Why Short Links and URL Shorteners Can Be Dangerous
Short links offer several benefits, including brevity, memorability, and the ability to track clicks and other activity. However, the risks associated with short links are often under-discussed.
A quick search for "free URL shortener" reveals hundreds of services, many of which don't require registration. While this ease of use is convenient, it also creates opportunities for malicious actors.
Anyone can create a short link, and this anonymity can be exploited. A malicious user could create a harmful website, shorten its URL, and then distribute the shortened link, making it appear more legitimate and potentially deceiving users.
Here are a couple of examples:
Example 1: Malware Distribution
- An attacker hosts malware at a URL like https://a-very-bad-website.org/virus.zip.
- They use a URL shortening service to create a seemingly innocent short link, such as https://short.link/abcdef.
- The attacker then uses an ad service to promote this short link.
- Unsuspecting users searching for an app on their mobile device might encounter this ad and click the shortened link, potentially leading to the download and execution of the malware.
Example 2: Phishing Attacks
- An attacker registers a domain name similar to a known bank's, for example, https://knownbankf.com (note the added "f").
- They use a URL shortener to create a link like https://short.link/knownbank-urgent.
- The attacker sends SMS messages with urgent or fear-inducing messages, urging recipients to click the link.
- The shortened link masks the slightly altered domain name, increasing the chances that the victim won't notice the discrepancy.
These are just a few examples; the possibilities are numerous.
While it's impossible to completely eliminate these attacks, URL shorteners can play a crucial role in mitigating them and making it more difficult for attackers to succeed.
One essential step is requiring registration for all users. Email verification should be mandatory; no verification, no service. Unfortunately, the competitive landscape of URL shortening often incentivizes services to prioritize user acquisition over security, allowing short link creation without registration. This practice, while beneficial for the shortening service, is detrimental to internet safety.
Secondly, URL shorteners should actively scan the URLs they shorten, detecting malicious websites and actors. By proactively identifying these threats, the service can warn users against proceeding to a potentially dangerous site.
However, detecting malicious URLs can be challenging. Attackers frequently use short-lived domains, making it difficult for detection tools to keep up. By the time a domain is flagged as malicious, the attacker has often moved on to a new one. Therefore, when a user clicks a short link leading to a new or unfamiliar domain, the URL shortener should provide a warning, educating users about the inherent risks. While the domain might be legitimate, users should exercise caution.
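The three measures above (verified registration before a link can be created, scanning the destination at creation and again at click time, and an interstitial warning instead of a silent redirect when the destination is new, unfamiliar or resembles a protected brand) can be combined into one small policy. The following is an added example written for this post; it is not Nimbli's code or any real shortener's. The domain records, the flagged-domain list, the protected-brand list and the "today" date are all constructed, the scanner is represented only by its output set, and the registrable-domain helper is a deliberate simplification (last two labels) that a real service would replace with the public suffix list.

```python
# Added example (not part of the original post, not Nimbli's code): a minimal
# URL-shortener policy that (1) refuses to create links for unverified accounts,
# (2) refuses destinations a scanner has flagged, and (3) serves a warning page
# instead of a silent redirect when the destination is unfamiliar to the service
# or resembles a protected brand. All data below is constructed for the example.
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed data standing in for the service's own records.
DOMAIN_FIRST_SEEN = {                 # domain -> date the shortener first saw it
    "github.com": date(2015, 1, 1),
    "knownbank.com": date(2016, 3, 9),
}
FLAGGED_DOMAINS = {"a-very-bad-website.org"}   # output of a hypothetical scanner
PROTECTED_BRANDS = {"knownbank.com"}            # brands checked for lookalikes
NEW_DOMAIN_DAYS = 30                            # "unfamiliar" threshold
DOWNLOAD_SUFFIXES = (".zip", ".exe", ".apk", ".msi", ".scr")
EXAMPLE_TODAY = date(2024, 6, 1)                # fixed clock so runs are deterministic


def host_of(url: str) -> str:
    """Lower-cased hostname, or '' for unparsable or non-http(s) URLs."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def registrable(host: str) -> str:
    """Simplification: last two labels. A real service would use the public
    suffix list so that names such as example.co.uk are handled correctly."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character brand lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> str | None:
    """Return the protected brand this host resembles, or None if it is the
    brand itself (including its own subdomains) or resembles nothing."""
    domain = registrable(host)
    for brand in PROTECTED_BRANDS:
        if domain == brand:
            continue                      # the genuine site, not a lookalike
        name = brand.split(".")[0]
        if edit_distance(domain, brand) <= 2 or name in host:
            return brand
    return None


@dataclass
class Account:
    email: str
    email_verified: bool


@dataclass
class ShortLink:
    code: str
    destination: str
    owner: str


class Shortener:
    def __init__(self) -> None:
        self.links: dict[str, ShortLink] = {}

    def create(self, owner: Account, destination: str) -> ShortLink:
        """Verification gate, then scanner gate, then store the link."""
        if not owner.email_verified:
            raise PermissionError("email verification required before creating links")
        host = host_of(destination)
        if not host:
            raise ValueError("destination must be an absolute http(s) URL")
        if registrable(host) in FLAGGED_DOMAINS:
            raise ValueError("destination flagged by scanner")
        link = ShortLink(secrets.token_urlsafe(5), destination, owner.email)
        self.links[link.code] = link
        return link

    def resolve(self, code: str, today: date) -> tuple[str, list[str]]:
        """Decide what a click gets: ('redirect'|'warn'|'block'|'unknown', reasons)."""
        link = self.links.get(code)
        if link is None:
            return "unknown", ["no such short link"]
        host = host_of(link.destination)
        domain = registrable(host)
        if domain in FLAGGED_DOMAINS:         # scanner may flag a domain after creation
            return "block", ["destination flagged by scanner"]
        reasons: list[str] = []
        seen = DOMAIN_FIRST_SEEN.get(domain)
        if seen is None or today - seen < timedelta(days=NEW_DOMAIN_DAYS):
            reasons.append(f"{domain} is new or unfamiliar to this service")
        brand = lookalike_of(host)
        if brand:
            reasons.append(f"{host} resembles {brand}")
        if urlsplit(link.destination).path.lower().endswith(DOWNLOAD_SUFFIXES):
            reasons.append("link points directly at a downloadable file")
        return ("warn" if reasons else "redirect"), reasons
```

In use, `create` runs when a registered user submits a URL and `resolve` runs on every click; a "warn" result means the redirect handler renders an interstitial listing the reasons and the full destination, and only continues if the user confirms. The domain-age check is the point the text makes about short-lived domains: a domain the service has never seen, or first saw within the last thirty days, is treated as unfamiliar even though it may be perfectly legitimate, which is why the outcome is a warning rather than a block.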
Even with these measures, attackers can still host malicious files and websites on legitimate platforms like GitHub, cloud storage services, or web hosting providers.
URL shorteners have a responsibility to protect their users and contribute to a safer internet. It's a constant game of cat and mouse, with attackers continually seeking new vulnerabilities and URL shortening services developing countermeasures.
Tips for Users:
- Be suspicious of unexpected links, especially those accompanied by a sense of urgency.
- Exercise caution when downloading or running files from the internet. Always verify the source.
- Be wary of SMS messages containing links, especially from purported banks or credit card companies.
- If you're unsure about a website's legitimacy, examine its content and look for broken links or other inconsistencies.
A Note from the Author:
When I launched Nimbli, I made some of the same mistakes as other URL shortening services. We've since worked diligently to improve our security measures and protect our users. We offer a free service with an optional premium subscription. At Nimbli, we're committed to internet safety. If you're looking for a reliable URL shortening service, please give us a try!