CERIAS - Center for Education and Research in Information Assurance and Security


Do you know where you’re going?


Jim Horning suggested a topic to me a few weeks ago as a result of some email I sent him.

First, as background, consider that phishing and related frauds are increasingly frequent criminal activities on the WWW.  The basic mechanism is to fool someone into visiting a WWW page that looks like it belongs to a legitimate organization with which the user does business.  The page has fields requesting sensitive information from the user, which is then used by the criminals to commit credit card fraud, bank fraud or identity theft.

Increasingly, we have seen that phishing email and sites are also set up to insert malware into susceptible hosts.  IE on Windows is the prime target, but attacks are out there for many different browsers and systems.  The malware that is dropped can be bot clients, screen scrapers (to capture keystrokes at legitimate pages), and HTML injectors (to modify legitimate pages to ask for additional information).  It is important to try to keep any of this malware from getting onto your system.  One aspect of this is to be careful about clicking on URLs in your email, even if they seem to come from trusted sources, because email can be spoofed, and mail can be sent by bots on known machines.

How do you check a URL?  Well, there are some programs that help, but the low-tech way is to look at the raw text of a URL before you visit it, to ensure that it references the site and domain you expected.

But consider the case of short-cut URLs.  There are many sites out there offering variations on this concept, with the two I have seen used most often being “TinyURL” and “SnipURL”.  The idea is that if you have a very long URL that may get broken when sent in email, or that is simply too difficult to remember, you submit it to one of these services and you get a shortened URL back.  With some services, you can even suggest a nickname.  So, for example, short links to the top level of my blog are <http://tinyurl.com/2geym5>, <http://snipurl.com/1ms17> and <http://snurl.com/spafblog>.

So far, this is really helpful.  As someone who has had URLs mangled in email, I like this functionality.

But now, let’s look at the dark side.  If Jim gets email that looks like it is from me, with a message that says “Hey Jim, get a load of this!” with one of these short URLs, he cannot tell by looking at the URL whether it points somewhere safe or not.  If he visits it, it could be a site that is dangerous to visit (Well, most URLs I send out are dangerous in one way or another, but I mean dangerous to his computer. grin).  The folks at TinyURL have tried to address this by adding a feature so that if you visit <http://preview.tinyurl.com/2geym5> you will get a preview of what the URL resolves to; you can set this (with cookies) as your default.  That helps some.

But now step deeper into paranoia.  Suppose one of these sites was founded by fraudsters with the intent of luring people into using it.  Or the site gets acquired by fraudsters, or hijacked.  The code could be changed so that every time someone visits one of these URLs, some code at the redirect site determines the requesting browser, captures some information about the end system, then injects some malicious javacode or ActiveX before passing the connection to the “real” site.  Done correctly, this would result in largely transparent compromise of the user system.  According to the SnipURL statistics page, as of midnight on May 30th there have been nearly a billion clicks on their shortened URLs.  That’s a lot of potential compromises!
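The low-tech check described above (look at where a link really goes before visiting it) can be done for a short URL by reading only the redirect headers, one hop at a time, without rendering anything. The following is an added example, not code from this post or from any of the services named; `short.example`, `bank.example` and the redirect table are constructed placeholders, and the `head` parameter is a hypothetical hook so the check can be exercised offline.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
# Constructed redirect table standing in for the network (not real responses).
SAMPLE = {
    "http://short.example/abc": (301, "http://www.bank.example/login"),
    "http://short.example/xyz": (302, "http://bank.example.accounts.test/login"),
    "http://short.example/page": (200, None),
    "http://short.example/loop": (302, "/loop"),
}

def sample_head(url):
    return SAMPLE.get(url, (200, None))

def head_no_follow(url, timeout=5):
    """One HEAD request; returns (status, Location). Nothing is rendered or followed."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.netloc, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, head=head_no_follow, max_hops=5):
    """Follow redirects one hop at a time and return every URL in the chain."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        chain.append(urljoin(chain[-1], location))  # Location may be relative
    raise ValueError("too many redirects: %r" % chain)

def host_matches(url, expected_domain):
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)

def check_short_url(url, expected_domain, head=head_no_follow):
    """Return (verdict, chain): 'expected', 'unexpected' or 'no-redirect'."""
    chain = expand(url, head)
    if len(chain) == 1:  # the shortener answered with content of its own
        return "no-redirect", chain
    ok = host_matches(chain[-1], expected_domain.lower())
    return ("expected" if ok else "unexpected"), chain
```

A redirector that tailors its answer to the requesting browser, as the paragraph above supposes, can respond differently to this script, so a clean result describes only what this one request saw.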

Of course, one of the factors to make this kind of attack work is for the victim to be running a vulnerable browser.  Unfortunately, there have been many vulnerabilities found for both IE and Firefox, as well as some of the less well-known browsers.  With users seeking more functionality in their browsers, and web designers seeking more latitude in what they deliver, we are likely to continue to see browser exploits.  Thus, there is likely to be enough of a vulnerable population to make this worthwhile.  (And what browser are you using to read this with?)

I should make it clear that I am not suggesting that any of these services really are being used maliciously or for purposes of fraud.  I am a happy and frequent user of both TinyURL and SnipURL myself.  I have no reason to suspect anything untoward from those sites, and I certainly don’t mean to suggest anything sinister.  (But note that neither can I offer any assurances about their motives, coding, or conduct.)  Caveat emptor.

This post is simply intended as commentary on security practices.  Thinking about security means looking more deeply into possible attack vectors.  And one of the best ways to commit such attacks is to habituate people into believing something is safe, then exploiting that implicit trust relationship for bad purposes. 

Hmm, reminds me of a woman I used to date.  She wasn’t what she appeared, either….  But that’s a story for a different post. 



Posted by Michael
on Thursday, May 31, 2007 at 01:02 PM

I never found these services useful. Even the short URL is hard to remember.

Posted by Lee
on Sunday, June 17, 2007 at 10:26 PM

Actually, phishing is all about tricking someone into revealing their personal details via a multitude of mediums. Typically, deceptive emails are employed for this purpose.

The act of tricking someone into giving up their personal data on a spoofed website is in fact a newer type of scam known as pharming. This can be made more effective when malicious code is embedded in the victim’s browser.

This has the effect of secretly redirecting them to the pharming website, even when they have typed in the true url of a site.

Posted by Steve
on Tuesday, July 3, 2007 at 06:18 PM

Another item to consider:  how much free information are you giving the URL shorteners about your browsing habits?

Posted by Ivan Krsul
on Wednesday, July 4, 2007 at 04:23 AM

For years I have been struggling with the dilemma Security vs. Functionality.  TinyURL and such services address a real issue:  Long URLs are harder to type and they get broken into several lines in some email readers.  Have you ever tried sending someone a URL from Amazon.com?  This is what they look like: http://amazon.com/books-used-books-textbooks/b/ref=gw_br_bo/002-5242883-9291221?%5Fencoding=UTF8&node=283155&pf_rd_m=ATVPDKIKX0DER&pf_rd_s=left-nav-1&pf_rd_r=0M9719MXEDPSKT4TAH48&pf_rd_t=101&pf_rd_p=285525001&pf_rd_i=507846

Links within Cerias are not that easy to type either. For example: http://www.cerias.purdue.edu/weblogs/pmeunier/kudos-opinions-rants/post-106/more-javascript-browser-attacks-meanwhile-isc2-requires-javascript-and-all-is-well/

And many, many of the links in Web-heads mail I can’t open because the URL gets broken into several lines.  Rather than manually fixing the problem, and copying the URL part by part to the browser, I just delete the email.  I estimate that I delete about 50% of the Web-heads email I get because the URLs are broken.

Security must also be usable.  So long as security makes life hard, people will continue to invent such nifty solutions as TinyURL.  As a matter of fact, I am willing to bet that people are willing to tolerate some security breaches for the sake of comfort and convenience.

Hence, the question is “what is the secure alternative”?

Posted by Ed Finkler
on Friday, July 6, 2007 at 04:22 AM

I can speak to why many links are long on the CERIAS site, as I’m responsible for them: it’s primarily an issue of recognition from search engines.  URLs that contain parse-able information about the subject matter of the document “score higher” than those that don’t.  I do think we can do a bit more to shorten the URLs we use, though, and we’ll likely make some changes in the near-mid future.

I also find it to be a usability issue, in that URLs like this give me an idea of what to expect when I click.  I personally *really* dislike URLs that just give me a series of digits, although some of those appear on the CERIAS site as well (for now).

Ultimately, I don’t think “deep-linking” URLs can, or should be expected to be, type-able.  I look at them more like tokens that we pass around via copy and paste, via email or IM or other means.  We do sometimes set up much shorter URLs on the CERIAS site to give what we might call a “top-level” URL to a deep-link, especially if we know they will be used in print materials—we even have an internal tool for creating these kinds of short URLs.  However, I don’t really think that the web as a medium can be expected to play entirely nicely with a static medium like print.

Of course, my expectations and usage patterns are going to color what I expect and how I implement our applications.  I haven’t read much on URL length and descriptiveness as it relates to usability, but I’d be interested to do so.

Long URLs in (text) email are a real problem, and the handling of them varies a lot from client to client.  The closest thing to a consistent solution I’ve found is to wrap the link in < > characters, like: <thisisareallylonglink>.  Even if it’s forced to wrap, all of the GUI email clients I’ve used seem to keep the link functioning correctly.

Posted by Daniel Chien
on Sunday, July 8, 2007 at 02:25 PM

I have a simple way to detect a phishing website by checking the IP address of the phishing website.  On the Internet, everyone has an IP address.  You cannot fake your IP address due to 2-way routing. A phishing website must use an IP address and it cannot be the same as the legitimate financial institution’s IP address.  By comparing the IP addresses, we know whether this is a phishing website or not.
