Symantec Finds Spammers Abuse Faith in URL Shortening Services

 
 
By Brian Prince  |  Posted 2009-07-08 Email Print this article Print
 
 
 
 
 
 
 

Research by Symantec MessageLabs shows the amount of spam that contains links masked via URL shortening services has jumped dramatically in the past few days. While services like TinyURL and Cligs are popular for legitimate users, people should treat shortened URLs with at least as much caution as other links, security researchers say.

It's no secret that the growth of Twitter and other social media sites has made URL shortening services a welcomed fact of life for many users. Unfortunately, it seems spammers have now taken notice, and are working shortened URLs into their schemes.

According to Symantec, there has been a significant increase in the amount of spam using links concealed with URL shortening services. During the past three days, the amount of spam containing short URLs has gone up from virtually nothing to 2.23 percent of all spam. Though that figure sounds small, based on Symantec's statistics on global spam volume it could equal more than 3.5 billion spam messages per day.

"We've been monitoring the use of short URLs in regular e-mail spam for the past few months and noticed that it had been used in small spam campaigns," said Matt Sergeant, senior anti-spam technologist at MessageLabs, now a part of Symantec. "However, in the middle of last week, we saw it increase exponentially ... to over 2 percent of total spam today."

Security researchers have warned users to be extra-skeptical of shortened URLs because they mask the true URL and there is generally no way to see the destination the URL points to. One solution to the problem is the Firefox add-on called LongURL, which users can utilize to see where short URLs actually go.

URL shortening services have become particularly popular among users of Twitter and social networking sites such as Facebook. One of them, Cligs, was hit with an attack in June that redirected some 2.2 million URLs to a blog post. While in that case the impact of the attack was minimal, users could just as easily have been led to a malicious site.

In fact, Sophos reported a phishing attack on Twitter that did exactly that, redirecting victims to a phishing site that asked them for their name and password.

According to Sergeant, the spike in spammers abusing URL shortening services is tied to the Donbot botnet, and indicates that the botnet operator has found a way to automate the creation of short URL links either within the botnet code or in the templates being sent out. Since URL shortening services don't require the creation of an account-something that would force spammers to crack a CAPTCHA-it's easier to automate the process, he said.

"[Donbot] is not one of the biggest botnets out there, but it sends a high volume of malicious content and is responsible for about 5 million spam e-mails," Sergeant said. "The nodes or infected computers are placed all over the globe, so despite being fairly small, it sends a large volume. It's an efficient botnet for sending spam and is used for the typical type of spam we see every day from weight loss to male enhancement."

Though URL shortening services typically have filters in place, the filters are normally retroactive, making the problem difficult to manage, Sergeant said.

"There's really not much they can do other than take down the link once they've determined it to be spam," he said. "Users need to be wary of what they click on and only trust e-mails with links that you are expecting to receive."

 
 
 
 
 
 
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
 
 
Rocket Fuel