Analysis questions threat posed by URL shorteners

Kiwi service cited in February, Hurl.ws, not listed among main attack vectors

Concern over the danger of shortened URLs may be overblown, according to a report released on Wednesday by a researcher with security firm Zscaler. Further, a New Zealand-made URL shortener cited as contributing to the problem in late February appears nowhere in Zscaler's analysis.

Zscaler made the announcement in the wake of news from Twitter, which recently said it has implemented a new security system to scan all URLs posted in tweets to protect users from malicious sites. Popular URL-shortening site bit.ly made a similar move in November.


See also: Kiwi URL shortener cited in Twitter spam torrent

Zscaler argues the additional security may not be as necessary as previously thought. While Twitter and the shortened URLs used in Tweets are often blamed for leading users to malicious sites, Zscaler's Julien Sobrier found otherwise.

Sobrier investigated Twitter links both before and after the new security scan system was introduced. The researcher retrieved more than 1 million URLs from the public timeline over what he termed "a couple of weeks" before any protections were put in place. The links were run through the Zscaler infrastructure to find out which of them led to malicious sites. The experiment looked only for malicious sites, such as phishing and malware sites, and did not include spam.

A Sophos researcher cited the New Zealand-developed shortener, Hurl.ws, as being used to place malicious URLs into Twitter spam messages during a spate of Twitter account hacks in late February, after Twitter and Bitly had taken their protective measures. Hurl.ws is a service offered by Auckland-based company Bluespark. Founder John Ballinger told Computerworld he had taken action on the issue and had blocked the URLs within five minutes of the issue emerging. He says he has built a software tool to help speed that process.

Zscaler's research, using data from before link scanning was introduced and before Sophos cited Hurl.ws, shows no sign of the Kiwi service. However, one commenter on the post questions the analysis, pointing out that the attacks generally used direct messages to pass the shortened links around. Using URL data from Twitter's public timeline, therefore, may not reveal the real scale of the problem. It may also not reveal the shorteners being used.

Zscaler's results reveal that only 773 links led to malicious content, a mere 0.06 percent, according to Sobrier. Bit.ly represents 40 percent of all links, and roughly the same proportion of malicious links, according to Sobrier. Another shortening site, TinyUrl, represents only 5 percent of all URLs and 6 percent of all malicious sites.

"It does not look like bit.ly's phishing and malware protection is making it any safer than other URL shorteners," Sobrier said in a blog posting on the research.

Sobrier goes on to say the key to protecting end users is real-time scanning of both the URL and the content.

"Twitter and bit.ly can only scan the links periodically," he states. "Malicious websites try to hide their malicious content to non-users by checking the user agent or geography and by requiring a real browser which fully understands Javascript, Flash, etc. An attacker can present harmless content to the Twitter or bit.ly scanners, but harmful content to a real user."
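
The user-agent cloaking Sobrier describes can be checked for by fetching the same link under a scanner profile and a browser profile and comparing what comes back. The sketch below is an added example, not Zscaler's, Twitter's or bit.ly's code; the profile strings, the 0.8 threshold and the `short.example` sample responses are constructed assumptions.

```python
import difflib
import re
import urllib.request

# Constructed User-Agent strings: one automated scanner, one desktop browser.
PROFILES = {
    "scanner": "ExampleLinkScanner/1.0",
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0",
}
ACTIVE = re.compile(r"<(script|iframe|object|embed)\b", re.I)

def http_fetch(url, user_agent, timeout=10):
    """Live fetcher: follows redirects, returns (final_url, body_text)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl(), resp.read(1_000_000).decode("utf-8", "replace")

def normalize(body):
    """Mask digits and whitespace so timestamps or counters do not look like cloaking."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "0", body)).strip().lower()

def compare_profiles(url, fetch=http_fetch, threshold=0.8):
    """Fetch url once per profile and report how the responses differ."""
    (s_url, s_body), (b_url, b_body) = (fetch(url, PROFILES[p]) for p in ("scanner", "browser"))
    ratio = difflib.SequenceMatcher(None, normalize(s_body), normalize(b_body)).ratio()
    reasons = []
    if s_url != b_url:
        reasons.append("redirect target differs")
    if ratio < threshold:
        reasons.append("body similarity %.2f" % ratio)
    if len(ACTIVE.findall(b_body)) > len(ACTIVE.findall(s_body)):
        reasons.append("browser got more active content")
    return {"url": url, "suspicious": bool(reasons), "reasons": reasons}

# Constructed responses standing in for the network, keyed by (url, client is a browser).
SAMPLE = {
    ("http://short.example/a", False): ("http://news.example/story", "<p>Served at 1268400001</p><script src='/x.js'></script>"),
    ("http://short.example/a", True): ("http://news.example/story", "<p>Served at 1268400002</p><script src='/x.js'></script>"),
    ("http://short.example/b", False): ("http://blog.example/photos", "<h1>Holiday photos</h1><p>Nothing here.</p>"),
    ("http://short.example/b", True): ("http://landing.example/login", "<script src='/a.js'></script><form><input name='password'></form>"),
}

def fake_fetch(url, user_agent):
    return SAMPLE[(url, "Mozilla" in user_agent)]

if __name__ == "__main__":
    for link in ("http://short.example/a", "http://short.example/b"):
        print(compare_profiles(link, fetch=fake_fetch))
```

This compares only the user-agent signal; the geography and script-execution checks mentioned in the quote need fetches from other network locations and a real browser engine.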
