by Paul Wood

For some time Symantec has been warning social networking users to beware of shortened URLs as sometimes it can be hard to see where the link will actually lead.

MessageLabs Intelligence Senior Analyst, Symantec Hosted Services
Paul Wood

Spammers have been taking advantage of shortened URLs, and during a three-month period in 2010, Symantec found that two-thirds of malicious links in social networking news feeds used shortened URLs. Seventy-three per cent were clicked 11 times or more, with 33 per cent receiving between 11 and 50 clicks. Only 12 per cent didn’t receive any clicks.

Now Symantec is seeing a new trend and it’s a new way spammers are trying to get victims to click on links in e-mails.

The October 2011 Symantec Intelligence Report highlights that spammers have created genuine URL shortening service sites that are not only capable of generating real shortened links, but they’re also easily accessible and available to the public so anyone can create a shortened URL on the site.

In the past, spammers leveraged legitimate URL shortening sites to create shortened links that would hide malicious sites. It’s possible these legitimate sites have improved their spam detection and malicious URL identification processes, forcing spammers to find another way of shortening URLs.

 

Example landing page of spammers’ URL shortening Web site

[October 2011 Symantec Intelligence Report]

So far, these shortened spam links have only been found in e-mails. Since the spam URLs are hidden behind shortened links, e-mail spam filters have difficulty detecting them, and that can put users at risk. By using a combination of blank and personable subject lines that read, “It’s a long time since I saw you last!” spammers attempt to trick users to click on malicious links.

 

Example of a spam e-mail containing spammers’ own URL shortened link

 [October 2011 Symantec Intelligence Report]

So far, Symantec has identified a spam gang of 136 URL shortening sites. While it’s not clear why these sites are made publicly available, it could be simply due to laziness on the spammers’ part, or perhaps an attempt to make the site seem more legitimate. As spammers continue their efforts to hide malicious sites and fool victims, Symantec expects them to continue abusing URL shortening services and finding sophisticated ways to carry out attacks.

Paul Wood, is a senior intelligence analyst at Symantec.cloud

Share on LinkedIn Share with Google+