Google recently announced it was shutting down Goo.gl, its URL shortener service. Going forward, you’ll find short-link provisioning in Google’s Firebase mobile and web application platform.
So why are we writing about this?
CofenseTM has blogged about attackers using shorteners to mask a phishing link’s destination—typically a link delivering malware or tricking people into giving up credentials on a fraudulent page.
Goo.gl, along with Bit.ly and a few other services, has helped security teams preview the destination of shortened links by adding a + to the end. It’s a big help when investigating links for potential malicious activity.
As Goo.gl retires, will attackers move to other platforms that lack this kind of transparency? Attackers who no longer use Goo.gl links anonymously may well seek alternatives. They have plenty of options.
You have options, too. You can check shortened URLs using link expander services. The expanded URL reveals the true destination. This article in Connect (NYU) is a good overview on using expander services: https://wp.nyu.edu/connect/2017/12/12/the-skinny-on-short-links/
And you can always rely on good old common sense. If an email looks weird, report it. Don’t take any chances!
To learn more about attackers using shortener services to camouflage attacks, read this Cofense analysis.