{"id":21576,"date":"2023-08-25T15:53:24","date_gmt":"2023-08-25T11:53:24","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/link-shorteners-privacy-security\/21576\/"},"modified":"2023-08-25T15:53:24","modified_gmt":"2023-08-25T11:53:24","slug":"link-shorteners-privacy-security","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/link-shorteners-privacy-security\/21576\/","title":{"rendered":"The perils of short links"},"content":{"rendered":"<p>Short links are everywhere these days. All these <em>bit.ly<\/em>, <em>ow.ly<\/em>, <em>t.co<\/em>, <em>t.me<\/em>, <em>tinyurl.com<\/em> and the like have long since become a familiar part of the online landscape. So familiar, in fact, that most users click on them without thinking twice. But thinking is never a bad thing. With that in mind, we explain below how short links work and what privacy and security threats they can pose.<\/p>\n<h2>What happens when you click on a short link?<\/h2>\n<p>When you click on a short link, you <em>almost<\/em> go straight to the intended destination, which is the address specified by the user who created the link. Almost, but not quite: the actual route takes a quick detour via the URL shortener service.<\/p>\n<p>The more efficient the service, the quicker this takes, and the smoother the transition to the end stop. Of course, the delay feels insignificant only to a person \u2014 we humans are rather slow. But for an electronic system, it\u2019s more than long enough to get up to all kinds of activity, which we\u2019ll discuss below.<\/p>\n<p>Why short links? The main reason is one of space: making a long link shorter means it takes up less of the screen (think mobile devices) and doesn\u2019t eat up the character limit (think social media posts). Alas, that\u2019s not all there is to it. The creators of short links may be pursuing their own goals, not necessarily driven by concern for users. 
Let\u2019s talk about them.<\/p>\n<h2>Short links and user tracking<\/h2>\n<p>Have you ever wondered why many internet links are so long and <em>unsightly<\/em>? It\u2019s usually because links encode all kinds of parameters for tracking click-throughs, so-called <a href=\"https:\/\/en.wikipedia.org\/wiki\/UTM_parameters\" target=\"_blank\" rel=\"nofollow noopener\">UTM tags<\/a>.<\/p>\n<p>Usually, these tags are deployed to determine where the user clicked on the link, and thus to evaluate the effectiveness of ad campaigns, placement on blogger pages, and so on. This is not done in the name of user convenience, of course, but for digital marketing.<\/p>\n<p>In most cases, this is a fairly harmless form of tracking that doesn\u2019t necessarily collect data from link clickers: often marketers are just interested in the source of traffic. But since this additional \u201cpackaging\u201d doesn\u2019t look very aesthetic, and often makes the URL insanely long, shortener services are often brought into play.<\/p>\n<p>What\u2019s more unpleasant from a privacy point of view is that URL shorteners don\u2019t limit themselves to redirecting users to the destination address. They also tend to harvest a host of statistics about the link clickers \u2014 so your data ends up in the hands not only of the creator of the short link through embedded UTM tags, but also of the owners of the URL shortener. Of course, this is the internet, and everyone collects some kind of statistics, but using a short link introduces another intermediary that holds data on you.<\/p>\n<h2>Disguised malicious links<\/h2>\n<p>Besides violating your privacy, short links can threaten the security of your devices and data. As we never tire of repeating: <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-yourself-from-phishing\/42317\/\" target=\"_blank\" rel=\"noopener nofollow\">always carefully check links<\/a> before clicking on them. 
But with short links, a problem arises: you never know for sure where it is you\u2019ll be taken.<\/p>\n<p>If cybercriminals use short links, the advice to check them becomes meaningless: you can only find out where a link points after clicking. And by then it may be too late \u2014 if the attackers exploit a <a href=\"https:\/\/www.kaspersky.com\/blog\/chrome-vulnerability-april-2023\/47946\/\" target=\"_blank\" rel=\"noopener nofollow\">zero-click vulnerability in the browser<\/a>, the infection can occur as soon as you land on the malicious site.<\/p>\n<h2>Short links and dynamic redirects<\/h2>\n<p>Cybercriminals can also use link-shortening tools to change the target address as the need arises. Suppose that some attackers bought a database of millions of email addresses and used it to send out phishing messages with some kind of link. But here\u2019s the problem (for the attackers): the phishing site they created was quickly discovered and blocked. Rehosting it at a different address is not an issue, but then they would have to resend all the phishing mailshots.<\/p>\n<p>The solution (again, for the attackers) is to use a \u201cshimming\u201d service, which makes it possible to quickly change the URL users will visit. And the role of \u201cshims\u201d here can be played by URL shorteners, including ones originally created with dubious intentions in mind.<\/p>\n<p>With this approach, a link to the shimming service is added to the phishing email, which redirects victims to the phishers\u2019 site at their currently active address. Often, multiple redirects are used to further muddy the trail. And if the destination phishing site gets blocked, the cybercriminals simply host it at a new address, change the link in the shim, and the attack continues.<\/p>\n<h2>Man-in-the-middle attacks<\/h2>\n<p>Some link-shortening tools, such as <em>Sniply<\/em>, offer users more than just shorter links. 
