Two years of short URLs internet measurement: security threats and countermeasures
Authors:Federico Maggi, Alessandro Frossi, Stefano Zanero, Gianluca Stringhini, Brett Stone-Gross, Christopher Kruegel, Giovanni Vigna
Proceedings of the 22nd international conference on World Wide Web (WWW)
Journal Article
Abstract
URL shortening services have become extremely popular. However, it is still unclear whether they are an effective and reliable tool that can be leveraged to hide malicious URLs, and to what extent these abuses can impact the end users. With these questions in mind, we first analyzed existing countermeasures adopted by popular shortening services. Surprisingly, we found such countermeasures to be ineffective and trivial to bypass. This first measurement motivated us to proceed further with a large-scale collection of the HTTP interactions that originate when web users access live pages that contain short URLs. To this end, we monitored 622 distinct URL shortening services between March 2010 and April 2012, and collected 24,953,881 distinct short URLs. With this large dataset, we studied the abuse of short URLs. Despite short URLs are a significant, new security risk, in accordance with the reports resulting from the observation of the overall phishing and spamming activity, we found that only a relatively small fraction of users ever encountered malicious short URLs. Interestingly, during the second year of measurement, we noticed an increased percentage of short URLs being abused for drive-by download campaigns and a decreased percentage of short URLs being abused for spam campaigns. In addition to these security-related findings, our unique monitoring infrastructure and large dataset allowed us to complement previous research on short URLs and analyze these web services from the user's perspective.
@InProceedings{ maggi_longshore_2013,
abstract = {URL shortening services have become extremely popular.
However, it is still unclear whether they are an effective
and reliable tool that can be leveraged to hide malicious
URLs, and to what extent these abuses can impact the end
users. With these questions in mind, we first analyzed
existing countermeasures adopted by popular shortening
services. Surprisingly, we found such countermeasures to be
ineffective and trivial to bypass. This first measurement
motivated us to proceed further with a large-scale
collection of the HTTP interactions that originate when web
users access live pages that contain short URLs. To this
end, we monitored 622 distinct URL shortening services
between March 2010 and April 2012, and collected 24,953,881
distinct short URLs. With this large dataset, we studied
the abuse of short URLs. Despite short URLs are a
significant, new security risk, in accordance with the
reports resulting from the observation of the overall
phishing and spamming activity, we found that only a
relatively small fraction of users ever encountered
malicious short URLs. Interestingly, during the second year
of measurement, we noticed an increased percentage of short
URLs being abused for drive-by download campaigns and a
decreased percentage of short URLs being abused for spam
campaigns. In addition to these security-related findings,
our unique monitoring infrastructure and large dataset
allowed us to complement previous research on short URLs
and analyze these web services from the user's
perspective.},
author = {Maggi, Federico and Frossi, Alessandro and Zanero, Stefano
and Stringhini, Gianluca and Stone-Gross, Brett and
Kruegel, Christopher and Vigna, Giovanni},
booktitle = {Proceedings of the 22nd international conference on World
Wide Web (WWW)},
date = {2013-05},
file = {files/papers/conference-papers/maggi_longshore_2013.pdf},
isbn = {978-1-4503-2035-1},
location = {Republic and Canton of Geneva, Switzerland},
pages = {861--872},
publisher = {International World Wide Web Conferences Steering
Committee},
shorttitle = {LongShore},
title = {Two years of short URLs internet measurement: security
threats and countermeasures}}