URL Shortening Service Cligs Hacked

Published: 2009-06-16
Last Updated: 2009-06-16 18:54:58 UTC
by John Bambenek (Version: 1)
2 comment(s)

A post over at Cligs talks about an intrusion with their URL shortening service.  In essence, an malicious individual got in and edited all the destination URLs to point to freedomblogging.com, likely for nefarious purposes. This exposes two problems with URL shortening services.

1) Previously, malware domains tend to be easy to spot. The URLs tend to be less and less sensical as it is difficult to get a domain name that looks close enough to a legit site.  However, with URL shortening you are using a well-known and "safe" domain.  There is generally no way (for most services at least) to see the destination URL that a shortened URL points to.  For twitter and facebook, URL shortening services are common and no one thinks twice of them.  E-mail has become a less reliable means for phishing because of the anti-spam services involved. With URL shortening, it becomes easier because it "looks legit". It's little more than an accepted form of obfuscation.

2) Most URL shortening services are not highly financed (nor do they need to be). If a URL shortening service was penetrated, it would be easy to take a popular shortened URL and modify it to point to malware instead the intended "clean" site.  This is what happened with Cligs.

The bad news: We are behind the curve on dealing with this threat.

The good news: Some simple steps could be used to help prevent this.  "Blocklisting" malicious domains from URL shortening, deactivating known malicious shortened URLs and more real/near-time monitoring of what URLs get shortened to shorten the detection cycle.

--
John Bambenek
bambenek /at/ gmail /dot/ com

 

 

2 comment(s)

Comments

that's what they get for allowing people to edit the URL's after they've been entered into the system. last i checked, tinyURL doesn't allow editing.
You should always preview the domain before accessing it. TinyURL supports it (go to preview.tinyurl.com instead) and for the others you can verify at:

http://sucuri.net/?page=tools&title=check-url

It will retrieve the real url and check against google safe browsing and Site advisor.

Diary Archives