A post over at Cligs talks about an intrusion with their URL shortening service.  In essence, an malicious individual got in and edited all the destination URLs to point to freedomblogging.com, likely for nefarious purposes. This exposes two problems with URL shortening services.

1) Previously, malware domains tend to be easy to spot. The URLs tend to be less and less sensical as it is difficult to get a domain name that looks close enough to a legit site.  However, with URL shortening you are using a well-known and "safe" domain.  There is generally no way (for most services at least) to see the destination URL that a shortened URL points to.  For twitter and facebook, URL shortening services are common and no one thinks twice of them.  E-mail has become a less reliable means for phishing because of the anti-spam services involved. With URL shortening, it becomes easier because it "looks legit". It's little more than an accepted form of obfuscation.

2) Most URL shortening services are not highly financed (nor do they need to be). If a URL shortening service was penetrated, it would be easy to take a popular shortened URL and modify it to point to malware instead the intended "clean" site.  This is what happened with Cligs.

The bad news: We are behind the curve on dealing with this threat.

The good news: Some simple steps could be used to help prevent this.  "Blocklisting" malicious domains from URL shortening, deactivating known malicious shortened URLs and more real/near-time monitoring of what URLs get shortened to shorten the detection cycle.

--
John Bambenek
bambenek /at/ gmail /dot/ com