Long story short: Kaspersky uncovers threats behind shortened URLs

Short links have become an indispensable part of today’s online experience. Many Internet users click on bit.ly, ow.ly, or other links created by a URL shortener with no hesitation. However, short links can pose significant privacy and security threats that are often not considered. Kaspersky explain why it is important to remain vigilant and how people and companies can protect themselves from potential compromise.

Short links have made Internet browsing and communication in messengers easier and quicker, especially on mobile devices. They also can improve social media sharing where length of messages is often limited. Most people just copy and paste the automatically shortened link, and many of the popular URL shortening services allow users to customise the name of the ‘new’ web address. But herein lies the problem. Unlike traditional URLs, a shortened one does not allow a user to hover over it and see what the actual website address is. So, in most cases you can’t be certain what is waiting for you on the other end of a shortened URL until you are there.

If cybercriminals exploit a zero-click vulnerability on the web browser, an infection can happen as soon as a user lands on the malicious website. Cybercriminals can also use link-shortening tools to change the target address as the need arises. For example, in a situation when attackers have sent out phishing messages with some kind of link, but the phishing site they created for landing was blocked, rehosting it at a different address wouldn’t be an issue if they used URL shorteners for links in their letters. Often, multiple redirects are used to further muddy the trail.

Some link-shortening tools allow tracking the actions of link clickers on the actual destination site, which is effectively a man-in-the-middle attack: traffic passes through an intermediate service node that monitors all data exchanged between the user and the destination site. Thus, the URL shortener can potentially intercept entered credentials, social network messages, and so on. What’s more, such links can be used for doxing and other types of tracking, especially if the URL shortener service offers advanced functionality.

In most cases, short links intended for mass use are placed in social network posts or on web pages. But additional risks arise if one was sent to a user personally — in a messenger or an email to a personal or work address. Using such links, an attacker who has already gathered some information about the user can redirect the potential victim to a phishing site where some personal data is pre-filled. For example, to a copy of a banking site with a valid username and a request to enter the password, or to the “payment gateway” of some service with a personal bank card number pre-filled, asking the user to enter a security code.

Never clicking on a shortened URL is not an option given how commonplace and convenient these have become. For the most part, URL shorteners are used for legitimate purposes and are completely safe. However, since there are threat actors looking to benefit from people’s trust in a service, user’s vigilance is important. In case a link raises suspicion, is received in a resent message, comes from an unfamiliar e-mail or unknown contact, an easy way to inspect it can be to copy and paste it into a tool like GetLinkInfo or UnshortenIt. Users can also opt to install a security solution like Kaspersky Premium for personal devices while organizations can choose a suitable Kaspersky Next tier. Solutions like this will warn a user before landing on a dangerous website – even if the link was shortened, and will guard against any attempts to infect your devices — including ones exploiting as-yet-unknown vulnerabilities.

“The best defences against cyberthreats that shortened URLs may pose is a comprehensive security solution coupled with awareness and vigilance from users. Many cybersecurity breaches result from human errors and social engineering techniques, so people should keep themselves informed while organizations should consider regular educational programmes such as Kaspersky Automated Security Awareness Platform to empower employees with the knowledge and skills needed to protect a company’s data and sensitive information from hacking, phishing, or other breaches,” says Seifallah Jedidi, Head of Consumer Channel, META, at Kaspersky.