These days you are likely to see links known as “Short URLs” without even realizing it. They are very helpful where you are limited to a certain number of characters or a long URL simply looks ugly, and many programs and social channels now create them automatically. That is wonderful, except that a short URL hides where the link will take you. The bad guys know this and use it against you in phishing attacks and other social engineering ploys. So how do you identify a short URL, and what can you do about it?
Short URLs are generally easy to identify because they point to domains such as bit.ly, goo.gl, ow.ly, tinyurl.com, t.co or something similar. For example, here are links to www.madsqu1rrel.com from each of these services:
- Bitly: http://bit.ly/2iAHqA7
- goo.gl: https://goo.gl/BzpCDZ
- ow.ly: http://ow.ly/Ibn9307tMnD
- TinyURL: http://tinyurl.com/hkgw5lo
Now this may not seem like it is doing much, if anything, but the real power comes when you have a long URL and need it to be more manageable. Take for example the URL https://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/. This links to a webpage at my employer, KnowBe4, but at 75 characters it is getting pretty long. Run through the same shorteners, it looks like this:
- Bitly: http://bit.ly/2crJXI3 (21 characters)
- goo.gl: goo.gl/ON5FBw (13 characters, counted without the scheme)
- ow.ly: http://ow.ly/O4iy307tNGp (24 characters)
- TinyURL: http://tinyurl.com/jbu5n38 (26 characters)
The Problem and Solution
As you can see, that is quite a difference. The side effect is that you can no longer see where the link takes you. Put a short URL behind a button and it is very easy to hide a malicious destination. For example, a button that links to the KnowBe4 page through a short URL: how can you tell where it goes? Hovering over it only shows you the short URL.
So what do you do? For many shorteners, including bit.ly and goo.gl, adding a “+” to the end of the short URL takes you to a preview page that shows the full destination URL. There are exceptions, such as TinyURL, which instead wants “preview.” added to the front of the shortened URL (http://preview.tinyurl.com/…). To get the short URL itself without visiting it, hover over the link with your mouse, right-click and choose “Copy Link Address” or the equivalent in your browser.
Here are some examples of preview links, built from the short URLs above:
- Bitly: http://bit.ly/2crJXI3+
- goo.gl: https://goo.gl/ON5FBw+
- TinyURL: http://preview.tinyurl.com/jbu5n38
On a side note, the goo.gl preview page gives a full analytics view of that short URL: open https://goo.gl/2OA1y+ and you can see the data. (Google has since discontinued the goo.gl shortener, so this preview page may no longer be available.)
Ow.ly and t.co are harder, because they offer no preview page of their own. For those, a service such as Unshorten URL or getlinkinfo.com is your best bet, and these services work with the other shorteners as well. Paste the short link into the site and it shows you the real website the link points to. Keep in mind that a short URL can redirect to another short URL, so check the final destination, not just the first hop. If it is not what you expect, don’t click it!
This may seem difficult at first, but after you have done it once or twice it is very easy to stay safe from hidden malicious URLs.
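As an added example that is not part of the original post, the following Python script does locally what the unshortening services above do. It builds the preview-page URL from the conventions described above (“+” for bit.ly and goo.gl, “preview.” for TinyURL) and follows the redirect chain hop by hop with HEAD requests, so the destination page itself is never loaded, until it reaches a non-redirect response. It refuses redirect loops and stops after a fixed number of hops. The redirect fixture in FAKE_RESPONSES and the URLs in it are constructed for offline demonstration and are not real links; only http_head performs real requests.

```python
"""Resolve where a short URL really points by following HTTP redirects one hop
at a time with HEAD requests, so the final page body is never fetched."""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307, 308}

# Preview conventions from the article: bit.ly and goo.gl show a preview page
# when "+" is appended; TinyURL when "preview." is prefixed to the host name.
PLUS_PREVIEW_HOSTS = {"bit.ly", "goo.gl"}


def preview_url(short_url):
    """Return the preview-page URL for a short link, or None when the
    shortener (e.g. ow.ly, t.co) has no preview page convention."""
    parts = urlsplit(short_url)
    host = parts.netloc.lower()
    if host in PLUS_PREVIEW_HOSTS:
        return short_url + "+"
    if host == "tinyurl.com":
        return parts._replace(netloc="preview." + parts.netloc).geturl()
    return None


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects itself, so every hop is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url):
    """One live HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx answers surface here as HTTPError.
        return err.code, err.headers.get("Location")


def resolve(url, fetch=http_head, max_hops=MAX_HOPS):
    """Follow redirects from url and return the list of URLs visited, ending
    with the first non-redirect response. Raises ValueError on a redirect
    loop or when more than max_hops redirects are seen."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at " + nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("gave up after %d redirects" % max_hops)


# Constructed fixture, not real links: a short URL that hops through a second
# shortener, then a relative Location, before landing; plus a redirect loop.
FAKE_RESPONSES = {
    "http://bit.ly/fakelink":        (301, "https://tinyurl.com/fakelink2"),
    "https://tinyurl.com/fakelink2": (302, "https://www.example.com/old"),
    "https://www.example.com/old":   (302, "/login"),
    "https://www.example.com/login": (200, None),
    "http://ow.ly/loopA":            (301, "http://ow.ly/loopB"),
    "http://ow.ly/loopB":            (301, "http://ow.ly/loopA"),
}


def fake_head(url):
    """Offline stand-in for http_head that answers from FAKE_RESPONSES."""
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    # Usage: python unshorten.py http://bit.ly/xxxxxxx ...  (live HEAD requests)
    # With no arguments the constructed fixture is walked instead.
    live = bool(sys.argv[1:])
    targets = sys.argv[1:] if live else ["http://bit.ly/fakelink"]
    fetch = http_head if live else fake_head
    for target in targets:
        print("preview page:", preview_url(target))
        print(" -> ".join(resolve(target, fetch=fetch)))
```

Two caveats when running this against real links: a few servers answer HEAD differently from GET (a 405, or a different redirect), in which case switch the method to GET and discard the body; and redirects done in JavaScript or with a meta refresh tag are not followed, because the page body is never read. Resolving a link this way still contacts the shortener, so its analytics will record the request; do it from a machine and address you are comfortable exposing.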
Erich Kron, Security Awareness Advocate at KnowBe4, is a veteran information security professional with over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, MCITP and ITIL v3 certifications, among others. Erich has worked with information security professionals around the world to provide the tools, training and educational opportunities to succeed in InfoSec.