TinyURL: the Tiny Terror

The Register today ran a story about the phishing attack spread by the Google Talk instant messaging system, which uses TinyURL to conceal the real name of the link. John Leyden’s story (quoting Graham Cluley at some length) makes several good points about reducing your exposure to the threat, and Graham’s blog makes some more.

This is yet another case of a good idea being misused for evil purpose: TinyURL offers you a way to avoid mailing long URLs that cause irritation by getting broken in transit, so that the recipient has to do some cut and pasting in order to get it into their browser. However, it’s obviously possible to make it harder to see what any URL really is, and that’s what happened here. Fortunately, TinyURL have done the decent thing and fixed this particular issue by blacklisting the malicious site, though obviously it wouldn’t be difficult for the gang to get round that by changing the site, for example.

This isn’t the first time that a malicious site has been camouflaged by giving it a TinyURL short name, of course, though it doesn’t seem to happen as often as you might think. That might be because there’s actually a semi-fix to the issue. On TinyURL’s front page, there’s a link to Preview Feature, which (as long as you’re willing to have cookies enabled) allows you a little extra security. If you enable Preview Feature, then click on a TinyURL, then instead of opening the target page straightaway, a page will be opened on the TinyURL site that tells you what the real target URL is and offers to take you there.

This really offers very limited extra security: it doesn’t prove that the site you eventually land on is what it says it is, and it doesn’t stop a criminal from using another site with similar name shortening functionality. Still, if you think you’re going to a particular website and realize that the real target has a name that doesn’t look right, that’s better than nothing. At the very least, it means that the bad guys have to work a bit harder to look "innocent."

Update: I just happened upon a site at http://www.surl.co.uk which offers a similar service to TinyURL’s (with some quirky additions that I’m going to have to play with :-D). sURL also takes you to a preview page, but you can’t turn it off (which seems like a very good idea to me: how about it, TinyURL?) It also adds some nice little security touches like telling you whether it’s listed in hpHosts, MDL or PhishTank. Nice.

Director of Malware Intelligence 

Author David Harley, ESET

  • Stefanie

    You can reveal the target URL on the fly by installing a Firefox extension (or a Greasemonkey script if you prefer) called LongURL Mobile Expander. When you mouseover a shortened link, a tooltip displays the target URL. You can also enter a shortened URL at longurl.org to get the information.

    Even if you have an awesome virus detector, the expander is useful in avoiding those “pranksters” who try to get you to click links that lead to gross/nauseating/creepy pictures.

    (Note: I’m not affiliated in any way with longurl.org; I’m just a user who really likes to know what she’s clicking on)

  • David Harley

    Sounds good. I must take a look at that.

  • Shawn

    I’ve been using the service is.gd (http://is.gd) written by some “sarcastic English guy” mainly because it was the shortest one I can remember from time to time. At any rate, with this particular service, simply including a (-) hyphen at the end of the shortened URL automagically takes you to a preview page. The shortURL for this page (with preview) is: http://is.gd/my5F-

Follow us

Copyright © 2017 ESET, All Rights Reserved.