Symantec: Spammers Create Shortened URL Services

Symantec’s October 2011 Intelligence Report has uncovered evidence that spammers are now using their own URL shortening services for the first time.

Over 80 URL shortening sites available to the public have been uncovered, using the “.info” top-level domain, that will generate real shortened links, although they have only been seen in spam emails so far.

False sense of security

Spammers have been using shortened URLs for some time now because their widespread use on social networks has increased familiarity and lulled users into a false sense of security.

A 2009 survey revealed that users of social networks such as Facebook, LinkedIn and Twitter were behaving in ways that put their Internet security at risk. These links often lead users to malicious sites or phishing scams and, during 2010, 92 percent of spam emails contained links with those featuring shortened URLs harder for anti-spam countermeasures to recognise.

Symantec has previously warned users against the dangers associated with shortened URLs and Twitter has since taken action, bringing the total level down dramatically. However, legitimate services are much quicker to respond to abuses.

Paul Wood, senior intelligence analyst at Symantec Cloud said, “It is possible that spammers are setting up their own URL shortening sites since legitimate shortening sites, which have long suffered with abuse, have slightly improved their detection of spam and other malicious URLs. It’s not fully clear why the sites are public. Perhaps this is simply due to laziness on the spammers’ part, or perhaps an attempt to make the site seem more legitimate.”

Bradley Anstis, vice president of technical strategy at M86 security added, “The evidence that spammers have developed their own URL shortening service is yet another example of cybercriminals adopting new technology and using this to bypass traditional security measures. This is precisely why we have developed technology that looks at the intent of code embedded within email and Web content, rather than relying solely on updates of signature-based databases.”