While there is often a lot of talk about the downside of URL shorteners being that if they go down, they take your links with them, the much more obvious and real problem is that they very easily mask potentially bad sites. We’ve been seeing this more and more in both public tweets and DMs, but luckily so far most of those have just been worms meant to replicate themselves, rather than really bad viruses. But security software company Symantec released a video today to show some very bad links in action.
As you can see in the video below, clicking on just one link infected a computer a dozen or so times in seconds. Obviously, Symantec’s intention in showing this is to sell the software that helps protect against these attacks, but the point is still a good one to make. While URL shorteners like Bit.ly have begun warning users about potentially harmful links, others don’t bother. And let’s be honest, most of us click on links from friends regardless of which URL shortener they are using.
Yesterday, Twitter was bombarded by tweets using the hashtags “beforesex,” “aftersex,” and “duringsex.” It wasn’t long before people were using those tags to send out malicious links. It’s a problem because virus makers know that any trending topic is likely to be searched for a lot, so they can just ride that wave and catch unsuspecting users who are curious to click on links.
Google’s Joshua Schachter, who started Delicious, wrote about this and the other problems with URL shorteners earlier this year.
How exactly is the URL shortener a security risk? The only risk is the Human v1.0 being stupid and ignoring the 50934873452 (approx) warnings of “DONT INSTALL STUFF, STOOPID!” scrawled across newspapers and journals and blogs and everything that isn’t a gas or liquid.
Well it’s sad to know that VCs, Entrepreneurs & Marketing Execs just don’t get security.
I’m glad to have the security & IT infrastructure knowledge I do have from 4 years of doing it as a job and racking up certifications.
Let’s address some misconceptions:
1. No, twitter doesn’t suck.
2. No, URL shorteners don’t suck.
3. No, Firefox is not immune to this.
4. No browser is immune to this so don’t blame Internet Explorer specifically.
The first thing is that you, as a user, need to recognize when something nefarious is going on. That window was clearly within Internet Explorer so you simply minimize the window, it goes away and it’s clear that was a spoofed action that wasn’t actually happening.
The second thing is that having up to date security software is key if you’re on a Windows PC. Just have it up to date and if you’re using Vista or Windows 7, have UAC (user Access Control) ENABLED to avoid viruses getting root access to your system.
Firefox, Google, Bit.ly (as noted in this article) all do their best to identify nefarious domain names & web pages early on so they can warn the end user with a notification that you’re about to enter into a site that could harm your computer. This usually doesn’t work but it’s there and not all sites are flagged correctly.
The URL shorteners can and sometimes do warn the end user or kill shortened links that go to nefarious sites, but it’s a spotty system, and Twitter and anyone else that tries to help the end user is still going off this same list that’s located at http://www.stop...rg/home/badware.
That site is what most content distribution tools use to warn the user. If that site doesn’t know the site is bad then you’re on your own.
That’s why having an up to date Windows Defender, Ad-Aware, Spybot, Spyware Blaster and Symantec Antivirus is crucial to protect yourself.
It’s sad that all of the comments are blaming Twitter, URL shorteners or other parties but really it’s all about the end user.
If I disable all of my anti-virus tools and install a virus on my computer, it’s my fault, pure and simply.
One thing that’s also important to note is that companies like Symantec make millions of dollars selling software & upgrades mostly because users are afraid of getting a virus or they’re just too dumb to know not to click on something that’s going to infect their PC. It’s Symantec’s job to point fingers and try to get you in to using their software.
It’s a cat & mouse game at the end of the day, but once again, Twitter sucks and Windows sucks and that’s what people will always say. Why should I even try?
URL shortener services are the dumbest thing ever, thanks to the second dumbest thing being the glorified RSS server Twitters 140 character limit. You don’t even have to install anything, if your browser, flash, pdf app, java app, has a vulnerability, you are infected. End of story. Thank you Twitter.
This comment hits the nail on the head.
This is why I started using tweetmixx.com for my twitter–they expand short links, not just to show the “real” URL, but the headline and title. And if tweetmixx can’t expand the URL then I just pass it on by.
I see Internet Explorer in the video.
How vulnerable is Firefox in that respect?
What do you think?
I never understood the URL shortener craze… I just bought my own memorable domain and make easy to remember subdomains for links I want to make.
Here you can see another Symantec effort to catch more customers during the global crisis.
Another Symantec marketing campaign, as far as I can see.
hehehe
Wise move by Symantec. But the point they have stressed on is valid. BEWARE of URL shorteners.
I will definitely keep on top of this. I have been using cli.gs through my wordpress widgets. Hopefully I am not at risk.
Sad part is that bit.ly is using a Lybian TLD for their domain name. Last time I checked, Lybia wasn’t exactly the most US friendly country in the world. Then again, most Twitter users probably couldn’t tell you what continent Lybia is on.
There is no reason that Twitter couldn’t have built in a mechanism for providing URL’s without having to use an external shortener.
It just drives me crazy that $2Mil in VC went to bit.ly which is all of about 300 lines of PHP code my 15 year old could write in one evening. In fact, my son did write his own tinyurl clone three years ago when he was 12yo, two years before bit.ly came into being.
While I agree with you that the concept behind URL shortening services is extremely simple, you clearly have no understanding of why businesses get funded/acquired/sold.
While your 12yo son may have easily written the code in one evening, I’m pretty sure he doesn’t have the resources (think servers and hiring people to maintain these servers) to store millions of these links in a db. Not to mention needing even more resources to access these links correctly/quickly, running analytics on it and a whole lot of other stuff that comes with maintaining a huge database of links.
Businesses get funded, acquired, etc. not because they are simple. It’s because they are usually the most popular one. They get funded not because of their technology but because of their user base.
p/s: most users should be able to spell Libya.
Bit.ly getting $2mil sounds about right, considering Twitter with $0.0 income is valued at $1 billion. And why can’t Twitter just shorten URLs automatically when people post tweets with URLs? Or just don’t count URLs against the 140 character limit. Just another reason I don’t like Twitter.
Maybe they don’t know what continent it’s on because Lybia sounds more like a female organ than a country.
Libya on the other hand…
I have little remorse for people who get a virus, and it’s not because I have a Mac. Only that most of the time it was a “should have known better” situation. They explain to technicians that their computer mysteriously crashed for no reason, as opposed to it stopped working after they clicked on a link titled “free nude teens”.
As our internet based social networks grow and become more diluted with unfamiliar connections, we as careful users ought to be cautious about following links from strangers. We ought to treat social networks with the same respect as we do with real-life face to face contacts in that relationships online should establish a certain level of trust between users before following questionable links from questionable contacts.
Let me put this into a hypothetical context.
You and your friend Jack123 go to your local bar. The two of you are enjoying drinks and having a casual conversation when Jill321 overhears your conversation, begins to follow you and starts inserting herself into your conversation, responding @you with stuff like “you’ve got to check out this club I know called #aftersex”. After that Jill321 heads towards the door and motions for you to follow her. What do you do? Follow this complete stranger? Well, in real life you would never follow that complete stranger; you would rightly hesitate and expect the worst. Is it too good to be true? Probably is. So if you wouldn’t do it in real life, why do it online?
I apply this scenario often when interacting with social networks. This virtual place is not your bedroom or office, it is a bar, and everyone is listening. What you wouldn’t do or say in public you shouldn’t say or do in social networks.
This common logic goes for both social network connections and search results in general: if it looks fishy it probably is. The best way of protecting yourself from STDs (Search Transmitted Diseases) is to only click on links from trusted sources.
This is an immature way of looking at it. First off, attacks don’t always use pr0n as the hook. Movies, music, games, and software are also popular. Second, and more importantly, attackers find complicated ways to spoof trusted individuals. Sure, blame some dupe for clicking when @sexysoundingname tweets “see my nudes http://xxxxx #aftersex #beforesex President Obama” but what about when @bestfriend tweets “check out this amazing site i found! http://xxxxx“? When you say “only click on links from trusted sources” you neglect to mention that friends can be compromised in a CSRF attack.
But additional to the fact that attackers are using better bait, they are also making strides to look more trustworthy. In this video, the “security scan” looks very clean and professional. It’s hard to blame the Average Joe for believing that this is a valid security scanner that came packaged with the computer. Especially when the victim takes the bait of something like an illegal movie download, you probably can’t blame them for thinking that they might have just clicked a virus, and that their computer caught it and is now running a scan to mitigate the damage.
Of course, we can try our best to educate the entire population about security best practices. But one of those best practices is still going to be to install a good AV. (Followed very closely by, don’t pretend you are immune to attack just because you’ve installed an AV or just because you are somewhat security-minded.)
I use URL shorteners on Twitter because of the character limitation. A lot of people use them to hide affiliate links, which I think is stupid; however, point being, it is what it is…. As far as the above comments, yup, you are what u r…. In the end it’s the user’s fault if they are careless opening up any kind of link.
It’s nothing to do with short links; they’re just used because it’s easier to post links on Twitter. This has been happening for years; before bit.ly and others, the people spreading it just had to use cleverer domains, and it really wasn’t any extra effort.
Sure, url shorteners have made it easy but if anything is at fault it’s twitter for making it so easy (not that they are, but it’s more them than url shorteners).
You have to be a tit to download that software anyway.
This is a very valid and valuable post. We should be aware of what we are clicking on Twitter because every link posted there is being masked.
There is a solution to this chaos – Readtwit.
Readtwit takes all of the links posted by your Twitter stream and turns them into an RSS feed; that way all of your links will be resolved automatically and posted into your RSS feed without you having to click on shortened links.
Short URLs are only a risk if you don’t use them properly: you don’t click them without verifying the destination. One of the solutions is:
http://sucuri.n...title=check-url
It shows the real URL, plus it will test it against Google Safe Browsing and SiteAdvisor, letting you know whether or not the URL is safe to visit.
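Both the comment above about a URL-checking service and the earlier one about Twitter and the shorteners all working off the same badware list describe the same two steps: expand the short link without rendering the destination, then compare what you find against a blocklist. The script below is an added example of that procedure; it is not code from the article, from Symantec, Sucuri, Bit.ly or any commenter. The redirect map, the blocklist and every hostname in it are constructed for illustration, and `fake_fetch_location` stands in for the network so the example runs offline; a real deployment would replace it with an HTTP HEAD request that does not follow redirects (so the destination page never loads) and would load the blocklist from a maintained feed such as the StopBadware list or Google Safe Browsing.

```python
"""Resolve a shortened URL hop by hop without visiting the destination, then
check every host in the redirect chain against a blocklist.

Added example for this thread, not code from the article or from any of the
services it mentions. All URLs, hosts and the blocklist below are constructed.
"""
from typing import Callable, Dict, List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the network: URL -> value of the Location header a
# HEAD request would return (None means the URL does not redirect).
FAKE_REDIRECTS: Dict[str, Optional[str]] = {
    "http://short.example/abc": "http://other-short.example/x9",   # shortener chained to a second shortener
    "http://other-short.example/x9": "http://news.example/article/42",
    "http://news.example/article/42": None,
    "http://short.example/bad": "http://malware-host.example/scan.exe",
    "http://malware-host.example/scan.exe": None,
    "http://short.example/loop1": "http://short.example/loop2",     # redirect loop
    "http://short.example/loop2": "http://short.example/loop1",
}

# Constructed blocklist of hostnames; a real one comes from a maintained feed.
BLOCKLIST = {"malware-host.example"}

MAX_HOPS = 5  # shorteners chain a few hops at most; more than this is suspicious


def fake_fetch_location(url: str) -> Optional[str]:
    """Constructed substitute for a non-following HEAD request."""
    return FAKE_REDIRECTS.get(url)


def expand_url(url: str,
               fetch_location: Callable[[str], Optional[str]] = fake_fetch_location,
               max_hops: int = MAX_HOPS) -> dict:
    """Follow redirects one hop at a time until a non-redirecting URL is reached.

    Returns the whole chain, the final URL, and a reason if expansion stopped
    early (redirect loop or hop limit) so the caller can refuse unresolved links.
    """
    chain: List[str] = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        nxt = fetch_location(current)
        if nxt is None:
            return {"chain": chain, "final": current, "stopped": None}
        if nxt in seen:
            return {"chain": chain + [nxt], "final": None, "stopped": "loop"}
        seen.add(nxt)
        chain.append(nxt)
        current = nxt
    return {"chain": chain, "final": None, "stopped": "too_many_hops"}


def classify(url: str, blocklist=BLOCKLIST, **expand_kwargs) -> dict:
    """Expand, then judge the whole chain, not only the final URL: a blocklisted
    intermediate hop is still a hit, and a chain that cannot be fully resolved
    is reported as unresolved rather than silently treated as safe."""
    result = expand_url(url, **expand_kwargs)
    hits = [u for u in result["chain"] if (urlparse(u).hostname or "") in blocklist]
    if hits:
        verdict = "blocked"
    elif result["stopped"]:
        verdict = "unresolved"
    else:
        verdict = "ok"
    return {**result, "blocklist_hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://short.example/bad",
              "http://short.example/loop1"):
        r = classify(u)
        print(f"{u} -> {r['verdict']}: {' -> '.join(r['chain'])}")
```

The design choice worth noting is that the expander never issues a GET and never follows a redirect automatically, so no script, Flash or PDF on the destination is ever fetched by the checker; a loop or an over-long chain yields "unresolved" rather than "ok", which matches the commenter's advice to pass on any link that cannot be expanded.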
“Our fears always outnumber our dangers.” ~ Ancient Romans.
This Post Comment form offers a shortened URL. Hilarious!
I use Twitter on a Mac. Am I also in danger?
If you’re stupid enough to click run/save on a program like that then you shouldn’t be on the internet…