Back in May I wrote "Dirty URL Tricks" about the increasing risk presented by the rise of URL shortening services like Bit.ly and TinyURL, driven largely by short messaging services like Twitter. I closed the article by predicting that scammers were going to start aggressively exploiting these services as a means of masking their malicious URLs.
Judging by the dramatic spike in URL shortening service usage by spammers and phishers the following month, I'd say that the entire scamming community must be reading my blog. However, since I'm quite in tune with the number of readers I have, and I'm fairly confident that spammers number well above those single digits, I can't really back that up with figures.
But, regardless of the trigger, there is little doubt that spammers and phishers have had the inevitable epiphany, and are now very aggressively utilizing these free shortening services in an attempt to further obfuscate the malicious nature of links they are sending via email.
Consider the following graph, which illustrates the rise of URL shortening techniques in spam, courtesy of the folks at MessageLabs:
Over 90% of all email is spam. It's more critical now than ever for end users to warily consider clicking on any links they cannot practically verify prior to going to the target website. URL
Lengthening services, such as
LongURLPlease and
shortText, are emerging in an attempt to fill the need here, but the long-term fix is for users to appreciate the dangers of blindly clicking on links sent to them in email and other comm methods.