Short URLs + Twitter == flying blind?
It bubbled into my consciousness this week that shortened URLs (bit.ly is one example of a URL shortener), which have of necessity become ubiquitous, may be a social-engineering-related security risk. That’s because you have no way of knowing, before you click, exactly where a short URL is going to take you. By definition the shortened URL is a redirect to a second URL that you can’t see until you’ve clicked the short one. You’re flying blind, because you click the short URL before you know where you’re ultimately going to end up. If you fall in with unscrupulous folks on Twitter, or if someone re-tweets, they could send you short URLs leading to poisoned sites. How can you avoid this?
Mashable reported over 90 such URL-redirecting sites in January 2008. Your salvation may still lie in 1) Google scans of malware sites (the “suspected attack site” checkbox under Firefox Preferences->Security); and 2) the NoScript plug-in for Firefox.
Just incidentally, if you use TweetDeck to read your Twitter messages, any URL you click is first exposed to you in a pop-up layer so you can make your own decision on whether to continue to the ultimate destination.
There’s an article in TechRepublic from early this year on how such perfidy might take place. Here’s a thoroughly researched article on this phenomenon that appeared later on. And a similar in-depth article posted on the same day.
Malware: It’s software that does bad stuff.

