Could URL-shortening Websites Be Used By Scammers?

I, and quite a few of the folk I correspond with, have been using what looks on the surface to be a great new feature of the Internet: Services that turn an unwieldy link into a short one. Enter the link you want to send someone into their website and it will create a unique URL, usually no more than a few characters long. Great for some of those really long links that are longer than one line. Already there are more than a dozen of these services in existence, and they’re all free.

The problem: You have no way of knowing what the original link was without going to that webpage. That’s because the new shorter URL contains only the name of the service and then some letters, as in http://snipurl.com/3hun or http://lin.kz/?qdapy. Nothing in there to identify what the link actually takes you to, short of actually going there.

Most of the time these services are used by friends sending links to one another (I find they’re particularly useful in sending stuff to folk who might be intimidated or baffled by long links). And therein lies the problem. If ordinary users get used to receiving emails containing links made with these services, what is going to stop them from clicking on such links in a phishing email, or some other sort of scam? Indeed, the growing popularity of these services is going to make them attractive to such scammers: the more we use them, the more we will unthinkingly click on them, and the more they will attract the scammers’ attention.

As far as I know there’s no layer of security involved in these services to stop scammers from using them. They require no registration (and this could be falsified anyway) and there’s no checking of links to see whether those links contain malicious code, fraudulent intent or illegal content (folk aren’t going to use them if they think their link is going to be vetted), so I don’t see any easy way for the services to avoid their abuse.

As far as I know this hasn’t happened yet. But I’m sure it will. Are these services going to fade away once this starts to happen? Are users going to rebel at ‘hidden’ URLs, after being battered by the increasingly sophisticated methods of disguise used by phishers?

12. April 2004 by jeremy
Categories: Internet life, Scams

Comments (2)

  1. I think I see what you’re getting at – users could come to foolishly trust URL-shortening websites, and forget to check the resulting URL. Of course there is no basis whatsoever for this trust, since these websites just spit out whatever they’re given.

    My advice, speaking as a web developer: Always glance at the domain name (e.g. paypal.com in https://www.paypal.com/) in the web browser’s address bar whenever you’re entering confidential details such as passwords – especially when you’ve been directed to a site from an email or instant message – and as long as your browser doesn’t have any security bugs, you’ll be OK.

  2. Of course, web browsers could make checking the domain name easier by displaying URLs in a more user-friendly way, e.g. with the domain names in boldface.

    I use the excellent Mozilla and Firefox web browsers and I’m not aware of a feature like that in those browsers. It seems like it would be simple enough to add, though.