Network News

X My Profile
View More Activity

Spammers, Virus Writers Abusing URL Shortening Services

Purveyors of spam and malicious software are taking full advantage of URL-shortening services like and TinyURL in a bid to trick unwary users into clicking on links to dodgy and dangerous Web sites. Fortunately, with the help of a couple of tools and some common sense, most Internet users can avoid these scams altogether.

According to alerts from anti-virus vendors McAfee, Symantec and Trend Micro, the latest to abuse these services is the Koobface worm, which targets users of social networking sites like Facebook (Koobface is an anagram of Facebook) and Myspace. It's now also spreading via microblogging service Twitter. Koobface arrives as a message that urges users to click on a link to a video, which invariably leads to a site that prompts the visitor to install a missing video plug-in. The fake plug-in turns the user's system into a bot that can be used for a variety of criminal purposes, from spamming to attacking other computers and spreading the worm.

At the same time, URL shortening services appear to be fueling a massive ongoing commercial spam campaign. At his always informative blog CyberCrime & Doing Time, Gary Warner, the director for research in computer forensics at the University of Alabama at Birmingham, has the skinny on a spam run that includes links shortened by at least a dozen different URL shortening services.


Meanwhile, computer security firm Marshal8e6 writes in its July Security Threats report about rogue anti-virus purveyors using URL shortening services in conjunction with Twitter trending topics to spread their junk software.

A few weeks back, I wrote a column on several free services and tools available to help unmask shortened URLs. From that post:

TinyURL, which is among the longest-running URL shortening services, lets you automatically enable the preview of all shortened URLs. Just visit this page and click the "Enable Previews" link, and from then on TinyURLs will be converted into their longer form when you visit a Web page that features them. You must have cookies enabled in your browser for this setting to take, and you will need to set the cookie for each browser you use.

If you browse the Web with Firefox, I recommend an add-on called Long URL Please, which currently converts URLs shortened by 72 different services, including,,,,,,, and Long URL Please also works in Internet Explorer and other browsers: Simply add this bookmarklet to your bookmarks, and then click on it when you're at a page that includes shortened URLs to display the long URL.

Firefox users who are familiar with the Greasemonkey add-on may prefer the Tiny URL Decoder script (my preference), which also works with a long list of URL shortening services. is another bookmarklet approach that works across browsers.

By Brian Krebs  |  July 15, 2009; 4:00 PM ET
Categories:  Latest Warnings , Safety Tips  | Tags: koobface, url shorteners  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Microsoft Patches Nine Security Flaws
Next: PC Infections Often Spread to Web Sites


My friends used to use URL shortening services to try and trick each other into viewing Artycat or getting Rickroll'd, so I learned to never click them...I'm glad these ninja skills will come in handy against malware.

Posted by: dkp01 | July 15, 2009 11:44 PM | Report abuse

Great article, as always.

I don't think it's possible for Brian to write a column that isn't extremely beneficial for any computer user. The Post should put this on the front of their web page everyday.

Posted by: chris_rollins2k3 | July 16, 2009 9:05 AM | Report abuse

Yeah Brian is good. We should all enjoy him while we can because it seems that the best people at the Post, Tom Ricks and Dan Froomkin, for example, don't last too long. Meanwhile, people that no one wants to read, like Bill Kristol, get hired. And they wonder why the paper's revenue keeps declining.

Posted by: hairguy01 | July 16, 2009 12:04 PM | Report abuse

Even if you unmask the long URL, do people really pay attention to the URL before clicking? And even if they did, how would they know that the site is malicious?

It would be nice if the tiny URL hosts would improve their security by pre-testing long URL's against databases of known malicious sites.

Since they're not likely to do so, you can use customized HOSTS files to block known hostile sites or a security toolbar like SiteAdvisor to give you some warning.

If you're a Firefox 3.0 or higher user, a better tactic is to make sure you have selected the two browser options to block known phishing and other known malicious sites. The tiny URL will not hide the fact that your browser will see the long URL once you've been redirected. At that point, if the site is a known threat, Firefox will block it.

The only disadvantage of this feature is that every few hours, your hard disk will thrash wildly for 30 seconds or so as Firefox automatically downloads the latest block list.

Your best defense, of course, is to avoid surfing the net on an administrator-level account.

Posted by: taskforceken | July 16, 2009 1:31 PM | Report abuse

I am getting more and more text spam on my iPhone. I am not on a text plan so each one costs me 20 cents. What a pain.

Posted by: Bitter_Bill | July 16, 2009 4:37 PM | Report abuse

@bitterbill -- AT&T lets you block SMS messages. You just have to sign up for a free account on their Web site. Once you've done that (setting it up requires you to receive a code via SMS from AT&T), you can go in and block SMS messages altogether, or selectively by using "allow" and "deny" lists.

Posted by: BTKrebs | July 16, 2009 4:58 PM | Report abuse

1) Great article and thanks for the Firefox link!

2) Glad that you're BTK so as to differentiate from BillKristol.

3) How is your traffic since the Security Fix and Faster Forward buttons were miniaturized?

Posted by: featheredge99 | July 16, 2009 6:31 PM | Report abuse

There's a blog posting here about using cross-site scripting and shortened URLs to really surprise someone.

Posted by: traef06 | July 17, 2009 2:51 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company