frenta - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How can shortened URLs carrying malicious links be detected?

While shortened URLs are convenient and space-saving, they can potentially lead users to malicious websites. Enterprise threats expert Nick Lewis explains how to avoid the threat.

I understand why companies want to use URL shorteners such as Bitly, but can't these links redirect users to flawed...

or even malicious URLs? What ways can these shortened URLs be exposed to ensure users don't click on malicious links?

URL shorteners have a checkered past in terms of security, but not much has changed in the last couple years regarding defenses against their security pitfalls.

An enterprise could help minimize the risks from URL shorteners as attack vectors by using an internal URL shortener that allows branding (such as including the enterprise's website in the URL), or by using SSL in the URL shortener.

Enterprises should also ensure their custom or branded URL shortener isn't being used to create malicious short URLs by requiring authentication and performing a malware check on the URL prior to shortening.

Web applications have been abused in the past by shortened URLs due to insecure Web application security practices. The Open Web Application Security Project added un-validated redirects and forwards to its OWASP Top Ten list in 2013 and included guidance on how to prevent a Web application from being vulnerable.

Given the large number of ways for an endpoint to get compromised, it may be more effective to first secure the endpoint itself before trying to educate users to not click on shortened links. If an enterprise wishes, it could implement an additional control that allows users to preview shortened URLs before clucking on them.

However, it's also worthwhile to include instructions for employees to not click untrusted malicious links, or to be wary of untrusted URLs as part of security awareness training. In addition, teach employees how to identify if their computer has been compromised, since even trusted URLs can be used for malicious purposes via DNS hijacking, malicious banner ads and so on.

Ask the Expert!
Want to ask Nick Lewis a question about enterprise threats? Submit your questions now via email! (All questions are anonymous.)

Next Steps

View additional URL shortening risks and security best practices.

This was last published in March 2015

Dig Deeper on Security Awareness Training and Internal Threats-Information