Investigating a Shortened URL

NATHAN REID

DFIR Specialist 

linkedin.png

Subscribe Here to receive Blackpanda thought leadership, webinar invitations, and cyber intelligence direct to your inbox

Shortened URLs are great for taking long, alpha-numeric character-heavy links and converting them into short and concise alternatives – perfect for reducing character count on things like social media or minimizing eye soreness in emails and other messages.

 

But when you click one of these shortened URLs, do you really know what lies on the other side? And how can you be certain that destination is friendly, and not laden with malicious intent?

 

In this article, we will cover common misuses of shortened URLs and some practical tips for investigating them.

 

Purposes for Short URLs

 

Many programs use URLs to carry session information (such as where the link is being used or where the user is coming from). The result of including all this “extra” information is often a URL that stands hundreds of characters long. For this reason, short URLs have become a convenient way for providers to publish content.

 

In addition to being convenient, URL shortening services can also provide useful statistics on the number of clicks a link receives, when, and from where.

 

If you are active on Twitter or LinkedIn, then you may already be using URL shortening without realizing it. Twitter shortens its own links automatically using the t.co domain, while LinkedIn shortens links used on the platform to avoid unsightly long links taking up the space of meaningful text. You may also notice when you share YouTube videos the provided share link is for the YouTube domain, another example of automatic shortening.

 

Misuse of Short URLs

 

A common technique used in phishing campaigns is obfuscating a malicious link, tricking the user into clicking what would otherwise be an easy-to-spot phishing attempt. One of the methods used to disguise these links is through a URL shortening service.

 

A URL shortening service takes a long link provided by a user and creates a shortened version, and a mapping between the two is maintained in an internal database. An example of a shortened URL is https://bit.ly/3eQsUNw, which when accessed redirects the user to the long URL https://www.blackpanda.com/post/17-july-2020-asia-cyber-summary.

 

The user is then able to access the long URL by visiting the short URL, making the link much easier to share across various mediums.

Passive Intelligence Collection From Link Providers

 

There are many popular URL shortening services available, and each offers their own way to investigate the original long link being shortened.

 

First is Bitly. By adding a + symbol at the end of the shortened URL we can identify the following features.

Another is TinyURL. We don’t get much information from this provider, but if you go to preview.tinyurl.com/[ID], you can identify the long link without navigating to the page.

Another service, Tiny.cc, only provides shortened URLs for whitelisted domains. If you add the tilde symbol (~) at the end of the link you can see the number of clicks over time. However, we cannot confirm that ‘clicks over time’ are accurate or updated regularly.

 

Bit.do provides an absolute wealth of information as shown below. Just add the ‘-’ (hyphen) symbol to the end of the URL to view the following display:

Lastly, the provider is.gd also requires users add a ‘-’ to the end of the link in order to view the long link without navigating to it.

Conclusion

Utilizing the above methods provides additional intelligence into an indicator used in an attack, without navigating to the attacker’s infrastructure. This is known as passive intelligence gathering and is a critical technique if you do not want to tip off the attacker.

 

Letting an attacker know that you are investigating them can lead to destructive attacks being deployed and infrastructure burned in order to cover their tracks. When this occurs, the blue team is put at a disadvantage as they no longer have the element of surprise and now do not know where this adversary is coming from.

Before using active methods ask the question: “Have I gathered enough information to detect the adversary if they change infrastructure?”.

Interested in speaking to a DFIR specialist? 

Services

Additional Resources

Copyright © 2020 Blackpanda.
All Rights Reserved.

HONG KONG

Room 37, Level 5, Core F

Cyberport 3

100 Cyberport Rd

Hong Kong

+852 6975 1099

SINGAPORE

6 Raffles Quay
#11-07
Singapore (048580)

+65 6692 9110

JAPAN

301, 2-7-18

Nishiazabu Minato-ku

Tokyo 106-0031

+81 80 2077 9824

MALAYSIA

D1-U3A-6 Solaris Dutamas

Jalan Dutamas 1

50480 Kuala Lumpur

+60 3 6206 2582

PHILIPPINES

Penthouse, World Plaza Bldg.

5th Ave., Bonifacio Global City

Taguig City 1634

+63 2 8250 6110

  • LinkedIn
  • Facebook
  • Twitter