
How can shortened URLs carrying malicious links be detected?

While shortened URLs are convenient and space-saving, they can potentially lead users to malicious websites. Enterprise threats expert Nick Lewis explains how to avoid the threat.

I understand why companies want to use URL shorteners such as Bitly, but can't these links redirect users to flawed or even malicious URLs? What ways can these shortened URLs be exposed to ensure users don't click on malicious links?

URL shorteners have a checkered past in terms of security, but not much has changed in the last couple of years regarding defenses against their security pitfalls.

An enterprise can reduce the risk of URL shorteners being used as an attack vector by running an internal URL shortener that allows branding (for example, by including the enterprise's own website domain in the short URL), or by using SSL for the URL shortener.

Enterprises should also ensure their custom or branded URL shortener isn't being used to create malicious short URLs, by requiring authentication and performing a malware check on the destination URL before shortening it.
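The two controls just described, authentication before shortening and a check on the destination URL, are straightforward to build into an internal shortener. The following is an added example written for this page, not code from the article or from any shortener product. It assumes an in-memory link store, a constructed set of API tokens standing in for the enterprise's real identity provider, and a small constructed domain blocklist standing in for a URL-reputation or malware-scanning feed; the hostname go.corp.example is likewise a placeholder.

```python
import hmac
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample data (assumption): API tokens of authenticated internal
# users, and a tiny domain blocklist standing in for a real URL-reputation feed.
API_TOKENS = {"tok-alice-0001": "alice", "tok-bob-0002": "bob"}
BLOCKED_HOSTS = {"malware.example", "phish.example"}
SLUG_ALPHABET = string.ascii_letters + string.digits
SLUG_LENGTH = 8          # 62^8 possible slugs: not enumerable in practice


class ShortenerError(ValueError):
    """Raised when a request is unauthenticated or the URL fails checks."""


def authenticate(token):
    """Map an API token to a user; compare in constant time to avoid timing leaks."""
    for known, user in API_TOKENS.items():
        if hmac.compare_digest(known, token):
            return user
    raise ShortenerError("authentication required")


def check_url(url):
    """Accept only absolute http(s) URLs whose host is not on the blocklist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ShortenerError("only http(s) URLs may be shortened")
    host = (parts.hostname or "").lower()
    if not host:
        raise ShortenerError("URL has no host")
    # Block the listed domain and every subdomain of it.
    if any(host == bad or host.endswith("." + bad) for bad in BLOCKED_HOSTS):
        raise ShortenerError("destination host is blocklisted")
    return url


class Shortener:
    """In-memory branded shortener: https://go.corp.example/<slug> -> target."""

    def __init__(self, base="https://go.corp.example/"):
        self.base = base
        self.links = {}   # slug -> (target URL, creating user)

    def _new_slug(self):
        # Random slugs rather than a counter, so existing links cannot be enumerated.
        while True:
            slug = "".join(secrets.choice(SLUG_ALPHABET) for _ in range(SLUG_LENGTH))
            if slug not in self.links:
                return slug

    def shorten(self, token, url):
        """Authenticate, vet the destination, then issue a short link."""
        user = authenticate(token)
        target = check_url(url)
        slug = self._new_slug()
        self.links[slug] = (target, user)   # creator is recorded for audit
        return self.base + slug

    def request(self, token, url):
        """HTTP-handler-style wrapper: ('ok', short_url) or ('rejected', reason)."""
        try:
            return ("ok", self.shorten(token, url))
        except ShortenerError as exc:
            return ("rejected", str(exc))

    def resolve(self, short_url):
        """Look up the target for a short URL, or None if it is unknown."""
        slug = short_url[len(self.base):] if short_url.startswith(self.base) else None
        entry = self.links.get(slug)
        return entry[0] if entry else None
```

Recording which authenticated user created each link matters as much as the check itself: if a destination is later found to be malicious, the link can be revoked and its creator contacted. In a real deployment the blocklist lookup would be replaced by a call to the enterprise's URL-filtering or sandboxing service.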

Web applications have also been abused through shortened URLs because of insecure Web application security practices. The Open Web Application Security Project added unvalidated redirects and forwards to its OWASP Top Ten list in 2013 and included guidance on how to prevent a Web application from being vulnerable.
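An unvalidated redirect is what lets a link on a trusted domain deliver a user to an attacker's site: the application takes a destination from a request parameter and echoes it into the Location header. The example below is added here and is not code from the article or from OWASP; it shows the defect next to a hardened version that only redirects to site-relative paths or to hosts on an allowlist (the hosts www.example.com and intranet.example.com are constructed placeholders). The checks for a scheme-relative "//host", a backslash written as a path separator, and a userinfo "@" in the host are the cases such a validator most often gets wrong.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist (assumption) of hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}
DEFAULT_LANDING = "https://www.example.com/"


def redirect_target_vulnerable(next_param):
    """Unvalidated redirect: whatever the client supplied goes into Location."""
    return next_param


def redirect_target_safe(next_param, allowed=ALLOWED_HOSTS, default=DEFAULT_LANDING):
    """Return the redirect target only if it is site-relative or on the allowlist.

    Anything else falls back to a fixed landing page instead of an error, so a
    tampered link degrades to a harmless page rather than leaving the site.
    """
    if not next_param:
        return default
    # Some browsers treat "/\host" like "//host"; normalise before parsing.
    candidate = next_param.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Site-relative path. urlsplit has already pulled a "//host" prefix
        # into netloc, so only a single leading "/" is acceptable here.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):
        return default        # rejects javascript:, data:, file:, and "//host"
    # hostname strips any "user:pass@" prefix, so "trusted.com@evil" resolves
    # to evil, which is exactly what we want to compare against the allowlist.
    if (parts.hostname or "").lower() not in allowed:
        return default
    return urlunsplit(parts)
```

Where the set of destinations is small and fixed, OWASP's stronger advice is to pass an index into a server-side table rather than a URL at all; the allowlist above is the fallback for when a real URL must be accepted.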

Given the many ways an endpoint can be compromised, it may be more effective to secure the endpoint itself first, before trying to educate users not to click on shortened links. If an enterprise wishes, it can implement an additional control that lets users preview shortened URLs before clicking on them.
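A preview control needs to find out where a short link ends up without letting the user's browser go there. The example below is added for this page and is not code from the article or from any shortener service. It walks the redirect chain one hop at a time using HEAD requests with redirect-following disabled, resolves relative Location headers the way a browser would, and stops on loops or excessive hops. The chain of URLs under short.example and tracker.example is constructed test data; the `http_head` function is the real urllib-based fetcher you would pass in instead of `fake_head` when running against live hosts.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 5

# Constructed redirect chain (assumption) standing in for the HEAD responses a
# shortener and its downstream hops would return: url -> (status, Location).
FAKE_RESPONSES = {
    "https://short.example/abc123": (301, "https://tracker.example/r/xyz"),
    "https://tracker.example/r/xyz": (302, "/landing/xyz"),
    "https://tracker.example/landing/xyz": (302, "https://www.example.com/report.pdf"),
    "https://www.example.com/report.pdf": (200, None),
    "https://short.example/loop1": (301, "https://short.example/loop2"),
    "https://short.example/loop2": (301, "https://short.example/loop1"),
}


def fake_head(url):
    """Offline stand-in for an HTTP HEAD request against the constructed chain."""
    return FAKE_RESPONSES.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """Real HEAD request returning (status, Location) for a single hop."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx responses surface here as HTTPError.
        return err.code, err.headers.get("Location")


def expand(url, head=fake_head, max_hops=MAX_HOPS):
    """Walk the redirect chain hop by hop and report where it ends."""
    chain = [url]
    current = url
    for _ in range(max_hops):
        status, location = head(current)
        if status not in REDIRECT_CODES or not location:
            return {"final": current, "chain": chain, "status": status,
                    "complete": True, "reason": None}
        # Location may be relative; resolve it against the current URL.
        nxt = urljoin(current, location)
        if nxt in chain:
            return {"final": nxt, "chain": chain, "status": status,
                    "complete": False, "reason": "redirect loop"}
        chain.append(nxt)
        current = nxt
    return {"final": current, "chain": chain, "status": None,
            "complete": False, "reason": "too many redirects"}


def preview(url, head=fake_head):
    """One-line summary suitable for showing a user before they click."""
    info = expand(url, head=head)
    if info["complete"]:
        return f"{url} -> {info['final']} ({len(info['chain']) - 1} redirect(s))"
    return f"{url} -> unresolved: {info['reason']}"
```

Showing the whole chain, not just the final URL, is deliberate: an intermediate tracking or redirector domain is often the first visible sign that a link did not come from where it claims. The final URL can then be passed to the same reputation check the shortener itself uses before the link is presented as safe.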

However, it is also worthwhile to instruct employees not to click untrusted links, and to be wary of unfamiliar URLs, as part of security awareness training. In addition, teach employees how to recognize that their computer has been compromised, since even trusted URLs can be put to malicious use via DNS hijacking, malicious banner ads and so on.


This was last published in March 2015


I agree that employee education is going to be important in how to avoid shortened URLs with malicious links. In addition to education, one approach we've taken to help minimize the impact of malicious links or phishing emails is to have people contact the service desk when they receive a suspicious link or email. The service desk can then work quickly with the information security and corporate communications teams to isolate the threat and inform the rest of the company of the potential threat. When combined with other security tools, this has proven successful (on more than one occasion) in identifying a risk and addressing it before anything happened.
This article is excellent for us Bitly users who want to prevent malicious link attacks for potential customers by requiring authentication and securing the endpoint.
Good piece. I had no idea you could figure out how shortened links were good or bad. I just keep an eye out for known URLs and also don't click on stuff that comes from untrusted sources. Thanks for the info.
One possible solution could involve some proxy monitoring for such types of links, checking the redirected-to link for safe or blacklisted content. There is no shortage for education as Mcorum suggests though. Some shortening services give you a preview of the final link though.
Educating employees is really important as I'm sure many do not realize the consequences from using the shortened URLs. Taking the extra step to notify one's IT department of any suspicious links or phishing emails can save the company a lot of headaches.

" .....it could implement an additional control that allows users to preview shortened URLs before "clucking" on them."

haha :-)