Be Aware of How Malicious Scammers Game URL Shorteners
By Leila Sharma
Links get shortened for a variety of reasons, including appearance, space limitations, platform-imposed limitations, ease of recall, and ease of sharing. Link shortening services can typically reduce URLs to 10-30 characters. In the shortening process, a URL receives a new domain name (e.g., nyu.edu can become bit.ly). Be mindful that the link shortening process masks the true destination URL, and that shortened URLs are often used by scammers to trick users into clicking malicious links. Stay safe online by checking or previewing the destination of shortened URLs before you click them.
Take Advantage of Your Web Browser’s Capabilities
One of the first things you should do to help ensure a shortened URL is what it claims to be is simply hover over the link without clicking it. The URL to which it points will appear in the bottom left of your browser window. If a link says www.amazon.com, but the address at the bottom of your browser says something else, be wary of clicking that link.
Using Link Expander Services to Check Shortened URLs
You can expand and check shortened URLs by entering them at www.checkshorturl.com. In addition to expanding the shortened URL, the site will provide information such as title, description, keywords, and author. The service will also check whether the shortened URL appears in any search engines and let you know whether or not the hidden link is safe.
Another service that you can use to expand and check URLs is unshorten.it. Once you enter the shortened URL, the results page will not only reveal the destination URL, but also display a safety rating from the Web of Trust and indicate whether the link is on any blacklists.
urlex.org is simply a URL expander. You can un-shorten multiple URLs by entering one per line in the input field.
Previewing Bitly, TinyURL, and Twitter Links
In addition to the services above, there are other simple ways to preview the destination links for links shortened with Bitly and TinyURL, two highly popular link management platforms.
To preview the destination of a Bitly URL, simply add a plus sign “+” to the end of a link. For example, the following link: bit.ly/1bhJUN8 may be previewed by modifying it as bit.ly/1bhJUN8+. The preview in this instance displays the following destination information for the shortened link:
TinyURLs can be previewed in two ways:
- If the link was created with the “preview TinyURL” option, the word “preview” will show as part of the link when you enter it at TinyURL.com.
- You can visit tinyurl.com/preview.php and click the link to enable TinyURL previews. Please note that the enable preview feature is browser-specific. For example, if you enable TinyURL previews in Google Chrome, you’ll also have to do so in other browsers if you plan to use other browsers to preview TinyURL links.
It is not necessary to preview links shortened by Twitter, which use a t.co domain name and have a 23-character limit. Twitter checks links for malicious content and checks shortened URLs for safety against a list of sites which could be harmful. If a link points to possible malicious content, the following warning will display: “Warning: this link may be unsafe.”
Warnings Associated with Shortened URLs
There have been instances of hackers using random-character-generating software to visit shortened URLs in an attempt to access sensitive information or insert malicious content into files. (You can learn more about this vulnerability on the Wired.com website.) This not only puts the security of content at risk, but also creates the possibility that malicious content can be put into files which will then be copied to your computer. Using cloud-based services that require authentication to access documents will safeguard documents shared through shortened URLs. Additionally, although this issue is not exclusive to shortened links, always be on the lookout for erroneous links that make use of difficult-to-notice spelling differences (e.g., gooogle.com) or have been created in different domains (google.xyz).
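Once a shortened link has been expanded, the spelling and domain checks described above can be automated. The following Python is an added example, not part of the original article; the trusted-domain list, the `classify` function and the edit-distance threshold of 2 are assumptions chosen for illustration, and the domain split is naive (no public-suffix list).

```python
from urllib.parse import urlsplit

# Assumption: a small list of domains you expect links to point to.
TRUSTED = {"google.com", "amazon.com", "nyu.edu"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def classify(url, trusted=TRUSTED):
    """Return (verdict, related_trusted_domain) for an expanded destination."""
    if "//" not in url:
        url = "//" + url  # let urlsplit parse bare hosts such as "google.xyz"
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    # Exact match or a true subdomain of a trusted domain.
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return ("trusted", dom)
    labels = host.split(".")
    if len(labels) < 2:
        return ("unknown", None)
    name, tld = labels[-2], labels[-1]  # naive: last two labels only
    for dom in sorted(trusted):
        t_name, t_tld = dom.rsplit(".", 1)
        if name == t_name and tld != t_tld:
            return ("different-tld", dom)       # e.g. google.xyz
        if tld == t_tld and 0 < edit_distance(name, t_name) <= 2:
            return ("lookalike-spelling", dom)  # e.g. gooogle.com
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample destinations, as returned by a link expander.
    for u in ["http://gooogle.com/login", "google.xyz",
              "https://www.amazon.com/dp/x", "https://example.org/"]:
        print(u, "->", classify(u))
```

An "unknown" verdict only means the host resembles nothing on the list; it is not a statement that the destination is safe.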