3d humanoid character push a button on a black background

Obfuscated URLs, where is that link taking you?

What is a URL?

A URL (uniform resource locator) is a pointer to a web resource (usually a site) and a mechanism to retrieve it. Most of the times when people use this term they will mean a clickable link to a website.

URL shorteners

URL shorteners were invented to enable users to post URLs in messages where they only have a (very) limited number of tokens to send (e.g. Twitter, who use their own shortening-service at t.co).

twitter

The URL shorteners can also have their usefulness if the receiver has to manually type the URL instead of copy and paste it.

Abuse

As with many other things, soon after the “use” came the “abuse”. URL shortening was used to circumvent blacklists, beautify links you would normally never had clicked and fool people into thinking they were visiting a site while it was just an imitation.

Scammers have been known to use this technique to trick their victims into visiting sites. Consider for example this URL : safe to click. First of all we have to hover over the link the read the URL. In the URL we see bit.ly and that tells the experienced reader we are dealing with a shortened URL, because bitly.com is one of the sites that offers a shortening service.

Countermeasures

For scammers the fact that the victim can’t see where the URL leads is a big advantage. So when sites like tinyurl.com started to offer a site where we can preview where their shortened links lead, scammers started using their own URL shorteners. Without offering preview services obviously. So sites like longurl.org and CheckShortURL.com started to come up, where you can preview shortened links from many, many URL shortening services.

lengthener

Time for another quick glance at our example. The preview above for http://bit.ly/1hQyL83 URL could lead you to believe that you will visit some Google results. But if you actually click it you “should” end up on my profile at the Malwarebytes Unpacked blog.

Check links using stats

Some URL shortening services also offer the option to check the URLs by looking at the statistics of that URL. In the case of a bit.ly URL you can view this by simply adding a “+ “ sign at the end of the URL, like this https://bitly.com/1hQyL83+. With goo.gl you can have a look at the statistics by adding “.info” at the end of the URL.

Encoded search engine URLs

The other technique I used in my example was to use the link I copied from the Google search results. The actual URL can be read in the switch url=https%3A%2F%2Fblog.malwarebytes.org%2Fauthor%2Fmetallicamvp where “%3A” stands for “:” and “%2F” = “/” This conversion is called URL encoding and although unintentional, it does not make them easier to read.

Precautions

In the course of this article we have handed you a few tools to investigate links that you don’t trust. We realize that this is a lot of work. We didn’t use this many links in this article by accident. Always at least consider the source. That link in the mail claiming your long lost uncle left you a fortune might not be what it seems to be. Also there are many safe-browsing tools that can help you to avoid online scams and other untrustworthy sites. Another recommendation is Malwarebytes Anti-Exploit that can protect you in case scammers lead you to a site that wants to infect you with malware.

As always: Save yourself the hassle and get protected.

Resources:

CheckShortURL

W3Schools: URL Encoding

 

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.