct mail standards it's actually not too bad. And when you consider it cost the spammers almost nothing to generate that spam wave, it looks even better, says Paul Wood, a senior analyst for Symantec's Hosted Services division.

Those bogus emails generally send users to sites advertising services, particularly pharmaceuticals and watches. But they can also contain links to sites loaded with malware, so they represent more than just an annoyance, Wood says. In addition, they can redirect users to phishing sites that capture sensitive personal information.

With the explosion of social networking and microblogging services, URL-shortening sites have become very popular, and many do not require users to register or complete a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) graphical challenge-response test.

Because domains like Bit.ly and TinyURL are "trusted," their use allows spammers to evade the typical filters that would otherwise detect and quarantine the messages. What's more, shortened URLs in tweets and other places are so common that many of us click on them without thinking. Even more sophisticated users who would otherwise recognize a dubious URL don't think "malware" when seeing a shortened URL in a tweet or Facebook message. (It's worth noting that some URL-shortening services, including TinyURL, have a preview feature that when enabled shows users where the link will take them.)
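The filtering gap described above can be shown from the defender's side. The following is an added example, not code from the article or from any vendor it mentions: it compares a filter that judges only the domain visible in a message with one that expands the redirect chain first. The redirect table, the blocklist and all `.example` hosts are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data: stands in for the "Location" header each hop would
# return. A real filter would obtain this from an HTTP request per hop.
REDIRECTS = {
    "http://bit.ly/a1": "http://tinyurl.com/b2",
    "http://tinyurl.com/b2": "http://pills.example/buy",
    "http://bit.ly/ok": "http://news.example/story",
    "http://bit.ly/loop": "http://tinyurl.com/loop",
    "http://tinyurl.com/loop": "http://bit.ly/loop",
}
SHORTENERS = {"bit.ly", "tinyurl.com"}  # domains a filter tends to trust
BLOCKLIST = {"pills.example"}           # constructed reputation list


def host(url):
    return (urlsplit(url).hostname or "").lower()


def naive_verdict(url):
    """Judge only the domain that appears in the message."""
    return "block" if host(url) in BLOCKLIST else "allow"


def expand(url, lookup=REDIRECTS.get, max_hops=5):
    """Follow redirects; return (chain, problem), problem is None if clean."""
    chain = [url]
    while (nxt := lookup(chain[-1])) is not None:
        if nxt in chain:
            return chain, "loop"
        if len(chain) > max_hops:
            return chain, "too-many-hops"
        chain.append(nxt)
    return chain, None


def expanding_verdict(url):
    """Judge every hop, and refuse to trust a chain that cannot be resolved."""
    chain, problem = expand(url)
    if problem:
        return "quarantine"
    if any(host(u) in BLOCKLIST for u in chain):
        return "block"
    if host(chain[-1]) in SHORTENERS:  # destination still unknown
        return "quarantine"
    return "allow"
```
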

The problem is becoming a greater concern for IT as more and more users bring their social networking tools and habits to work.

The top underreported tech stories of 2010:

  1. Apple quietly became a key enterprise provider
  2. Server virtualization has stalled, despite the hype
  3. URL-shortening services gave hackers a new entry point
  4. The health care industry faces its risky ERP moment
  5. Deferred IT maintenance is a ticking time bomb
  6. Energy-efficient Ethernet has arrived, with real savings
  7. A major Internet security hole was finally plugged
  8. Social media messaging is getting around traditional firewalls
  9. Businesses are resisting the XBRL mandate

This article, "What you missed: URL-shortening services gave hackers a new entry point," was originally published at InfoWorld.com.


Copyright © 2010 IDG Communications, Inc.