50 votes

How I accidentally made my link shortener into a malware honeypot

21 comments

  1. [18]
    skybrian
    Link
    From the article: Saved as an article to point to when people ask why we can’t have nice things.

    From the article:

    Malware came on day one. Some of the very earliest links that were submitted were obviously phishing links: fake login pages for Microsoft Online, made in free website builders. It dawned on me that of all the people most incentivized to find new free link shorteners are cybercriminals who keep getting banned from the other ones! They need link shorteners to obscure their traffic and make it harder to block their malicious pages.

    Saved as an article to point to when people ask why we can’t have nice things.

    61 votes
    1. [18]
      Comment deleted by author
      Link Parent
      1. [3]
        Minori
        Link Parent
        I've used link shorteners and QR codes for presentations. Phones can easily scan the QR code while laptops can quickly type in a short link.

        I've used link shorteners and QR codes for presentations. Phones can easily scan the QR code while laptops can quickly type in a short link.

        28 votes
        1. [2]
          TheBeacon
          Link Parent
          Also link shorteners in QR codes. The more data a QR code needs to store the smaller and more numerous the dots get, which can matter in bad lighting conditions, when using poor quality printers...

          Also link shorteners in QR codes.

          The more data a QR code needs to store the smaller and more numerous the dots get, which can matter in bad lighting conditions, when using poor quality printers or small print sizes, or the scanning devices have low resolution cameras.

          With less data you can also go ham on QR code decorations like company logos, or even whole QR code art, since you have more room for error correction which is what keeps it functional in spite of alterations.

          16 votes
          1. turmacar
            Link Parent
            Also rfid/nfc tags for the same reason, space is limited.

            Also rfid/nfc tags for the same reason, space is limited.

            1 vote
      2. [3]
        skybrian
        (edited )
        Link Parent
        When using HTML or Markdown you don't need them, but some forums like Hacker News don't support it. Instead you post the full URL, and it automatically links it. These long URL's are clutter. My...

        When using HTML or Markdown you don't need them, but some forums like Hacker News don't support it. Instead you post the full URL, and it automatically links it.

        These long URL's are clutter. My workaround is to put the link in a footnote, rather than using a link shortener.

        Also, some people like the analytics, so they can see if anyone clicked.

        Edit: also, Tildes topic URL's are technically somewhat like a link shortener. The last part of the URL is optional. (Though without the problems, since they only go to Tildes pages.)

        15 votes
        1. [2]
          SirDeviant
          Link Parent
          Some forums don't allow hyperlinks to prevent disguising a malicious link as a safe one. E.g. [google.com](malware.com) Discord used to prevent hyperlinks outside of webhooks, but it seems like...

          Some forums don't allow hyperlinks to prevent disguising a malicious link as a safe one.

          E.g. [google.com](malware.com)

          Discord used to prevent hyperlinks outside of webhooks, but it seems like they're rolling that feature out.

          6 votes
          1. Minty
            Link Parent
            The shortening should happen automatically and out of control of the user, I believe. Always showing the domain and the path, then it depends on the total length.

            The shortening should happen automatically and out of control of the user, I believe. Always showing the domain and the path, then it depends on the total length.

            1 vote
      3. JCPhoenix
        Link Parent
        Physical media. ie Paper. It's nice to have a nice short sweet link to a webpage. QR codes are certainly a way around that. Though QR codes might be problematic if the brochure or letter has...

        Physical media. ie Paper. It's nice to have a nice short sweet link to a webpage. QR codes are certainly a way around that. Though QR codes might be problematic if the brochure or letter has several links, but then again, a QR code to a website could then serve all those other links.

        10 votes
      4. DeaconBlue
        Link Parent
        They are nice when you want to physically take a link to another computer for whatever reason, which doesn't happen to me as often as it used to. On occasion though, it is faster and easier to...

        They are nice when you want to physically take a link to another computer for whatever reason, which doesn't happen to me as often as it used to.

        On occasion though, it is faster and easier to write down urlshortener/abc123 on a post it note and pocket it than alternatives.

        9 votes
      5. jackson
        Link Parent
        I have a private shortener that I use for presentations- I manually edit a Cloudflare K/V table to create a new link, so no risk of malware being distributed through it. Looks nice since it's on...

        I have a private shortener that I use for presentations- I manually edit a Cloudflare K/V table to create a new link, so no risk of malware being distributed through it.

        Looks nice since it's on my own domain, works great for QR codes (which work better at a distance when they're simple), and allows people to quickly type them in if they don't want to use their phones.

        I don't use it too terribly much, but it's running on a serverless function so it's not like I'm paying to run it 24/7 (usage has always fallen into free tier anyways).

        I've also implemented URL shorteners in applications as a part of the app, but that's again been done without an actual UI, just to make ridiculously long URLs (like data display configurations) presentable. Those usually don't make the URL "short," the unique reference is just a UUID, but it's an improvement from the several hundred character length of the original URL.

        9 votes
      6. [2]
        unkz
        Link Parent
        One interesting use is to link to articles by organizations that you hate and don’t want to pass any SEO benefits to by sharing bare links, eg if you wanted to link to some particular post on...

