What are URL shorteners and why should you care?

December 06, 2019 | by Chris Lee | phishing, email security, URL shortening

URL shortening is a commonly used technique in which a URL can be made substantially shorter but still directs to the intended page. You simply go to a URL shortening site and plug in the long URL that you'd like to shorten, and like magic you have a nice petite URL that's much nicer to look at and include in texts, emails, etc. The list of URL shorteners is ever-growing, so it's important to be familiar with this technique.

 

For example, let's say I want to share this Amazon item, "Archie McPhee Tin Foil Hats for Conspiracy Cats", but this is the URL I'd have to deal with:

https://www.amazon.com/Archie-McPhee-Foil-Hats-Conspiracy/dp/B07C169XZT/ref=asc_df_B07C169XZT/?tag=hyprod-20&linkCode=df0&hvadid=241981090934&hvpos=1o2&hvnetw=g&hvrand=1444417195024070507&hvpone=&hvptwo=&hvqmt=&hvdev=c&hvdvcmdl=&hvlocint=&hvlocphy=9011683&hvtargid=pla-457215596399&psc=1

I can go to a URL shortener like bit.ly, for example, paste that URL in, and simply click "Shorten". Now this is the output: https://amzn.to/2Re4EN1

This link accomplishes the exact same goal and redirects to that Amazon item but is much easier to manage and share.


Unfortunately, as you can imagine, this technique is increasingly being used by malicious actors. By redirecting unsuspecting victims through a shortened URL instead of linking directly to their exploited sites or phishing pages, they keep those pages from being exposed and increase their up-time.

 

Here are the 10 URL shorteners currently abused the most, according to SURBL:

  • bit.ly
  • bit.do
  • ow.ly
  • goo.gl
  • x.co
  • rebrand.ly
  • tinyurl.com
  • t.co
  • is.gd
  • ht.ly

 

Honorable Mentions:

  • app.link
  • cutt.ly
  • clck.ru
  • soo.gd
  • we.tl
  • 1drv.ms

 

Let's take a look at some examples of shortened URLs being used for nefarious purposes. You'll notice that the "To" field is empty or includes "Undisclosed-Recipients:". If you're unfamiliar with this tactic, which we're seeing more and more of, I go into detail about it in this separate blog.

 

In this example the shortened link redirects to a phishing page targeting Instagram account credentials.

 

Here we see a decently crafted phishing email and the shortened URL redirects to a Suntrust credential harvesting page.

 

And below we see another adequately crafted phishing email and the shortened URL redirects to a Spectrum credential harvesting page.

 

And lastly, we have another shortened URL that purports to be a shared SharePoint document, but as expected it redirects to a OneDrive/SharePoint phishing page.

 

Below are some trending phishing pages that we've been seeing; steer clear if you come across one of these. And remember, when you see multi-branded login pages like these, do not pass go, do not collect $200: these are 100% phishing. When I say multi-branded, I'm referring to the options to log in with Office 365, Outlook, AOL, Yahoo, or other email. These services all have their own servers, authentication protocols, etc., and you HAVE to log into them through their respective sites, not through a centralized site like you see with these examples.

These OneDrive branded phishing pages shown below continue to be extremely popular and effective.


 

Here are two separate Dropbox branded phishing pages that are currently being heavily distributed.


 

And finally here's a newly crafted Office 365 branded phishing page to watch out for.

 

Going forward, it's important to be wary of shortened URLs. Hover over links before clicking, as shown in the examples above, and always err on the side of caution. If you see a shortened URL that seems out of place based on the context of the email, please reach out to your IT/helpdesk team and have them investigate the link in a safe sandbox environment.
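For IT/helpdesk teams, the two indicators described in this post (a link whose host is one of the shorteners listed above, and an empty or "Undisclosed-Recipients:" To field) can be checked automatically before anyone clicks. The Python below is an added example, not code from the original post; the function names `shortener_for` and `triage` are hypothetical and the sample message is constructed.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Shortener domains listed in this post (SURBL top 10 plus honorable mentions).
SHORTENERS = {
    "bit.ly", "bit.do", "ow.ly", "goo.gl", "x.co", "rebrand.ly", "tinyurl.com",
    "t.co", "is.gd", "ht.ly", "app.link", "cutt.ly", "clck.ru", "soo.gd",
    "we.tl", "1drv.ms",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample message (not a real email); hosts and link ID are placeholders.
SAMPLE = """\
From: "Account Team" <notice@mail.example>
To: Undisclosed-Recipients:;
Subject: Action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Please <a href="https://bit.ly/EXAMPLE1">verify your account</a>.</p>
<p>Help: https://support.example.com/bit.ly/faq</p>
"""

def shortener_for(url):
    """Return the listed shortener a URL's host belongs to (exact host or
    subdomain, never a substring of the host or path), or None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in SHORTENERS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def triage(raw_message):
    """Report shortened links and a hidden-recipient To header in one email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    to_header = (msg["To"] or "").strip().lower()
    hidden_to = not to_header or to_header.startswith("undisclosed-recipients")
    links = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and attachments
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;)")  # drop trailing sentence punctuation
            if shortener_for(url) and url not in links:
                links.append(url)
    return {"hidden_recipients": hidden_to, "shortened_links": links}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit only means the link should be expanded in a sandbox before delivery or clicking, since shorteners also carry legitimate traffic. Shorteners outside the list (the `amzn.to` link earlier in this post, for instance) pass unflagged, so the set needs to be kept current.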

It can be time-consuming and inconvenient, but multifactor authentication is necessary nowadays and should be enabled whenever possible. An authenticator app is suggested, as it's the most secure. There are many options, and it's personal preference which one(s) to use.

And as always, if you, a loved one, or a co-worker suspect that you or they have been phished, immediately contact your helpdesk/IT team and change that password (as a precaution, everywhere that password was used).

 