They allow tracking the actions of link clickers on the actual destination site, which is effectively a <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/man-in-the-middle-attack\/\" target=\"_blank\" rel=\"noopener\">man-in-the-middle<\/a> attack: traffic passes through an intermediate service node that monitors all data exchanged between the user and the destination site. Thus, the URL shortener can intercept anything it wants: entered credentials, social network messages, and so on.<\/p>\n<h2>Personal spying<\/h2>\n<p>In most cases, short links intended for mass use are placed in social network posts or on web pages. But additional risks arise if one was sent to you personally \u2014 in a messenger or an email to your personal or work address. Using such links, an attacker who already has some information about you can redirect you to a phishing site where your personal data is pre-filled. For example, to a copy of a banking site with a valid username and a request to enter your password, or to the \u201cpayment gateway\u201d of some service with your bank card number pre-filled, asking you to enter a security code.<\/p>\n<p>What\u2019s more, such links can be used for <a href=\"https:\/\/www.kaspersky.com\/blog\/doxing-of-women\/46812\/\" target=\"_blank\" rel=\"noopener nofollow\">doxing<\/a> and <a href=\"https:\/\/www.kaspersky.com\/blog\/doxing-methods\/39651\/\" target=\"_blank\" rel=\"noopener nofollow\">other types of tracking<\/a>, especially if the URL shortener service offers advanced functionality. For instance, our recent post about <a href=\"https:\/\/www.kaspersky.com\/blog\/twitch-streamers-privacy-and-security-howto\/48791\/\" target=\"_blank\" rel=\"noopener nofollow\">protecting privacy in Twitch<\/a> looked in detail at ways to de-anonymize streamers and how to counter them.<\/p>\n<h2>How to stay protected<\/h2>\n<p>What to do about it? 
We could advise never to click on short links, but, in the vast majority of cases, URL shorteners are used for legitimate purposes, and short links have become so common that total avoidance isn\u2019t really an option. That said, we do recommend that you pay special attention to short links sent to you in direct messages and emails. You can inspect such links before clicking by copying and pasting them into a tool for checking short links, such as <a href=\"https:\/\/getlinkinfo.com\/\" target=\"_blank\" rel=\"nofollow noopener\">GetLinkInfo<\/a> or <a href=\"https:\/\/unshorten.it\/\" target=\"_blank\" rel=\"nofollow noopener\">UnshortenIt<\/a>.<\/p>\n<p>However, there is a simpler method: a high-quality security solution with an integrated approach that takes care of security and privacy at the same time. For example, our <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a> has a Private Browsing component that blocks most known online trackers and thus prevents your online activities from being monitored.<\/p>\n<p>Our products also offer protection against online fraud and phishing, so rest assured that <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0will warn you in good time before landing on a dangerous site \u2014 even if the link was shortened. 
And, of course, the antivirus will guard against any attempts to infect your devices \u2014 including ones exploiting as-yet-unknown vulnerabilities.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How URL shorteners work, how they can be used, and the privacy and security threats they pose.<\/p>\n","protected":false},"author":2726,"featured_media":21577,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225,1486,9],"tags":[2622,36,76,43,695,97,240,683,521,783],"class_list":{"0":"post-21576","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-threats","9":"category-tips","10":"tag-links","11":"tag-malware-2","12":"tag-phishing","13":"tag-privacy","14":"tag-scam","15":"tag-security-2","16":"tag-spam","17":"tag-spying","18":"tag-threats","19":"tag-tracking"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/link-shorteners-privacy-security\/21576\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/link-shorteners-privacy-security\/26114\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/link-shorteners-privacy-security\/10977\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/link-shorteners-privacy-security\/28806\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/link-shorteners-privacy-security\/26422\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/link-shorteners-privacy-security\/26671\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/link-shorteners-privacy-security\/29163\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/link-shorteners-privacy-security\/28018\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/link-shorteners-privacy-security\/4885
6\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/link-shorteners-privacy-security\/20986\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/link-shorteners-privacy-security\/21756\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/link-shorteners-privacy-security\/30479\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/link-shorteners-privacy-security\/34593\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/link-shorteners-privacy-security\/32415\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/link-shorteners-privacy-security\/32080\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/privacy\/","name":"privacy"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=21576"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/21576\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/21577"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=21576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=21576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=21576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}