TinyURL, one of the most popular URL-shortening services (although not our favorite) is now being used by cybercriminals to redirect web surfers to pages that contain viruses, trojans, and other sorts of malware. According to Finjan’s Malicious Code Research Center, these criminals are using the service to avoid having their web sites flagged by the Safe Browsing mechanisms built in to modern web browsers like Mozilla Firefox and Google Chrome.
Both web browsers employ Google Safe Browsing, a feature which warns users about phishing sites and other malware. Yet bypassing this filter within your browser is easy to do, apparently. All that’s necessary is for a cybercriminal to create a TinyURL that hides the original, malicious URL. Then, instead of getting the warning message “Reported Attack Site!”, unsuspecting web surfers will be sent directly to the dangerous web page when clicking the link.
In tests, the reason that the TinyURLs were able to be used in this way is because the pages they masked were not at the domain level, but were rather sub-pages of a domain marked as “safe.” This actually points to a weakness in the Safe Browsing feature and not really a security risk in the TinyURL service in and of itself. Because Safe Browsing only ranks sites at the domain level, infected sub-pages will always be ranked as “non-malicious” as long as the domain is categorized as “safe.”
TinyURL isn’t the only service being abused in this way. Other URL-shortening services mentioned in the article include bit.ly, w3t.org and is.gd. However, during their research, the firm also found bit.ly being used by the same cybercriminals. Both TinyURL and bit.ly were notified and the malicious links were removed.
