Two words: URL shorteners. We’ve all seen them and probably used them ourselves, mainly because of character limits on posts in online services like Twitter, but also simply to hide a long, deeply nested URL behind something friendlier to look at.
Herein lies the double-edged sword. What can be used to obscure long or complex URLs pointing to legitimate sites can also be used to conceal addresses of sites meant to do harm. This is no new revelation. The potential security issues around shortened URL links have been discussed, argued and blogged about since their inception. There have been well-documented examples of URL short links being cracked and rewritten to redirect users to sites other than the intended ones, where they can fall victim to phishing scams or malware attacks.
Here is just one example, of many phishing scams (DocuSign, Netflix, Amazon, etc.), that involves a receipt from Apple. First let’s look at a valid receipt. It’s clean, formatted well and there are no typos.
Also, when you mouse over the links you’ll see full URLs.
Now, let’s take a look at an image from a phishing email.
Looks pretty close at first glance, but as you inspect the message you can see both glaring and subtle differences, highlighted and circled in the image below. You’ll see typos and missing or misplaced information: it says “Invoice” instead of “Receipt”, for example, and “Cancel Order” where the valid receipt says “Report a Problem”.
And when you mouse over the hyperlinks you’ll note that they are Short Links/URLs, instead of the full links from the valid receipt. This one was created via Twitter, Inc shortener https://t.co, but there are several other short URL providers including, but not limited to, TinyURL LLC (tinyurl.com), Bitly, Inc (bit.ly) and Google, Inc (goo.gl).
Luckily there are a number of third-party browser add-ins and websites that can expand a short URL and ask whether you want to continue on to the site. Here is an expanded example of the shortened link above:
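For readers who want to see what those expander tools do under the hood, here is an added example (my own illustration, not code from the original post or from any of the shortener providers named above). It walks a short link one redirect at a time using HEAD requests, so the page behind the link is never actually loaded, and it reports whether the final destination lands on the domain the email claims to come from. The shortener list is an assumed, illustrative set taken from the hosts named in this post, and the redirect table is constructed so the script runs offline.

```python
"""Expand a shortened URL one redirect at a time without loading the final page.

Added example, not code from the original post. It uses only the Python standard
library. The default fetcher sends a HEAD request and reads the Location header;
the constructed SAMPLE_REDIRECTS table below stands in for the network so the
example runs offline.
"""
import http.client
from urllib.parse import urljoin, urlparse

# Shortener hosts named in the post. Assumed, illustrative list; extend as needed.
KNOWN_SHORTENERS = {"t.co", "tinyurl.com", "bit.ly", "goo.gl"}


def is_short_url(url):
    """True when the link's host is one of the known shortener services."""
    host = (urlparse(url).hostname or "").lower()
    return host in KNOWN_SHORTENERS


def head_location(url, timeout=5):
    """Issue one HEAD request and return the absolute redirect target, or None.

    Redirects are deliberately not followed automatically, so the page behind
    the short link is never fetched by this function.
    """
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "short-url-expander-example"})
        resp = conn.getresponse()
        if 300 <= resp.status < 400:
            location = resp.getheader("Location")
            return urljoin(url, location) if location else None
        return None
    finally:
        conn.close()


def expand_url(url, fetch=head_location, max_hops=10):
    """Return the redirect chain starting at url, ending at the final target.

    Stops after max_hops or when a URL repeats, so a looping chain cannot
    keep the expander busy forever.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = fetch(chain[-1])
        if nxt is None:
            break
        chain.append(nxt)
        if nxt in seen:
            break
        seen.add(nxt)
    return chain


def audit_link(url, expected_domain, fetch=head_location):
    """Summarise one email link: was it shortened, and where does it really land?"""
    chain = expand_url(url, fetch=fetch)
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    on_expected = final_host == expected_domain or final_host.endswith("." + expected_domain)
    return {"shortened": is_short_url(url), "chain": chain,
            "final_host": final_host, "lands_on_expected_domain": on_expected}


# Constructed stand-in for the network: short link -> next hop. Hosts under
# .invalid are reserved for examples and resolve nowhere.
SAMPLE_REDIRECTS = {
    "https://t.co/abc123": "https://tinyurl.com/xyz",
    "https://tinyurl.com/xyz": "http://account-verify.invalid/login",
}


def sample_fetch(url):
    """Offline fetcher that replays the constructed redirect table."""
    return SAMPLE_REDIRECTS.get(url)


if __name__ == "__main__":
    for hop in expand_url("https://t.co/abc123", fetch=sample_fetch):
        print(hop)
    print(audit_link("https://t.co/abc123", "apple.com", fetch=sample_fetch))
```

To use it against a real link, call `audit_link(url, "apple.com")` without the `fetch` argument so the default HEAD-based fetcher is used. Note that a shortener may chain into another shortener (as in the sample), which is why the whole chain is reported rather than only the first hop.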
The other telltale sign that this is a phishing expedition (or malware link) is the sending email address. Some email readers will only show the display name, like this:
Other mail readers will also show the sending email address without having to view the contact details, which assists in determining a bogus email.
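The display-name check the mail readers above do for you can also be done on the raw message. The following is an added example of my own, not code from the original post: it pulls the display name and real address out of the From header and flags a message whose display name claims a brand while the address comes from some other domain. The brand name and expected domain are parameters, and the two sample messages are constructed (the .invalid domain never resolves).

```python
"""Compare an email's display name with its real sending address.

Added example, not code from the original post. Uses only the standard library.
The brand name and expected domain are parameters; the sample messages below
are constructed and the .invalid domain resolves nowhere.
"""
from email import message_from_string
from email.utils import parseaddr


def sender_parts(raw_message):
    """Return (display_name, address, domain) parsed from the From: header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr, domain


def domain_belongs_to(domain, expected_domain):
    """Exact match or a real subdomain; 'apple.com.evil.invalid' does not count."""
    return domain == expected_domain or domain.endswith("." + expected_domain)


def display_name_mismatch(raw_message, brand, expected_domain):
    """True when the display name claims the brand but the address does not
    come from the brand's domain: the mismatch many readers never look at."""
    name, _addr, domain = sender_parts(raw_message)
    return brand.lower() in name.lower() and not domain_belongs_to(domain, expected_domain)


# Constructed sample messages (headers only matter for this check).
LEGIT_SAMPLE = "From: Apple <no_reply@email.apple.com>\nSubject: Your receipt\n\n...\n"
PHISH_SAMPLE = "From: Apple Support <billing@apple.com.account-verify.invalid>\nSubject: Invoice\n\n...\n"

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_SAMPLE), ("phish", PHISH_SAMPLE)):
        print(label, sender_parts(raw), display_name_mismatch(raw, "Apple", "apple.com"))
```

The `domain_belongs_to` helper is the part worth copying: a plain substring test would accept `apple.com.account-verify.invalid` because it contains the brand's domain, whereas checking for an exact match or a true subdomain does not.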
A lot of email users just don’t look at this type of information closely enough before clicking on a link. With the frequency of phishing (and whaling) and malware attacks increasing, this becomes more of an issue for consumers and businesses alike. Short URLs are not your friend and can and will be used to hide malicious intentions. Read this previous blog series about protecting your business reputation for some more background and helpful hints on how to protect yourselves.
One of the main areas that I cannot emphasize enough is security awareness training. You can have all the technology controls (sandboxing, anti-malware/anti-virus, anti-spoofing, etc.) in place to help protect your information from email-based attacks, but there will always be someone finding a way around them. At The Information Strategists, LLC we provide our customers with an extensive set of tools and training to manage and monitor their security awareness program. Contact us here for more information.
Darren Brinksneader is President and Chief Strategist of The Information Strategists. Darren has been a consultant, trainer and public speaker in the IT industry for nearly 30 years, providing expertise and solutions for both private and public sector organizations.