NEWS FROM THE LAB - Monday, April 18, 2011

The Increasingly Shapeshifting Web
Posted by Sean @ 17:27 GMT

Short URL services are problematic, and they are becoming even more so in combination with IP location technologies.

From twitter.com earlier today:


If you look closely, you'll notice it's one spambot, @olasher, replying to another spambot, @MorabsShimb3554. Lame, right?

Well, the @olasher account was too obvious; Twitter suspended it within hours of its creation. The @MorabsShimb3554 account is more subtle, however, and attempts to fly under the radar (successfully so far) by asking the reader to "copy & paste" the ow.ly link.

The ow.ly short link redirects through maxbounty.com and, from Finland, lands on http://fi.toluna.com/Register.aspx with an affiliate ID attached, which is how the spammer hopes to make money.

There's no good way of telling just how many sites the ow.ly link opens; it depends entirely on the user's point of origin (IP address) and the number of MaxBounty commissions.

Twitter has a very nice tool tip feature that attempts to help by expanding short URLs, but it suffers from being too USA-centric. The links displayed are based on twitter.com's home IP address. It works great for legitimate links, but not always so well for spammy and/or malicious links, because results vary according to location.

And sometimes Twitter can't expand to the end point for some other reason.

Let's look at the link that was being pushed by @olasher:


It pointed to adf.ly, another short URL service, one which attempts to monetize short URLs with an advertisement that the viewer needs to click past.


From a Finnish-based IP address, the adf.ly URL will open to legitimate sites such as Groupon's citydeal.fi. Again, with an affiliate ID attached. There could be many dozens of variations within Europe alone.

[Image: Groupon, CityDeal]

Once you click to skip the ad, you'll be directed to amazon.com.

[Image: Amazon affiliate iPad]

And yes, there's another affiliate ID on the iPad 2 page as well.

All of the links used in this example are rather harmless. Unfortunately, short URL services with IP location technologies and benign affiliate ID spam are just the tip of the iceberg. More malicious links are on the horizon.

So what can be done?

Feature suggestion to bit.ly et al.: disallow URLs that point to other short URL services; there's no real legitimate reason for this.
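
One way a short URL service could enforce the suggestion above, as an added example (not code from the original post or from any of the services named). The domain list, function names and the sample redirect map are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed blocklist: only the services named in this post; a real list is longer.
SHORTENER_DOMAINS = {"ow.ly", "adf.ly", "bit.ly"}

def shortener_host(url):
    """Return the shortener domain that url's host equals or is a subdomain of, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # .hostname drops userinfo and port and lowercases; also drop a trailing dot.
    labels = (parts.hostname or "").rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in SHORTENER_DOMAINS:
            return candidate
    return None

def check_submission(target, resolve, max_hops=5):
    """Decide whether to accept `target` as the destination of a new short link.

    resolve(url) returns the next URL if url answers with a redirect, else None.
    It is injected so the example runs offline. Caveat from the post: a live
    resolver only sees the chain served to the checker's own IP address, so the
    direct host check at hop 0 is the dependable part of this policy.
    """
    seen, url = set(), target
    for hop in range(max_hops + 1):
        hit = shortener_host(url)
        if hit:
            return (False, f"hop {hop}: {hit} is a short URL service")
        if url in seen:
            return (False, "redirect loop")
        seen.add(url)
        nxt = resolve(url)
        if nxt is None:
            return (True, "ok")
        url = nxt
    return (False, "too many redirects")

# Constructed redirect map standing in for live HTTP lookups.
SAMPLE_CHAIN = {
    "http://tracker.example/c?id=1": "http://adf.ly/abc123",
    "http://landing.example/": None,
}

if __name__ == "__main__":
    for t in ("adf.ly/abc123", "http://tracker.example/c?id=1", "http://landing.example/"):
        print(t, check_submission(t, SAMPLE_CHAIN.get))
```
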

Short URLs are useful. Please make them less so for spammers and scareware vendors.