        One interesting use is to link to articles by organizations that you hate and don’t want to pass any SEO benefits to by sharing bare links, eg if you wanted to link to some particular post on stormfront‘a website. There is a shortener just for that purpose but, amusingly, I forget the URL.

        5 votes
        1. [2]
          Comment deleted by author
          Link Parent
          1. unkz
            Link Parent
            The link shortener I was thinking of is donotlink.com but it turns out it's dead now. Most other link shorteners will pass SEO strength along with them though, as you have to explicitly tell...

            The link shortener I was thinking of is donotlink.com but it turns out it's dead now. Most other link shorteners will pass SEO strength along with them though, as you have to explicitly tell google not to follow the redirect, which I don't think many of them do.

            3 votes
      7. [3]
        em-dash
        Link Parent
        I used to maintain one at a past job. We used it to shorten links in SMS messages because modern URLs are huge and we paid per 160-character segment.

        I used to maintain one at a past job. We used it to shorten links in SMS messages because modern URLs are huge and we paid per 160-character segment.

        5 votes
        1. [3]
          Comment deleted by author
          Link Parent
          1. em-dash
            Link Parent
            Our links were mostly user content (the application was a messaging thing, we had an app and a website but also supported SMS delivery). We got quite a few angry emails from Amazon for "hosting"...

            Our links were mostly user content (the application was a messaging thing, we had an app and a website but also supported SMS delivery).

            We got quite a few angry emails from Amazon for "hosting" phishing/scam sites. You'd think having a way to report messages containing malicious links and then banning the users and deleting their links would be enough, but no, these people were more clever than that: they'd register two accounts, send a link to themselves, and then take the shortened link and use it elsewhere to try to scam people. We wouldn't know until we got another angry email from Amazon. Most people weren't smart and/or motivated enough to find out who runs a link shortener and go report it to their host, so they'd often be in use for weeks or months by that time.

            In the end, what seemed to work the best was shadowbanning domains: we'd check if we were about to redirect to anything in the list, and if so, silently delete that short link and 404 the request instead. I assume this made the process just annoying enough for them to go abuse someone else's link shortener. When I left the company, the list was only about 10 domains long and hadn't changed in months.

            4 votes
          2. ThrowdoBaggins
            Link Parent
            That’s a tricky situation — unless I’m getting a bunch of shortened links from the same company in a short enough time span to learn that they’re legit, customised branded link shorteners look a...

            That’s a tricky situation — unless I’m getting a bunch of shortened links from the same company in a short enough time span to learn that they’re legit, customised branded link shorteners look a lot like feeble phishing attempts to my untrained eye.

            I know I reported several SMS in the span of two or three months to a government scamwatch program because I didn’t realise Australia Post recently adopted their own link shortener, and I even missed a parcel because I assumed the link was malicious (“your parcel is due for delivery later today, click this unfamiliar link to allow us to leave it in a safe place if nobody is home”)

      8. OBLIVIATER
        Link Parent
        They used to be a lot more useful than they are now. With things like Linktree and the like, they've become less useful.

        They used to be a lot more useful than they are now. With things like Linktree and the like, they've become less useful.

        3 votes
      9. [2]
        papasquat
        Link Parent
        They're useful in any situation where a human needs to type in a URL, especially with a url with a lot of parameters. Think of a business card, or a flyer, or a poster.

        They're useful in any situation where a human needs to type in a URL, especially with a url with a lot of parameters. Think of a business card, or a flyer, or a poster.

        1 vote
        1. [2]
          Comment deleted by author
          Link Parent
          1. skybrian
            Link Parent
            There are also link shorteners that are used within an organization. Here’s an article about how it’s done at Google.

            There are also link shorteners that are used within an organization. Here’s an article about how it’s done at Google.

            1 vote
  2. [3]
    devalexwhite
    Link
    I used to run MetaShort, a link shortener that allowed one to change the title/description/image that show up when you share a link on social media. While it was used by a lot of legitimate users...

    I used to run MetaShort, a link shortener that allowed one to change the title/description/image that show up when you share a link on social media. While it was used by a lot of legitimate users (especially my paying customers), it obviously attracted many nefarious users as well (think changing the the summary of a news article while keeping the legit URL).

    While I tried to keep up with scrubbing out bad actors, I eventually got blacklisted by Twitter, which basically killed the service. I probably should have followed the authors direction and restricted it to paying users only.

    17 votes
    1. [3]
      Comment deleted by author
      Link Parent
      1. [2]
        langis_on
        Link Parent
        Every single article posted on Facebook by big media companies is overrun with scammers who use link shorteners like this.

        Every single article posted on Facebook by big media companies is overrun with scammers who use link shorteners like this.

        3 votes
        1. [2]
          Comment deleted by author
          Link Parent
          1. langis_on
            Link Parent
            Actually I was wrong. They don't use link shorteners, they just link to different accounts pages where then they push their scams. I've noticed a lot of scammers just make fake Google sites and...

            Actually I was wrong. They don't use link shorteners, they just link to different accounts pages where then they push their scams. I've noticed a lot of scammers just make fake Google sites and push their stuff with that as well. If you go click on any WashingtonPost article, you'll see what I mean.

            2 votes