A Defensive Computing Checklist    by Michael Horowitz

NOTE: I gave a presentation on Defensive Computing at the HOPE conference in July 2022

HOME | Full Site Index | Domain Names | VPNs | iOS | Android | About | Rules of the Road | DC Presentation |

LINK EXPANDERS, URL EXPANDERS

The problem with URL shorteners (aka link shorteners), such as bit.ly, Twitter's t.co and Flipboard's flip.it, is that they hide the ultimate destination of a link. You can check where a shortened link actually leads using assorted Link Expanders (aka URL Expanders).

November 12, 2022: This topic used to have a single list, now there are two. This happened when someone I know was sent a malicious email message that included this link (without the spaces of course)
    https:// bit.ly / 3tlrN22

Testing it with different link expanders showed different results. This link gets re-directed more than once. The first re-direct is to sherlock.scribblelive.com and then to pollongq.world before ending up at google.com, of all places. Some link expanders only show the ultimate destination, hiding the intermediate re-direct URLS. Better ones showed the intermediate re-direct locations.

This is an important difference as the ultimate destination was a safe web site, the malicious URLs were in the middle. The re-direction is apparently programmed to tell the difference between an URL expander and an actual victim. Thus, an URL expander that only shows the ultimate destination is, in effect, lying.

EXPANDERS THAT SHOW INTERMEDIATE URLS

1. urlscan.io is my favorite (see below for more)
2. expandurl.net   See screen shot
3. Redirect Checker from WhatsmyDNS.net

EXPANDERS THAT ONLY SHOW THE FINAL URL

• urlex.org
• unshort.link
• linkunshorten.com
• checkshorturl.com
• URL unshortener from WhatsmyDNS.net

The URL expander GetLinkInfo.com was in a category of its own. It showed the first re-direct, then suffered an error.

WEBSITE RATING SERVICES

Another aspect of this is whether the final destination of a shortened URL is malicious or not. Some URL expanders include this information but these services are dedicated to evaluating websites. And, they also do Link Expanding.

VirusTotal is, perhaps, most famous for evaluating virus software on Windows, but it also offers evaluations of website safety from 90 different sources. In my test case, 4 sources said the URL was malicious and 86 said it was safe. However, it is not clear which URL they are evaluating. It reports that the ultimate destination is google.com which, when evaluated on its own is considered perfectly safe by all 90 sources. The re-direction chain is available in the Details tab.

The best result, with my test URL, was from urlscan.io. See it here. URLscan was the only service that did not report google.com as the ultimate destination. It did show the same first two re-directs (sherlock.scribblelive.com and pollongq.world) as all the other services, but it showed the ultimate destination as trytips-4result.world which it flagged as malicious. You can see the re-direction trail here and here.

- - - - - - - - - - - - - - - - -
In January 2020, Simon Frey (of unshort.link) introduced an extension for Firefox and Chrome that checks short links against a blacklist and prevents them from tracking you.

 

Copyright 2019 - 2023