URL Shortening Service Cligs Hacked

A post over at Cligs talks about an intrusion into their URL shortening service.  In essence, a malicious individual got in and edited all the destination URLs to point to, likely for nefarious purposes. This exposes two problems with URL shortening services.

1) Previously, malware domains tended to be easy to spot. Their URLs tend to make less and less sense, as it is difficult to get a domain name that looks close enough to a legitimate site.  However, with URL shortening you are using a well-known and "safe" domain.  There is generally no way (for most services at least) to see the destination URL that a shortened URL points to.  On Twitter and Facebook, URL shortening services are common and no one thinks twice about them.  E-mail has become a less reliable means for phishing because of the anti-spam services involved. With URL shortening, phishing becomes easier because the link "looks legit". It's little more than an accepted form of obfuscation.

2) Most URL shortening services are not highly financed (nor do they need to be). If a URL shortening service were penetrated, it would be easy to take a popular shortened URL and modify it to point to malware instead of the intended "clean" site.  This is what happened with Cligs.

The bad news: We are behind the curve on dealing with this threat.

The good news: Some simple steps could help prevent this: "blocklisting" malicious domains from URL shortening, deactivating known malicious shortened URLs, and more real-time or near-real-time monitoring of what URLs get shortened, to shorten the detection cycle.

John Bambenek
bambenek /at/ gmail /dot/ com
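
The three steps above, sketched from the shortening service's side as an added example (not code from Cligs or from this diary). The mapping tables, short codes, domains and the 50% threshold are all constructed assumptions; the audit compares the destinations recorded at creation with the live table, which is the change an intruder editing destinations would produce.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data; every domain and short code is a placeholder.
BLOCKLIST = {"malware.example"}
CREATED = {   # destinations as recorded when each link was created
    "a1": "https://news.example/story",
    "b2": "https://blog.example/post",
    "c3": "https://shop.example/item",
    "d4": "https://cdn.malware.example/x",   # domain blocklisted after creation
}
TAMPERED = {  # live table after an intruder rewrote destinations
    "a1": "https://landing.example/promo",
    "b2": "https://landing.example/promo",
    "c3": "https://landing.example/promo",
    "d4": "https://cdn.malware.example/x",
}

def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_blocked(url, blocklist=BLOCKLIST):
    """True if the host or any parent domain is on the blocklist."""
    labels = host_of(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def audit(created, current, blocklist=BLOCKLIST, mass_threshold=0.5):
    """Compare the creation-time table with the live table.

    Returns (codes_to_deactivate, changed_codes, mass_rewrite_host).
    """
    # Step 1 and 2: links whose destination is blocklisted get deactivated.
    deactivate = sorted(c for c, u in current.items() if is_blocked(u, blocklist))
    # Step 3: monitoring for destinations that differ from what was created.
    changed = sorted(c for c, u in current.items()
                     if c in created and created[c] != u)
    mass_host = None
    if changed:
        host, n = Counter(host_of(current[c]) for c in changed).most_common(1)[0]
        # A large share of links rewritten to one host signals a mass edit.
        if n / len(current) >= mass_threshold:
            mass_host = host
    return deactivate, changed, mass_host
```

Running `audit(CREATED, TAMPERED)` flags `d4` for deactivation and reports the three rewritten codes together with the single host they now share.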




262 Posts
ISC Handler
Jun 16th 2009
That's what they get for allowing people to edit the URLs after they've been entered into the system. Last I checked, TinyURL doesn't allow editing.
You should always preview the domain before accessing it. TinyURL supports it (go to instead) and for the others you can verify at:

It will retrieve the real URL and check against Google Safe Browsing and SiteAdvisor.
