Phishing with TinyURL.com - A True Story

Phishing attacks come in too many varieties to list here, but they all share a common purpose in that the scam is designed to steal your personal information. With a phishing attack, you could be tricked into giving up your username and password to a website, or even go so far as to give away banking and credit card information. Sometimes the phishing scheme is performed by thieves wishing to get some kind of financial gain, and other times phishing is done as an attack on a particular website in order to steal account info and discredit users.

Just recently, I was the victim of a phishing attack designed to steal login information for a website with thousands of users. For security reasons, I will not name the site, because what happened with the phishing attack could have been done anywhere. It is somewhat embarrassing for me to admit that even I fell for the phisher’s scheme when you consider how many articles I’ve written here about computer security. You’d think I would know better, and I do know better, but this particular attack was designed to prey upon the users of that site in a way that even caught some employees off guard.

The phisher launched the attack by sending a seemingly innocent message to several dozen private email addresses belonging to members of the site. These email addresses were all readily available from the user’s profile page on the site, so it was public contact information. On this site, it is a fairly common thing for users to email each other links to other content within the site because there is no internal messaging system. This email contained a link that had been shortened using TinyURL.com.

The TinyURL link took the user to the site, but had an additional line of code that processed a JavaScript application that captured the site’s cookie data (username and password) and placed it in a text file on another website. In this case, it was a free website service. By clicking on the TinyURL link, I gave the phisher my login and password to the site, via my own cookie. The cookie data is encoded in a way that you can’t just read it like plain English, but all you have to do is use a cookie editor to copy and paste the captured data into another cookie and the site will show you logged in as whoever’s cookie data you used.

What really burns me up about all this is that I did verify the destination of the TinyURL link and it actually looked good. I used two different ‘decoder’ sites that let you preview where the link points to before you actually click on it, and both decoders showed the link as going to the correct site. What the decoders did not show was the additional information that included the JavaScript and cookie capturing code. Even though I tried to verify the TinyURL link, I still had no way of knowing what was going to happen when I decided to click the link. It was then that I saw the full link with the additional cookie capturing code in the window at the top of my browser, and I knew that I had made a huge mistake.

As soon as I realized what was happening, I started getting word out that a scam was under way and that anyone who had clicked on the link should change their password immediately. I then notified the free website service what the user was doing and also notified the free email service from which they had sent the original message. The free website was shut down soon thereafter, but the last time I checked that cookie capture text file, there were over two dozen people who had clicked the link. As of this writing, I don’t know of anyone who actually had any problems on the site, thanks to some security changes enacted to prevent this person from doing anything with the phished account information.

How will I avoid this sort of thing in the future? I have now made it my personal policy to never click on TinyURL or any other link shortening type web links, because you just don’t know what you’re clicking on. I understand the purpose of shortening URL’s for sites like Twitter or for sharing links between mobile devices, but I just don’t think the convenience is worth the potential risk. Sometimes even ones you think are safe - like when you actually use a decoder to verify the link - can still contain malicious code.

If someone sends you an email with a link that uses any kind of link shortening service, my best advice is for you not to click on it. Even if it is from someone you know or someone you think you know, you should not take the chance. What happened here is a good example why maybe you shouldn’t store login and password information in your browser. It is a hassle to have to log into every website you visit, but it is a much more secure way of doing things.