Select Page

Researchers have discovered that micro-blogging service Twitter is apparently working on a system for filtering malicious URLs, including shortened ones, but it’s a work in progress.

We tried it.

It’s a work in progress.

Shortened URLs are handy in Twitter posts, which are limited to 140 characters. Unfortunately, they are also handy for spammers and botnet operators to obscure malicious links in email.

Mikko Hypponen, chief research officer at the F-Secure security company in Finland, blogged about Twitter’s filtering August 3. Twitter has made no announcement and researchers believe the company is working on the process.

This much is known about it at this point:

— it’s using Google Safe Browsing API to filter links to malicious Web sites listed on Google’s blacklists of sites connected to phishing and malware.

— it stops automatically registered or compromised legitimate accounts from Tweeting known malicious links.

— if the “www” subdomain is removed from a URL, it isn’t filtered.

— a URL with “http://” isn’t filtered.

— the system isn’t linked to StopBadware.org’s database of nearly 400,000 reported malicious sites

— an alert is triggered only for URLs shortened using bit.ly. TinyURL-shortened links are not filtered.

In July, the dark side discovered the potential of micro-blogging sites and the Koobface worm had a field day spreading through automatic Tweets generated from hijacked accounts.

The new system isn’t really advanced at this point, but, a work in progress is better than no security at all.

We’d really like to see Twitter’s system filter URLs with the StopBadware.org’s clearing house and maybe some of the Sunbelt Software ‘Threat Track™’ Data Feeds.

Our demo

To see just how bad the Twitter jungle was, we set up a Twitter account…

… and immediately got several followers, April and Lisa. Wow! Cute girls are interested in ME! April looks, well, sort of animated. She must be psychic though, since she put in a request to follow ME five hours BEFORE I set up my new Twitter account! (Do I hear someone whispering “bot”)?

I checked out her web site by clicking on the xurl.jp-shortened URL. It resolved to xxxblackbook.com. Hmmm, an adult dating web site. There certainly appear to be some uninhibited folks advertising for new friends there, but April doesn’t seem to be among them.


StopBadware.com said xxxblackbook.com was a place where you might want to tread carefully. Sunbelt Labs found that it was associated with malware. They have at least one unsatisfied customer on the ripoff report too.


So, clearly, Twitter’s filtering is a work in progress.

Story here.

F-Secure blog post here:

Tom Kelchner