Prank URL Shortening Service is Good Security Basics Reminder

Prank URL Shortening Service is Good Security Basics Reminder

Many of us use URL shortening services on a daily basis, especially when dealing with short form communication tools such as Twitter.

Of course, it pays to be vigilant when presented with a shortening service link. While it’s a useful tools to have, there have always been issues with regards your possible final destination.

If you trust the person sending you the link but that individual was compromised, you may well find yourself on the wrong end of a malware attack or phishing link.

Over the last few days, a new URL shortening service called Shrturl has gone live which allows users to create an imitation of a real site, make some changes and save it under a Shrturl address for up to 48 hours before it self-deletes.

From there, the general idea is to troll and prank friends and enemies alike.

While there doesn’t seem to be a way to edit URLs on the spoofed pages as per Lifehacker (which would be a great way to send victims to phishing sites), it is a good reminder to check and check again when landing on critical websites you use on a daily basis via shortened links.

What can you do?

There are a few ways to find out where a link leads to if you’re not entirely sure clicking is the right thing to do.

For example, with a Bit.ly URL you simply place a “+” on the end and you’ll see some basic statistics and the final destination URL.

From there you can do some Googling and see if it pops up on a blacklist or security site. Where Goo.gl URLs are concerned, you place a “.info” at the end of the address to see the stats (and, again, the final destination).

It’s worth noting that not every shortening service provides the ability to see stats and / or links, so in those cases you can use something like Long URL which will expand the shortened links and give you the information you need to make an informed decision.

For now, the Shrturl service appears to be doing the “flagged / not flagged” dance via various browser blocks related to phishing [1, 2, 3].

At time of writing, no browser appears to be blocking it for me so it’ll be interesting to see what the various browsers out there settle on.

It’s up to us to make sure we know exactly what we’re getting into when clicking a link, and using some of the stat tools and URL expanders is a good place to start.

Christopher Boyd

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.