SHORTENED URLS: FRIEND OR FOE?
Posted by Dennis Dillman—Chief Operating Officer of PhishLine • 2/7/2017
Many of us enter the New Year with resolutions to improve our lives. Most of us might agree that we would like to save time and make life easier. The IT equivalent of this type of resolution could be the “shortened URL.”
Developed in response to ever-lengthening URLs, shortened URLs became prevalent via Google’s goo.gl, bitly, TinyURL.com, and a plethora of other organizations. Popular benefits of shorter URLs are that they can be branded for faster recognition, optimized for devices, and used for social marketing efforts.
However, the bad guys are effectively hiding behind the curtain of the shortened URL. Users are unable to hover over a shortened URL to determine where it actually leads. The shortened URL offers no clues about the actual destination of the link. Because shortened URLs are prevalent on social media, most users are familiar with them and inherently trust them. This opens the door to real risk for your data security efforts.
In addition to the human factor, shortened malicious URLs are often able to circumvent security controls. Many of the shortening domains used by black hat actors are also used by legitimate organizations, so they tend to be trusted by traditional blocking methods. Like passwords, longer URLs may be better when it comes to privacy expectations. In April, Wired Magazine published an article about Cornell Tech researchers’ ability to crack Microsoft and Google’s shortened URLs to gain access to private data. Symantec offers a concise explanation of the dangers of URL shortening in their Threat Activity Trends article, Malicious Shortened URLs on Social Networking sites.
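To make the blocking gap concrete, here is an added example (not PhishLine code) comparing a filter that judges only the visible shortener domain with one that judges every hop of the expanded chain. The domain lists and the redirect table are constructed sample data; a real resolver would read each hop's HTTP `Location` header instead of the `REDIRECTS` dictionary.

```python
from urllib.parse import urlsplit

# Constructed sample data; every name below is an assumption for this example.
SHORTENERS = {"goo.gl", "bit.ly", "tinyurl.com"}
BLOCKED_DOMAINS = {"malicious.example"}
# Stand-in for the Location header each shortener would return.
REDIRECTS = {
    "https://bit.ly/abc123": "https://tinyurl.com/xyz789",
    "https://tinyurl.com/xyz789": "https://login.malicious.example/reset",
    "https://goo.gl/q1w2e3": "https://www.example.org/newsletter",
    "https://bit.ly/loop1": "https://bit.ly/loop2",
    "https://bit.ly/loop2": "https://bit.ly/loop1",
}
MAX_HOPS = 5


def host(url):
    return (urlsplit(url).hostname or "").lower()


def is_blocked(hostname):
    # Match the blocked domain itself and any subdomain of it.
    return any(hostname == d or hostname.endswith("." + d) for d in BLOCKED_DOMAINS)


def expand(url, lookup=REDIRECTS.get):
    """Follow shortener hops; return (chain, complete)."""
    chain = [url]
    while host(chain[-1]) in SHORTENERS:
        nxt = lookup(chain[-1])
        # Unknown target, redirect loop, or too many hops: resolution failed.
        if nxt is None or nxt in chain or len(chain) > MAX_HOPS:
            return chain, False
        chain.append(nxt)
    return chain, True


def naive_verdict(url):
    # Traditional check: only the domain visible in the message is evaluated.
    return "block" if is_blocked(host(url)) else "allow"


def expanded_verdict(url):
    # Evaluate every hop; an unresolvable shortener link is held, not trusted.
    chain, complete = expand(url)
    if any(is_blocked(host(u)) for u in chain):
        return "block"
    return "allow" if complete else "quarantine"
```

The naive check allows `https://bit.ly/abc123` because bit.ly is not on the blocklist, while the expanded check blocks it on the final hop.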
Offering high-level testing and training about shortened URLs is a good way to combat the danger. PhishLine’s Tiny Domains and URL Shortener allow you to:
- Control the domains you use and enable the URL shortener on a case-by-case basis.
- Increase the engagement rate for non-traditional portable media campaigns, such as print campaigns. If you are asking your user to type in a URL, a shorter one is much easier.
- Test the hypothesis that your users are more likely to click on shorter links in a campaign than on longer ones, allowing you to develop training appropriate to them.
Contact us to learn how we can help you test and educate your users about the malicious sites hiding behind the shortened URL curtain.