Aug 18, 2011

Unfurlr: What’s Hiding Behind That Shortened URL?

Shortened URLs might save you precious characters on Twitter, but they can be dangerous. When you click a shortened URL, that link could take you anywhere. You can’t necessarily trust the tweet that goes along with it, because hackers are getting smarter every day. Even the most harmless tweet can include a dirty link that installs spyware, malware, adware, or some other scary kind of ware on your computer. Can’t trust anyone these days.

MailChimp’s latest project has one purpose: to protect you from shortened URL attacks. Unfurlr checks a shortened URL and traces its path, so you know where the link came from and whether or not it’s safe before clicking. We gather all the technical details and content from the link, without loading that content into a browser.

How It Works

If you’re considering clicking a shortened URL from Twitter or somewhere else, just copy the link without clicking, and paste it into Unfurlr. When you check a link, Unfurlr will return the original URL.










We’ll also return a list of the steps that trace back there.










Like many of the Rocket Science Group’s products, Unfurlr got its start as an internal experiment. Last year, we noticed an increase in phishing attacks on ESPs (email service providers). Our tech-support and marketing teams watch MailChimp mentions on Twitter, and we didn’t want anyone clicking an unsafe shortened link. Paranoid employees started asking our technical team to check shortened URLs for them. Our developers got sick of doing that, so they created Unfurlr as a private tool to use within the office. It worked, so we decided we should give it a name and offer it as a free public service.

Our UX team made the site responsive, so it’s easy to use on your mobile device too.










You might be thinking, "But I don’t wanna. It’s an extra step." And to that I say, do it anyway. If it saves you from a virus just one time, it’s worth using every single time you want to click a shortened URL.

What To Look For

A lot of the words you see may as well be Greek. Unfurlr uses the My Web of Trust API to help identify potentially bad domains. The scores are out of 100, and corresponding red and green status lights indicate whether a domain appears to be trustworthy or not. We also display a big warning if My Web of Trust doesn’t have any data for a particular domain—that usually means the domain is either newly registered or newly active.

Also be aware of the number of "hops" a link takes. A lot of phishing attempts go through a URL shortener, and then bounce around several domains before taking you to a particular site. Not good.

As for who’s posting the link, look out for new Twitter accounts that haven’t posted anything else. Oh, and blurry photos of scantily clad women.

Don’t Be Fooled

You might notice that we use Verdana on the Unfurlr site, instead of our standard Helvetica. There’s a reason for that. Check it out:






Notice anything wrong with that link? Looks normal, but it’s actually a trick. Instead of the lowercase L in Mail, I used an uppercase I. Looks the same, doesn’t it? Hackers take advantage of those kinds of ambiguities, which is why our designers went with Verdana for this app. Here’s the same link in Verdana:






As you can see, the difference between those letters is obvious when you use Verdana. It has more distinction between letters, but it still looks nicer than a monospace font. Another trick we’ve seen is "MailChirnp." When you’re clicking a long URL, you might not notice that it’s a combo of "r" and "n" instead of an "m."

At the end of the day, the best advice we can give you is to read the original URL every time.
