Tiny URLs can be big security risks

If you had to choose between a short or long URL, you’d probably opt for the shorter one. After all, it’s easier to remember and takes less time to send via email or instant message, or post to a Web site or a blog. Web services such as TinyURL and Bit.ly are making it easier for users to create shorter URLs or aliases that redirect to longer URLs. Phishers, however, are finding these services useful too!

Phishers are exploiting URL-shortening utilities to conceal the identity of links to malware sites. For example, using the TinyURL tool, you can enter a long URL such as _jm_hub.uix?/mID=133797575&mConfKey=nas6&/emailAddr=john_doe@ncsu.edu/ncsu-wolfpack.html and have the service return a much shorter alias that redirects to it. The intent, according to the TinyURL Web site, is to avoid long URLs breaking after being cut, pasted, and truncated between email systems. The shortened URL, however, adds a level of indirection and hides the actual location the link points to. A shortened URL makes a phishing message look less suspicious than the full URL would, because the real destination could be a host entirely unrelated to the site the spam message appears to come from. Trojans use the same approach, sending shortened URLs in instant messages to their victims' buddy lists.

Beware of any email or instant message that you are not expecting or that comes from an email address or sender you do not recognize. Do not click on any link (in an email, instant message, blog, tweet, etc.) – whether short or long – if you are unsure of the authenticity of the URL in the link.

OIT Security and Compliance advises campus Internet users to use a Firefox add-in called LongURL mobile expander that will expand shortened URLs to reveal the full URL for visual validation. Users of any browser can also expand a shortened URL at LongURL before using the link.
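The same expansion can be done without a browser: follow the shortener's HTTP redirects one hop at a time, never loading the final page, and compare the destination host with the domain the message claims to come from. The code below is an added example, not part of this advisory or of the LongURL service; the shortened alias, the redirect chain and the destination host in it are constructed so the example runs offline.

```python
"""Expand a shortened URL hop by hop and check where it really lands.

Added example (not from the original advisory). Only the standard library is
used. `fetch` is injected so the constructed chain below runs offline; for a
live check pass `head_request`.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5  # shorteners sometimes chain to other shorteners; never loop forever
REDIRECTS = (301, 302, 303, 307, 308)


def head_request(url):
    """HEAD one URL and return (status, Location) without following the redirect."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib surface 3xx as an HTTPError instead of following
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def expand(short_url, fetch=head_request):
    """Return every URL visited, ending at the first non-redirect response."""
    chain = [short_url]
    for _ in range(MAX_HOPS):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise ValueError("too many redirects: %r" % chain)


def destination_matches(chain, claimed_domain):
    """True if the final host is the claimed sender's domain or a subdomain of it."""
    host = (urlparse(chain[-1]).hostname or "").lower()
    claimed_domain = claimed_domain.lower()
    return host == claimed_domain or host.endswith("." + claimed_domain)


# Constructed responses standing in for a real shortener hop (all values made up).
FAKE_RESPONSES = {
    "https://tinyurl.com/EXAMPLE": (301, "http://unrelated-host.example/login"),
    "http://unrelated-host.example/login": (302, "/login?emailAddr=john_doe%40ncsu.edu"),
    "http://unrelated-host.example/login?emailAddr=john_doe%40ncsu.edu": (200, None),
}


def fake_fetch(url):
    """Offline stand-in for head_request, answering from FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    chain = expand("https://tinyurl.com/EXAMPLE", fetch=fake_fetch)
    print(" -> ".join(chain))
    print("lands on ncsu.edu:", destination_matches(chain, "ncsu.edu"))
```

Comparing the final hostname against the sender's claimed domain is exactly the visual validation the advisory asks users to do with LongURL, made mechanical.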