Research by Symantec MessageLabs shows the amount of spam that contains links masked via URL shortening services has jumped dramatically in the past few days. While services like TinyURL and Cligs are popular for legitimate users, people should treat shortened URLs with at least as much caution as other links, security researchers say.

It's no secret that the growth of Twitter and other social
media sites has made URL shortening services a welcome fact of life for many
users. Unfortunately, it seems spammers have now taken notice, and are working
shortened URLs into their schemes.

According to Symantec, there has been a significant increase
in the amount of spam using links concealed with URL shortening services.
During the past three days, the amount of spam containing short URLs has gone
up from virtually nothing to 2.23 percent of all spam. Though that figure
sounds small, based on Symantec's statistics on global spam volume it could
equal more than 3.5 billion spam messages per day.

"We've been monitoring the use of short URLs in regular
e-mail spam for the past few months and noticed that it had been used in small
spam campaigns," said Matt Sergeant, senior anti-spam technologist at
MessageLabs, now a part of Symantec. "However, in the middle of last week,
we saw it increase exponentially ... to over 2 percent of total spam today."

Security researchers have warned users to be extra-skeptical
of shortened URLs because they mask the true URL and there is generally no way
to see the destination the URL points to. One solution to the problem is the
Firefox add-on called LongURL,
which users can utilize to see where short URLs

URL shortening services have become particularly popular
among users of Twitter and social networking sites such as Facebook. One of
them, Cligs, was hit with an attack in June that redirected some 2.2 million
to a blog post. While in that case the impact of the attack was minimal,
users could just as easily have been led to a malicious site.

In fact, Sophos reported a phishing attack on Twitter
did exactly that, redirecting victims to a phishing site that asked them for
their name and password.

According to Sergeant, the spike in spammers abusing URL
shortening services is tied to the Donbot botnet, and indicates that the botnet
operator has found a way to automate the creation of short URL links either
within the botnet code or in the templates being sent out. Since URL shortening
services don't require the creation of an account (something that would force
spammers to crack a CAPTCHA), it's easier to automate the process, he said.

"[Donbot] is not one of the biggest botnets out there,
but it sends a high volume of malicious content and is responsible for about 5
million spam e-mails," Sergeant said. "The nodes or infected
computers are placed all over the globe, so despite being fairly small, it
sends a large volume. It's an efficient botnet for sending spam and is used for
the typical type of spam we see every day from weight loss to male enhancement."

Though URL shortening services typically have filters in
place, the filters are normally retroactive, making the problem difficult to
manage, Sergeant said.

"There's really not much they can do other than take
down the link once they've determined it to be spam," he said. "Users
need to be wary of what they click on and only trust e-mails with links that
you are expecting to receive."
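
One way to see where a shortened link leads without opening the destination page, shown here as an added example that is not from the article or from any product it names: follow the redirect chain with HEAD requests only, so a filter can judge the final host instead of the shortener's. The shortener hostnames, the redirect table, the short codes and the example.net destination are constructed assumptions.

```python
import http.client
from urllib.parse import urlsplit, urljoin

# Assumption: hostnames of the two services the article names; extend for others.
SHORTENERS = {"tinyurl.com", "cli.gs"}

def is_short(url):
    """True if the URL's host is a known shortening service."""
    host = urlsplit(url).hostname or ""
    return (host[4:] if host.startswith("www.") else host) in SHORTENERS

def head_location(url, timeout=5):
    """One HEAD request; returns (status, Location). The page body is never fetched."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=head_location, max_hops=5):
    """Follow redirects one hop at a time; return every URL in the chain."""
    chain = [url]
    while len(chain) <= max_hops:
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if urlsplit(nxt).scheme not in ("http", "https") or nxt in chain:
            break  # stop on non-web schemes and redirect loops
        chain.append(nxt)
    return chain

def final_hosts(urls, head=head_location):
    """Map each shortened URL to the host it finally lands on, for filtering."""
    return {u: urlsplit(expand(u, head)[-1]).hostname for u in urls if is_short(u)}

# Constructed redirect table standing in for the network, so this runs offline.
FAKE = {
    "http://tinyurl.com/abc123": (301, "http://dest.example.net/r"),
    "http://dest.example.net/r": (302, "/landing"),
    "http://dest.example.net/landing": (200, None),
    "http://cli.gs/loop": (302, "http://cli.gs/loop"),
}
def fake_head(url):
    return FAKE.get(url, (404, None))
```

Calling `final_hosts(list(FAKE), head=fake_head)` exercises the chain against the constructed table; omitting `head` uses real HEAD requests.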