written by: Finn Orfano•edited by: Bill Bunter•updated: 9/10/2010
I was recently targeted in a phishing attempt to steal my login information by capturing cookie data, and it was all done with a TinyURL link. Here's what happened and how you can prevent this from happening to you.
Phishing attacks come in too many varieties to list here, but they all share a common purpose in that the scam is designed to steal your personal information. With a phishing attack, you could be tricked into giving up your username and password to a website, or even go so far as to give away banking and credit card information. Sometimes the phishing scheme is performed by thieves wishing to get some kind of financial gain, and other times phishing is done as an attack on a particular website in order to steal account info and discredit users.
Even I Got Phished!
Just recently, I was the victim of a phishing attack designed to steal login information for a website with thousands of users. For security reasons, I will not name the site, because what happened with the phishing attack could have been done anywhere. It is somewhat embarrassing for me to admit that even I fell for the phisher’s scheme when you consider how many articles I’ve written here about computer security. You’d think I would know better, and I do know better, but this particular attack was designed to prey upon the users of that site in a way that even caught some employees off guard.
How They Did It
The phisher launched the attack by sending a seemingly innocent message to several dozen private email addresses belonging to members of the site. These email addresses were all readily available from the users’ profile pages on the site, so it was public contact information. On this site, it is a fairly common thing for users to email each other links to other content within the site because there is no internal messaging system. This email contained a link that had been shortened using TinyURL.com.
Can You Trust TinyURL?
As soon as I realized what was happening, I started getting word out that a scam was under way and that anyone who had clicked on the link should change their password immediately. I then notified the free website service what the user was doing and also notified the free email service from which they had sent the original message. The free website was shut down soon thereafter, but the last time I checked that cookie capture text file, there were over two dozen people who had clicked the link. As of this writing, I don’t know of anyone who actually had any problems on the site, thanks to some security changes enacted to prevent this person from doing anything with the phished account information.
Avoid TinyURL.com Links
How will I avoid this sort of thing in the future? I have now made it my personal policy to never click on TinyURL or any other link-shortening web links, because you just don’t know what you’re clicking on. I understand the purpose of shortening URLs for sites like Twitter or for sharing links between mobile devices, but I just don’t think the convenience is worth the potential risk. Sometimes even ones you think are safe - like when you actually use a decoder to verify the link - can still contain malicious code.
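The paragraph above mentions using a decoder to see where a shortened link really goes before trusting it. The following is an added example of what such a decoder does, written for this page and not code from the original article or from TinyURL: it recognises a few shortener hosts (a constructed list), then walks the redirect chain one hop at a time by reading only the HTTP `Location` header with redirection disabled, so the final page is never loaded, and finally reports whether the destination host is the site the email claimed to link to (`expected_host` is the reader's own value). The offline check at the bottom uses a constructed redirect table instead of the network.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed list of well-known link-shortener hosts; extend as needed.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "is.gd", "goo.gl"}
MAX_HOPS = 5  # a legitimate shortener needs one or two hops, not many


def is_shortener(url: str) -> bool:
    """True if the URL's host is a known link shortener."""
    host = (urlparse(url).hostname or "").lower()
    return host in SHORTENER_HOSTS


def http_head_location(url: str, timeout: float = 5.0):
    """Real fetcher: send a HEAD request with redirects disabled and return the
    Location header, or None when the server does not redirect."""

    class _NoRedirect(urllib.request.HTTPRedirectHandler):
        # Returning None makes urllib raise HTTPError for 3xx instead of following it.
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None

    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return response.headers.get("Location")
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def expand(url: str, fetch_location=http_head_location, max_hops: int = MAX_HOPS):
    """Return the full redirect chain starting at url, without loading the final
    page. fetch_location(url) must return the next URL or None at the end.
    Raises RuntimeError if the chain exceeds max_hops (loop or evasive hopping)."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if nxt is None:
            return chain
        # Location may be relative; resolve it against the URL that served it.
        chain.append(urljoin(chain[-1], nxt))
    raise RuntimeError("redirect chain longer than %d hops: %s" % (max_hops, chain))


def destination_matches(chain, expected_host: str) -> bool:
    """True if the final hop lands on expected_host (or a subdomain of it)."""
    final_host = (urlparse(chain[-1]).hostname or "").lower()
    expected_host = expected_host.lower()
    return final_host == expected_host or final_host.endswith("." + expected_host)


def check_link(url: str, expected_host: str, fetch_location=http_head_location):
    """Summarise a link: is it shortened, where does it end up, and does the
    destination match the site the message claims to point at?"""
    chain = expand(url, fetch_location)
    return {
        "shortened": is_shortener(url),
        "chain": chain,
        "matches_expected": destination_matches(chain, expected_host),
    }


if __name__ == "__main__":
    # Constructed redirect table standing in for the network (assumption).
    table = {
        "https://tinyurl.com/abc123": "http://login-lookalike.example/index.php",
    }
    print(check_link("https://tinyurl.com/abc123", "example.com", table.get))
```

Run offline as shown, or pass a real URL with the default fetcher to query the shortener itself. A shortened link whose chain ends on a host other than the one the email names, or one that needs more than a couple of hops, is exactly the case the author describes and should simply not be clicked.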
If someone sends you an email with a link that uses any kind of link-shortening service, my best advice is for you not to click on it. Even if it is from someone you know or someone you think you know, you should not take the chance. What happened here is a good example of why you might not want to store login and password information in your browser. It is a hassle to have to log into every website you visit, but it is a much more secure way of doing things.