Phishing and the risk of shortened web addresses.

October 22, 2016

Over the past few years there has been an explosion in the uptake of URL shortening services. Find out why these can be harmful to you or your business and what you can do to help protect yourself...

The Problem

Firstly, I need to state that the service providers themselves are legitimate, but they are increasingly being used by people intent on stealing your information or taking you to a dodgy site. Nearly every clever phishing email I see now uses a link that is hidden behind a third-party shortened address.

You've probably seen emails or links on sites that start with something like http://bit.ly or http://tiny.url, two common examples. These services take any URL (web address) and turn it into something much shorter.

Here's a quick example. The full web address for this post is http://www.datalossprevention.co.uk/single-post/2016/10/22/The-curse-of-shortened-web-addresses and, using bit.ly, the same address is shortened to http://bit.ly/2eswUG0.

These services are great if you want to take a long address and make it short; it was the boom of Twitter, with its 140-character limit, that really promoted their use. But here is why bad people are using them: they make it easy to fool you into clicking through to a site you would never dream of visiting if you saw the actual destination address.

Whenever you visit a web page or receive an email that has links on it, you can hover your mouse over the text and you will see where it is going to take you. Have a look and hover over the "click here" text (if on a tablet or smartphone, press and hold on the link and you should get a pop-up asking if you would like to open it; this will show you where it is going to).

As your mouse pointer hovers over the link, you can see that it will take you to www.datalossprevention.co.uk. This means that before you click, you have a chance of knowing where you are going to end up. If you hover over http://bit.ly/2eswUG0 you will see that you don't stand a chance of knowing where it is going to take you until you click...

It is also easy to fool people by making a link look like it goes to one site when the address underneath is something different: take a look and do a search on http://www.google.com. This is why it is important to always check before you click, and why URL shortening services can be bad for your security.

What can you do?

Whether you are a business or someone just wanting to make themselves a little safer, there are several things which are relatively easy to achieve.

1.) Train your staff or yourself to check before you click.

2.) If you have received what looks like a shortened link, before clicking on it move the mouse pointer over it, right-click the link and then copy the address/shortcut. Once you have copied the link, you can use a service such as http://checkshorturl.com/; such sites will visit the link for you and let you know where you will end up if you click it.

3.) If you are able to block access to shortening service sites, consider doing so. Services such as OpenDNS or Forcepoint have systems that can do this automatically.

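The checks in steps 1 and 2, comparing what a link says with where it really goes and then expanding a shortened address before anyone visits it, as an added Python example (not code from the original post or from checkshorturl.com). It follows redirects one hop at a time with HEAD requests so the final destination is never opened in a browser; the shortener host list and the injectable `fetch` callback are assumptions made for this example.

```python
import http.client
import re
from urllib.parse import urljoin, urlparse

# Hosts treated as URL shorteners (constructed list for this example).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
REDIRECTS = {301, 302, 303, 307, 308}

def hostname(url):
    return (urlparse(url).hostname or "").lower()

def is_shortened(url):
    return hostname(url) in SHORTENER_HOSTS

def text_mismatch(link_text, href):
    """True when the visible text looks like an address but names a different host from the real target."""
    m = re.match(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})", link_text.strip(), re.I)
    return bool(m) and m.group(1).lower() != hostname(href)

def head_fetch(url, timeout=5):
    """Issue a single HEAD request and report (status, Location) without following anything."""
    p = urlparse(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.netloc, timeout=timeout)
    conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

def expand(url, fetch=head_fetch, max_hops=10):
    """Follow redirects one hop at a time and return the whole chain, ending at the final destination.
    `fetch` is injectable so the logic can be checked against canned responses; loops are reported, not followed."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)

def check_link(link_text, href, fetch=head_fetch):
    """What a reader would want to know before clicking, as a list of findings."""
    findings = []
    if text_mismatch(link_text, href):
        findings.append("text shows %s but the link goes to %s" % (link_text, hostname(href)))
    if is_shortened(href):
        findings.append("shortened link, final destination: " + expand(href, fetch)[-1])
    return findings
```

Run `check_link("click here", "http://bit.ly/2eswUG0")` with the default fetcher to resolve a real shortened address; pass a canned `fetch` to test the logic offline.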

Pun aside, some of the larger shortening services do perform basic security checks on the links they create, but you cannot rely on them to catch everything. If you are a business, you should assess whether blocking such sites would cause more trouble than it would fix. There are always different approaches to addressing the risk; blocking access may or may not work for you, but in our other blog posts you'll find tips that may offer an alternative solution.

Summary

I've successfully implemented blocking and exception processes at many organisations, with an immediate and obvious reduction in the risks posed by phishing-style email attacks, but this approach may not work for you. Look out for further blog posts where I'll show you other forms of defence that, when combined, will really strengthen your position whilst limiting or even making no impact on your users' experience.

Remember to educate people on the risks of shortened addresses and on how to do simple checks, such as hovering over a link or checking the address first using something like http://checkshorturl.com/.

Get in touch if you would like help in improving protection for yourself or your business.
