I spend a lot of time on social networks and have become much more savvy to the tricks that scammers use to gain access to your online accounts. I wanted to write this quick post to raise awareness about the potential dangers of clicking unsolicited shortened links. Since the advent of twitter and its 140-character messages, the use of URL shortening services that allow users to fit links into individual tweets has sky-rocketed. I do it as a matter of course on my twitter feed, for instance using the built-in WordPress URL shortener to publicise blog posts such as the one you are reading now. As long as you know and trust the user who has supplied the link there is little to be worried about. But last night, I was Direct Messaged (DM’d) by someone on twitter who I had recently started following, but did not personally know. The message made me instantly want to click it and find out more…
But I didn’t, because the message didn’t feel right coming from that person, and furthermore I did not recognise the URL shortener used; it was not one of the usual ones such as fb.me, is.gd, t.co or bit.ly. Also, nowadays you can usually hover over a shortened link and the service you are using (twitter, facebook etc.) will give you an automatic preview. This was unavailable on this link – another red flag. The final indicator of fishiness was that I couldn’t DM the user back, because they weren’t even following my account – very odd for someone who appeared to know me as intimately as the DM suggested. So I contacted the user and asked if they’d sent me the message, and they immediately apologised and said they hadn’t. It appears that someone had gained control of their account and DM-spammed their follower list. So I looked into the link a little further using the link-expanding service longurl.org, which finds where a shortened link actually sends you without you having to click it. This was the result:
From that you can see the final long URL ending in twitter-login – no doubt a fake page and a common phishing scam. If you clicked the link, it would take you to a page that looks just like the official twitter login page, into which you would supposedly enter your username and password to view the link. If you were to do this, the third party would now have all the information needed to do whatever they liked with your twitter account. Not only this, if you use the same password for other social networks you are at further risk of being compromised…
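The two checks the post describes by hand, expanding the short link without visiting the landing page and then noticing that the destination only pretends to be twitter, can both be automated. The code below is an added example and is not from the original post or from longurl.org; it walks the HTTP redirect chain one hop at a time using only the status code and Location header of each response, never fetching the final page, and then flags a landing URL that mentions a brand on a domain that brand does not own or serves a login page over plain http. The redirect table, the hostnames in it and the brand-to-domain mapping are constructed for the example; `live_head` shows the same hop against a real network and is not exercised here.

```python
"""Expand a shortened link hop by hop and check where it really lands (added example)."""
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}
HeadFetcher = Callable[[str], Tuple[int, Optional[str]]]

# Constructed stand-in for the network: URL -> (status code, Location header).
# All hosts are invented; "twitter-login" mirrors the suffix the post describes.
CONSTRUCTED_REDIRECTS: Dict[str, Tuple[int, Optional[str]]] = {
    "http://shrt.example/abc": (301, "http://hop.example/r?x=1"),
    "http://hop.example/r?x=1": (302, "http://secure-update.example/twitter-login"),
    "http://secure-update.example/twitter-login": (200, None),
    "http://shrt.example/ok": (301, "https://twitter.com/login"),
    "https://twitter.com/login": (200, None),
    "http://shrt.example/loop": (302, "http://shrt.example/loop2"),
    "http://shrt.example/loop2": (302, "http://shrt.example/loop"),
}


def fake_head(url: str) -> Tuple[int, Optional[str]]:
    """Offline fetcher backed by the constructed table (unknown URL -> 404)."""
    return CONSTRUCTED_REDIRECTS.get(url, (404, None))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so every hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_head(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Real-network fetcher: a single HEAD request whose redirect is left unfollowed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 3xx surfaces here once redirects are disabled
        return err.code, err.headers.get("Location")


def expand_url(url: str, fetch: HeadFetcher = fake_head, max_hops: int = 10) -> List[str]:
    """Return the redirect chain: first element is the input, last is the landing URL."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)  # Location may be relative to the current URL
        if nxt in chain:
            raise ValueError(f"redirect loop at {nxt}")
        chain.append(nxt)
    raise ValueError(f"more than {max_hops} redirects")


# Brand keyword -> domains that legitimately carry it (assumed mapping for the example).
BRAND_DOMAINS = {"twitter": {"twitter.com", "t.co"}, "facebook": {"facebook.com", "fb.me"}}


def registered_domain(host: str) -> str:
    """Last two labels, e.g. 'login.twitter.com' -> 'twitter.com'.
    Simplification: ignores multi-label public suffixes such as .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def assess_destination(final_url: str) -> List[str]:
    """Reasons the landing URL looks like a credential-phishing page (empty list = nothing flagged)."""
    parts = urlsplit(final_url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    reg = registered_domain(host)
    reasons = []
    for brand, legit in BRAND_DOMAINS.items():
        if (brand in host or brand in path) and reg not in legit:
            reasons.append(f"'{brand}' used on non-{brand} domain {reg}")
    if "login" in path and parts.scheme != "https":
        reasons.append("login page served over plain http")
    return reasons


def inspect_link(url: str, fetch: HeadFetcher = fake_head) -> Dict[str, object]:
    """Expand a link and assess its destination without ever loading the landing page."""
    try:
        chain = expand_url(url, fetch)
    except ValueError as err:
        return {"chain": [url], "error": str(err), "reasons": ["redirect chain did not terminate"]}
    return {"chain": chain, "error": None, "reasons": assess_destination(chain[-1])}


if __name__ == "__main__":
    for short in ("http://shrt.example/abc", "http://shrt.example/ok", "http://shrt.example/loop"):
        print(short, "->", inspect_link(short))
```

Swapping `fetch=live_head` into `inspect_link` runs the same logic against a real short link; the HEAD-only, one-hop-at-a-time design is what keeps the landing page from ever being rendered on your machine.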
I then posted about this on my personal Facebook account and it seems that others had actually clicked on similar links and had got to the fake twitter login page, but recognised it for the scam it was and went no further. Unfortunately it seems that the account that I received the original DM from had fallen for this scam. But no real harm done: in this case the result was a change of password and a lesson learnt.
As an add-on, even after this I almost slipped up talking about this on facebook – I copied the entire original DM into my facebook post, including the full dodgy shortened link, which facebook in its automated beauty decided to give a big fat hot-link to when I completed the post. I very quickly removed the link!
In the grand scheme of things this is not a particularly malicious use of shortened links, but the unsuspecting user could be forwarded to any number of more aggressively booby-trapped websites, and that is something every user should be aware of.
N.B. If you look closely at the second image, I actually used a re-shortened version of the link (the one I used to communicate with the original participant) to find the destination URL through longurl. It means I have to write this little clarification, but it also shows that longurl.org is very effective at doing what it says on the tin.
Interesting post Dave. I haven’t bothered getting into Twitter but it does seem to be harder to spot fakes when you compare it to something more usually lengthy like email and therefore potentially quite risky. If I ever do I will bear your advice in mind. Over the last two years I’ve been struck by the amount of email I have been getting from life class members both current and from the dim distant past who’ve had their emails hacked into. (A lot of people, as I used to have their email set up to automatically put whoever it is they are contacting into their address book.) There was a time when it was about 3 or 4 a week. Not exactly vast amounts but enough to make me think twice about Hotmail in particular, which is a pity because it’s currently got some pretty nifty features.
Hi Will, nice to hear from you :D
Twitter is a very much misunderstood beast – I am a big advocate for its usage. It’s by far and away the best source for live information on what’s happening anywhere in the world and a fantastic publishing/networking tool to boot. Don’t be scared of it! The scams are the same across any platform; twitter is no better or worse than the other social networks for being targeted by scammers.
I’ve used many email clients including hotmail and without a shadow of a doubt gmail is the best by a very, very, very long way. I would advise anyone to go with Google.
Looking forward to catching up with you in the new term – see you there!
good point ^^