The 140 character limit in Twitter combined with its incredible success has been welcomed by phishers, spammers, Trojan and virus developers and other malicious content providers (we’ll call them ‘malware’ in this article).
As most Twitter users know, URLs are typically shortened using URL shorteners such as Bit.ly (which also powers j.mp) and Tr.im (which is now open-source) so as to minimise the number of characters used by the URL. For example, the URL https://www.organicweb.com.au/1566/management/leica-kgb-nsa/ is shortened as http://br.st/0io using Br.st, a free URL shortening service.
Why Spammers Love Twitter
Unfortunately, the shortened URL does not indicate anything about the full URL to which it redirects. Research by the security software company Mcafee has shown that 1 in 5 of ‘.hk’ top level domains (TLD) is rated as risky to access while 1 in 10 ‘.cn’ domain names is likely to contain malware or other suspect content. By contrast, ‘.gov’ and ‘.jp’ websites are extremely unlikely to contain malware. URL shorteners mean that we become unaware of the TLD of the URL. Malware distributers love Twitter because a URL can be masked so the viewer is unaware of the TLD (i.e if we knew that a URL ended in .hk we’d think twice about visiting that URL but a shortened URL doesn’t show the .hk).
The additional danger is that it is possible for blacklisted URLs to bypass security in browsers and security software by using shortened URLs. Great strides have been made over the years in collecting data about insecure websites. Google, Bing and other Search Engines exclude blacklisted sites from Search Engine Results Pages (SERPs). Most good Internet browsers also detect and block blacklisted URLs. The problem with shortened URLs is that they mask the original blacklisted URL so can, and often do, bypass Internet security software and blacklists.
How Malware spreads in Twitter
The free and instantly generated nature of URL shortening services is perfect for phishing, spamming malware and Trojan distributers. All a malware distributors need do is create a short URL and post a catchy and popular ‘tweet’ with the shortened URL. Due to the highly interactive nature of Twitter, it is likely that someone will visit the tweet and will likely click on the link. This is far more simple and effective for malware distributors than spamming or creating websites and relying on Search Engines to drive traffic to their malware spreading sites. In addition, once it becomes known that the short URL is a security risk all the malware distributor needs do is create another free short URL and another catchy and topical tweet; in a matter of a minute the malware distributor has a whole new audience who are unaware that s/he is a security risk.
How to be Twitter Security Aware
Certainly, Twitter security vulnerabilities have been widely publicised however the average user still appears unaware of the need to be wary of shortened URLs in anticipation that they may be links to Trojans or other malicious content. It is more important than ever to use online security software as well as keep Internet Browser and operating system software up to date.