Spammers Abuse Short URL Services Like Twitter

MessageLabs research shows spam containing links masked via URL shortening services has jumped dramatically in the past few days

It’s no secret that the growth of Twitter and other social media sites has made URL shortening services a welcomed fact of life for many users. Unfortunately, it seems spammers have now taken notice, and are working shortened URLs into their schemes.

According to Symantec, there has been a significant increase in the amount of spam using links concealed with URL shortening services. During the past three days, the amount of spam containing short URLs has gone up from virtually nothing to 2.23 percent of all spam. Though that figure sounds small, based on Symantec’s statistics on global spam volume it could equal more than 3.5 billion spam messages per day.

“We’ve been monitoring the use of short URLs in regular email spam for the past few months and noticed that it had been used in small spam campaigns,” said Matt Sergeant, senior anti-spam technologist at MessageLabs, now a part of Symantec. “However, in the middle of last week, we saw it increase exponentially … to over 2 percent of total spam today.”

Security researchers have warned users to be extra-sceptical of shortened URLs because they mask the true URL and there is generally no way to see the destination the URL points to. One solution to the problem is the Firefox add-on called LongURL, which users can use to see where short URLs actually go.

URL shortening services have become particularly popular among users of Twitter and social networking sites such as Facebook. One of them, Cligs, was hit with an attack in June that redirected some 2.2 million URLs to a blog post. While in that case the impact of the attack was minimal, users could just as easily have been led to a malicious site.

In fact, Sophos reported a phishing attack on Twitter that did exactly that, redirecting victims to a phishing site that asked them for their name and password.

According to Sergeant, the spike in spammers abusing URL shortening services is tied to the Donbot botnet, and indicates that the botnet operator has found a way to automate the creation of short URL links either within the botnet code or in the templates being sent out. Since URL shortening services don’t require the creation of an account – something that would force spammers to crack a CAPTCHA mechanism – it’s easier to automate the process, he said.

“[Donbot] is not one of the biggest botnets out there, but it sends a high volume of malicious content and is responsible for about five million spam emails,” Sergeant said. “The nodes or infected computers are placed all over the globe, so despite being fairly small, it sends a large volume. It’s an efficient botnet for sending spam and is used for the typical type of spam we see every day from weight loss to male enhancement.”

Though URL shortening services typically have filters in place, the filters are normally retroactive, making the problem difficult to manage, Sergeant said.

“There’s really not much they can do other than take down the link once they’ve determined it to be spam,” he said. “Users need to be wary of what they click on and only trust emails with links that you are expecting to receive.”