A press query was passed to me concerning our blogs about the Russian bombings and the fact that criminals are making use of the topic to spread malware using blackhat SEO (Search Engine Optimization) and abuse of the Twitter service.

See "Russian Metro Bombings: here come the ghouls" and "Here come (more of) the ghouls" for more information on the original story.

I was a little taken aback at the query: "Were all of the links [i.e. to the Twitter profiles] shortened (bit.ly, tinyurl, etc.) or were some complete links?" So this is how I answered (shortened slightly):

The information I have from other sources has all referred to shortened URLs, and obviously blackhats make a great deal of use of them in all sorts of contexts, from SEO poisoning to comment spam to dissemination of malicious emails through spam. Which is why I normally use shortening services that offer or force a facility to preview the real URL before opening it. Not that this removes all the risk, of course, but neither do services that blacklist known bad URLs, since these can change very quickly.

Today, however, I think I see why that question was asked. Yesterday (31st March) Julien Sobrier of Zscaler published a story on "Unlike popular belief, short links on Twitter aren't malicious", which you can find here.

Sobrier suggests, based on a sample of more than 1.3 million URLs from the public Twitter timeline, that only 773 (0.06%) of the links he checked against the Zscaler web filtering service were malicious.

Well, that doesn't seem much, though if you happened to click on one of those links, you might think it was more than enough. And it seems that quite a few people were taken in by some of those Twitter links, enough to put the number of potential victims well into four figures, at least. (No, I'm not going to be more specific. This is guesswork, not statistics, though it is educated guesswork.) And, of course, Twitter is by no means the only vector for malicious URLs disguised by shortening, but that's a side issue.

There is an issue here that I can't altogether agree with, though. Sobrier explains: "I looked for malicious sites - phishing sites, malware, etc. I did not look for spam, only for pages that present a security risk to users."

I think this is problematical. In my view, spam is a security risk, for many reasons, even if it doesn't carry overt malware. At the very least, virtually all of what I'd call spam is to some extent fraudulent: phishing is a (very common) special case of messaging fraud, not a synonym for messaging fraud. Even if we assume that Zscaler accurately distinguishes between spam and malware-related messages, that suggests that if, like me, you don't regard spam as "harmless", there could be a high percentage of messages that aren't malicious but do present some sort of security risk. (Let's save any discussion of how you compare the "seriousness" of different kinds of security risk for another time. But we can agree to differ on that point.)

But there's a further issue that calls the statistic into question. Zscaler's web site makes the interesting point that "of the bad sites in our competitors list 40% were no longer malicious when Zscaler scanned them." The point there seems to be that many malicious sites are, in fact, legitimate sites that are temporarily compromised. That may be a legitimate selling point, but it introduces a difficulty as far as this survey is concerned. It suggests the possibility that an unknown percentage of the shortened URLs examined may have been compromised at the time they were shortened, but were not flagged by Zscaler's filtering because the sites were no longer compromised. Fair enough in terms of the service's protective strategy, but if URLs were shortened as part of a malicious attack, it doesn't seem altogether right to say that they aren't malicious.

When we remove a virus from an infected file, we say it's been disinfected. We don't say that it was never infected in the first place. :)

By the way, since I first answered that question, I've seen a list of the malicious URLs that ESET Latin America talked about in their blog, referenced in my second blog on the topic. And yes, all the URLs were shortened.

David Harley FBCS CITP CISSP