Shortcut to Malware and Phishing

URL shorteners are a relatively young category of Internet service. Because many social services on the Internet, like Twitter & Co., limit the number of characters in a message, URL shorteners became interesting for sharing links.

For example, you’d lose 64 characters if you tried to link directly to the Wikipedia article about URL shorteners: http://en.wikipedia.org/wiki/URL_shortening. But with a URL shortener you can cut the characters lost down to 16: http://bit.ly/c1htE.

But URL shorteners can also be abused to hide the real target of a link. Cyber criminals appreciate this “feature” and abuse these services to hide their phishing sites, malware or affiliate links. These services usually have terms and conditions comparable to TinyURL’s: “TinyURL was created as a free service to make posting long URLs easier, and may only be used for actual URLs. Using it for spamming or illegal purposes is forbidden and any such use will result in the TinyURL being disabled and you may be reported to all ISPs involved and to the proper governmental agencies. This service is provided without warranty of any kind.”

Nobody seems to care about these terms, considering the number of shortened URLs we see abused in illegal activities. At least some of these services have started filtering all shortened links through special services. Even so, we see more and more spam using shortened URLs.

Starting next month, we will deliver monthly statistics on the use of URL shorteners in malicious activities like phishing and malware distribution. Our list currently contains 22 URL shorteners, but we see relevant traffic on only some of them, so the monthly statistics will include only those. This first time, however, we deliver information about all of them.

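| #  | Phishing: shortener | Phishing: % | Malware: shortener | Malware: % |
|----|---------------------|-------------|--------------------|------------|
| 1  | tinyurl.com         | 41.30       | k.im               | 27.87      |
| 2  | bit.ly              | 15.29       | notlong.com        | 27.05      |
| 3  | r2me.com            | 12.04       | tinyurl.com        | 18.85      |
| 4  | snipurl.com         | 7.16        | cli.gs             | 7.38       |
| 5  | lu.mu               | 6.50        | bit.ly             | 7.38       |
| 6  | doiop.com           | 4.52        | doiop.com          | 4.10       |
| 7  | notlong.com         | 3.55        | ad.ag              | 2.46       |
| 8  | is.gd               | 1.93        | is.gd              | 1.64       |
| 9  | tiny.cc             | 1.81        | tr.im              | 0.82       |
| 10 | sn.im               | 1.69        | snipurl.com        | 0.82       |
| 11 | k.im                | 0.96        | ow.ly              | 0.82       |
| 12 | shorl.com           | 0.66        | dwarfURL.com       | 0.82       |
| 13 | tr.im               | 0.60        | zi.ma              | 0.00       |
| 14 | goo.gl              | 0.54        | u.nu               | 0.00       |
| 15 | ow.ly               | 0.48        | tiny.cc            | 0.00       |
| 16 | cli.gs              | 0.30        | sn.im              | 0.00       |
| 17 | u.nu                | 0.18        | shorl.com          | 0.00       |
| 18 | moourl.com          | 0.18        | r2me.com           | 0.00       |
| 19 | idek.net            | 0.12        | moourl.com         | 0.00       |
| 20 | dwarfURL.com        | 0.12        | lu.mu              | 0.00       |
| 21 | zi.ma               | 0.06        | idek.net           | 0.00       |
| 22 | ad.ag               | 0.00        | goo.gl             | 0.00       |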

It is interesting to see that plenty of services are available, but only very few are used heavily. In phishing, the main URL shortener is tinyurl.com, followed by bit.ly and r2me.com. For malware, there is no clear difference between places 1, 2 and 3. The most abused URL shortening service is k.im, closely followed by notlong.com and tinyurl.com.
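As an added illustration (not code from this post or from its author's tooling), a per-shortener share like the one in the table can be computed from a set of message bodies by matching each link's host against the 22 domains listed above. The function names and the sample messages are assumptions constructed for this example; the host is taken from the parsed URL so that a link such as `http://bit.ly@login.example/` is not miscounted as bit.ly.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The 22 shortener domains from the table above, lowercased for matching.
SHORTENERS = frozenset("""tinyurl.com bit.ly r2me.com snipurl.com lu.mu doiop.com
notlong.com is.gd tiny.cc sn.im k.im shorl.com tr.im goo.gl ow.ly cli.gs u.nu
moourl.com idek.net dwarfurl.com zi.ma ad.ag""".split())

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

def shortener_of(url):
    """Return the listed shortener domain a URL points at, or None."""
    try:
        host = urlsplit(url).hostname  # lowercased; userinfo and port removed
    except ValueError:                 # malformed authority, e.g. broken brackets
        return None
    if not host:
        return None
    host = host.rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host if host in SHORTENERS else None

def shortener_share(messages):
    """Percentage share of each shortener among all shortened links found."""
    counts = Counter()
    for body in messages:
        for url in URL_RE.findall(body):
            name = shortener_of(url.rstrip(".,;:!?"))  # drop sentence punctuation
            if name:
                counts[name] += 1
    total = sum(counts.values())
    return {n: round(100.0 * c / total, 2) for n, c in counts.most_common()}

# Constructed sample messages (not real spam; the paths are made up).
SAMPLE = [
    "Verify your account: http://tinyurl.com/xxxxxx.",
    "Your invoice http://TinyURL.com/yyyyyy and http://www.bit.ly/zzzzzz",
    "Prize: http://bit.ly@login.example/claim",  # real host is login.example
    "Docs at http://en.wikipedia.org/wiki/URL_shortening",
    "Update now http://k.im:80/aaaa",
]

if __name__ == "__main__":
    for name, pct in shortener_share(SAMPLE).items():
        print(f"{name:12s} {pct:6.2f}")
```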

Sorin Mustaca
Manager International Software Development