What you missed: URL-shortening services gave hackers a new entry point

For most of us, April 30 was just another day. But if you're a security expert, you may recall that it was the day that nearly 20 percent of the hundreds of millions of spam emails clogging the Web contained a URL from a link-shortening service.

And don't think users aren't tempted by those poisoned links. A single Bit.ly URL generated 352 million spam emails over three days last September, which resulted in more than 18,000 responses, according to an analysis by MessageLabs (PDF), now part of Symantec. While that may seem like a poor response, by direct mail standards it's actually not too bad. And when you consider it cost the spammers almost nothing to generate that spam wave, it looks even better, says Paul Smith, a senior analyst for Symantec's Hosted Services division.


Those bogus emails generally send users to sites advertising services, particularly pharmaceuticals and watches. But they can also contain links to sites loaded with malware, so they represent more than just an annoyance, Smith says. In addition, they can redirect users to phishing sites that capture sensitive personal information.

With the explosion of social networking and microblogging services, URL-shortening sites have become very popular, and many do not require users to register or complete a CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) graphical challenge-response test.

Because domains like Bit.ly and TinyURL are "trusted," their use allows spammers to evade the typical filters that would otherwise detect and quarantine the messages. What's more, shortened URLs in tweets and other places are so common that many of us click on them without thinking. Even more sophisticated users who would otherwise recognize a dubious URL don't think "malware" when seeing a shortened URL in a tweet or Facebook message. (It's worth noting that some URL-shortening services, including TinyURL, have a preview feature that when enabled shows users where the link will take them.)
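The filter-evasion problem above comes from judging a message by the shortener's "trusted" domain rather than by where the link actually lands. The following is an added example, not code from the article or from any vendor it names: it expands a shortened URL the way a preview feature does, by following Location headers with HEAD requests only (no page body is fetched), capping the hop count and stopping on redirect loops, and then applies a domain blocklist to the final destination. The redirect table, blocklist and `fake_head` function are constructed stand-ins for a real HEAD request.

```python
from urllib.parse import urlparse

# Shortener hosts named in the article. A real filter would load a fuller list.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

def expand_url(url, head, max_hops=5):
    """Resolve a shortened URL by following Location headers only.

    `head(url)` must return (status, location) from a HEAD request, so no
    page body is ever fetched. Returns the chain of URLs visited, ending at the
    final destination (or where a loop or the hop limit stopped the walk).
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain                      # landed on a non-redirect
        if location in chain:
            return chain + [location]         # redirect loop, stop here
        chain.append(location)
    return chain                              # hop limit reached

def classify(url, head, blocklist):
    """Filter decision based on the expanded destination, not the shortener domain."""
    chain = expand_url(url, head)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    if final_host in blocklist:
        verdict = "quarantine"
    elif final_host in SHORTENER_HOSTS:
        verdict = "review"                    # loop or hop limit: destination still hidden
    else:
        verdict = "allow"
    return {"final": chain[-1], "hops": len(chain) - 1, "verdict": verdict}

# --- Constructed test doubles (no network access needed) -------------------
CONSTRUCTED_REDIRECTS = {
    "http://bit.ly/abc123": (301, "http://pills.example/offer"),
    "http://tinyurl.com/xyz789": (302, "http://bit.ly/abc123"),  # chained shorteners
    "http://bit.ly/loop1": (301, "http://tinyurl.com/loop2"),
    "http://tinyurl.com/loop2": (301, "http://bit.ly/loop1"),
}
CONSTRUCTED_BLOCKLIST = {"pills.example"}

def fake_head(url):
    """Stand-in for a real HEAD request; unknown URLs answer 200 with no Location."""
    return CONSTRUCTED_REDIRECTS.get(url, (200, None))

if __name__ == "__main__":
    for u in ("http://bit.ly/abc123", "http://tinyurl.com/xyz789", "http://bit.ly/loop1"):
        print(u, "->", classify(u, fake_head, CONSTRUCTED_BLOCKLIST))
```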

The problem is becoming a greater concern for IT as more and more users bring their social networking tools and habits to work.


This article, "What you missed: URL-shortening services gave hackers a new entry point," was originally published at InfoWorld.com. Get the latest insights in network security issues and trends at InfoWorld.com.


Copyright © 2010 IDG Communications, Inc.
