The Register today ran a story about the phishing attack spread by the Google Talk instant messaging system, which uses TinyURL to conceal the real name of the link. John Leyden’s story (quoting Graham Cluley at some length) makes several good points about reducing your exposure to the threat, and Graham’s blog makes some more.
This is yet another case of a good idea being misused for evil purposes: TinyURL offers you a way to avoid mailing long URLs that cause irritation by getting broken in transit, so that the recipient has to do some cutting and pasting in order to get the link into their browser. However, it’s obviously possible to use the same service to make it harder to see what any URL really is, and that’s what happened here. Fortunately, TinyURL have done the decent thing and fixed this particular issue by blacklisting the malicious site, though obviously it wouldn’t be difficult for the gang to get round that, for example by changing the site.
This isn’t the first time that a malicious site has been camouflaged by giving it a TinyURL short name, of course, though it doesn’t seem to happen as often as you might think. That might be because there’s actually a semi-fix to the issue. On TinyURL’s front page, there’s a link to Preview Feature, which (as long as you’re willing to have cookies enabled) allows you a little extra security. If you enable Preview Feature, then click on a TinyURL, then instead of opening the target page straightaway, a page will be opened on the TinyURL site that tells you what the real target URL is and offers to take you there.
This really offers very limited extra security: it doesn’t prove that the site you eventually land on is what it says it is, and it doesn’t stop a criminal from using another site with similar name-shortening functionality. Still, if you think you’re going to a particular website and realize that the real target has a name that doesn’t look right, that’s better than nothing. At the very least, it means that the bad guys have to work a bit harder to look "innocent."
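The preview page described above amounts to resolving the short link's redirect chain without landing on the final page. The following is an added illustration (not code from the post or from TinyURL) of that check done client-side: it walks each redirect hop by hand, caps the number of hops, detects loops, and compares the final hostname with the one the reader expected. The `example`/`test` hostnames and the `FAKE_HOPS` table are constructed stand-ins so the code runs offline.

```python
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener


class _NoRedirect(HTTPRedirectHandler):
    # Returning None refuses the redirect, so the opener raises HTTPError
    # for the 3xx response and each hop stays visible to us.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_lookup(url, timeout=5):
    """One hop: return the Location header, or None if the URL is final.
    Uses HEAD; some shorteners only answer GET, so adjust if needed."""
    opener = build_opener(_NoRedirect())
    try:
        resp = opener.open(Request(url, method="HEAD"), timeout=timeout)
    except HTTPError as err:
        return err.headers.get("Location") if 300 <= err.code < 400 else None
    return resp.headers.get("Location")


def preview(url, lookup=http_lookup, max_hops=5):
    """Walk the redirect chain without visiting the landing page.
    Returns (chain, status) with status 'final', 'loop' or 'too-many-hops'."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = lookup(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "too-many-hops"


def looks_like(url, expected_host):
    """True if the URL's host is expected_host or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host == expected_host or host.endswith("." + expected_host)


# Constructed redirect table standing in for live lookups (not real sites).
FAKE_HOPS = {
    "http://tinyurl.example/abc": "http://login.examp1e-bank.test/",
    "http://tinyurl.example/loop": "http://other.example/x",
    "http://other.example/x": "http://tinyurl.example/loop",
}


def table_lookup(url):
    return FAKE_HOPS.get(url)
```

With the real `http_lookup`, `preview("https://tinyurl.com/...")` shows the true target before anything is rendered; the `looks_like` check is where a human (or a script) notices that the resolved host is not the bank it claimed to be.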
Update: I just happened upon a site at http://www.surl.co.uk which offers a similar service to TinyURL’s (with some quirky additions that I’m going to have to play with :-D). sURL also takes you to a preview page, but you can’t turn it off (which seems like a very good idea to me: how about it, TinyURL?). It also adds some nice little security touches, like telling you whether the target is listed in hpHosts, MDL or PhishTank. Nice.
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
Author David Harley, ESET