The perils of short links

How URL shorteners work, how they can be used, and the privacy and security threats they pose.

Privacy and security threats of short links

Short links are everywhere these days. All these bit.ly, ow.ly, t.co, t.me, tinyurl.com and the like have long since become a familiar part of the online landscape. So familiar, in fact, that most users click on them without thinking twice. But thinking is never a bad thing. With that in mind, we explain below how short links work and what privacy and security threats they can pose.

What happens when you click on a short link?

When you click on a short link, you almost go straight to the intended destination, which is the address specified by the user who created the link. Almost, but not quite: the actual route takes a quick detour via the URL shortener service.

The more efficient the service, the quicker this takes, and the smoother the transition to the end stop. Of course, the delay feels insignificant only to a person — we humans are rather slow. But for an electronic system, it’s more than long enough to get up to all kinds of activity, which we’ll discuss below.

Why short links? The main reason is one of space: making a long link shorter means it takes up less of the screen (think mobile devices) and doesn’t eat up the character limit (think social media posts). Alas, that’s not all there is to it. The creators of short links may be pursuing their own goals, not necessarily driven by concern for users. Let’s talk about them.

Short links and user tracking

Have you ever wondered why many internet links are so long and unsightly? It’s usually because links encode all kinds of parameters for tracking click-throughs, so-called UTM tags.

Usually, these tags are deployed to determine where the user clicked on the link, and thus to evaluate the effectiveness of ad campaigns, placement on blogger pages, and so on. This is not done in the name of user convenience, of course, but for digital marketing.

In most cases, this is a fairly harmless form of tracking that doesn’t necessarily collect data from link clickers: often marketers are just interested in the source of traffic. But since this additional “packaging” doesn’t look very aesthetic, and often makes the URL insanely long, shortener services are often brought into play.

What’s more unpleasant from a privacy point of view is that URL shorteners don’t limit themselves to redirecting users to the destination address. They also tend to harvest a host of statistics about the link clickers — so your data ends up in the hands not only of the creator of the short link through embedded UTM tags, but also of the owners of the URL shortener. Of course, this is the internet, and everyone collects some kind of statistics, but using a short link introduces another intermediary that holds data on you.

Disguised malicious links

Besides violating your privacy, short links can threaten the security of your devices and data. As we never tire of repeating: always carefully check links before clicking on them. But with short links, a problem arises: you never know for sure where it is you’ll be taken.

If cybercriminals use short links, the advice to check them becomes meaningless: you can only find out where a link points after clicking. And by then it may be too late — if the attackers exploit a zero-click vulnerability in the browser, the infection can occur as soon as you land on the malicious site.

Short links and dynamic redirects

Cybercriminals can also use link-shortening tools to change the target address as the need arises. Suppose that some attackers bought a database of millions of email addresses and used it to send out phishing messages with some kind of link. But here’s the problem (for the attackers): the phishing site they created was quickly discovered and blocked. Rehosting it at a different address is not an issue, but then they would have to resend all the phishing mailshots.

The solution (again, for the attackers) is to use a “shimming” service, which makes it possible to quickly change the URL users will visit. And the role of “shims” here can be played by URL shorteners, including ones originally created with dubious intentions in mind.

With this approach, a link to the shimming service is added to the phishing email, which redirects victims to the phishers’ site at their currently active address. Often, multiple redirects are used to further muddy the trail. And if the destination phishing site gets blocked, the cybercriminals simply host it at a new address, change the link in the shim, and the attack continues.

Man-in-the-middle attacks

Some link-shortening tools, such as Sniply, offer users more than just shorter links. They allow tracking the actions of link clickers on the actual destination site, which is effectively a man-in-the-middle attack: traffic passes through an intermediate service node that monitors all data exchanged between the user and the destination site. Thus, the URL shortener can intercept anything it wants: entered credentials, social network messages, and so on.

Personal spying

In most cases, short links intended for mass use are placed in social network posts or on web pages. But additional risks arise if one was sent to you personally — in a messenger or an email to your personal or work address. Using such links, an attacker who already has some information about you can redirect you to a phishing site where your personal data is pre-filled. For example, to a copy of a banking site with a valid username and a request to enter your password, or to the “payment gateway” of some service with your bank card number pre-filled, asking you to enter a security code.

What’s more, such links can be used for doxing and other types of tracking, especially if the URL shortener service offers advanced functionality. For instance, our recent post about protecting privacy in Twitch looked in detail at ways to de-anonymize streamers and how to counter them.

How to stay protected

What to do about it? We could advise never to click on short links, but, in the vast majority of cases, URL shorteners are used for legitimate purposes, and short links have become so common that total avoidance isn’t really an option. That said, we do recommend that you pay special attention to short links sent to you in direct messages and emails. You can inspect such links before clicking by copying and pasting them into a tool for checking short links, such as GetLinkInfo or UnshortenIt.

However, there is a simpler method: a high-quality security solution with an integrated approach that takes care of security and privacy at the same time. For example, our Kaspersky Premium has a Private Browsing component that blocks most known online trackers and thus prevents your online activities from being monitored.

Our products also offer protection against online fraud and phishing, so rest assured that Kaspersky Premium will warn you in good time before landing on a dangerous site — even if the link was shortened. And, of course, the antivirus will guard against any attempts to infect your devices — including ones exploiting as-yet-unknown vulnerabilities.

Tips