When I read the tweet announcing a free webinar on small business cyber safety, I wanted to learn more about it.
I’ve attended several of the organization’s webinars in the past, so I knew I would walk away with actionable security tips.
But when I selected the shortened link in their tweet, something unexpected happened.
The link went to one domain I didn’t recognize, which forwarded to another domain.
And then another domain.
Until it finally displayed a link to a survey site.
Which had nothing to do with the webinar.
The shortened link forwarded to four different domains!
None of the domains were owned by the organization announcing the webinar.
I knew something was wrong.
After visiting their website, I found the page for the upcoming webinar.
And replied to their tweet asking about the link:
Is that the correct link? The https://t.co/oj0Ozpw7qo link in that tweet redirects to 4 different domains before sending me to a survey site. Is this correct link for the Sept 11 event? https://t.co/a5vzB2iTXQ
— Deborah Edwards-Onoro (@redcrew) August 20, 2018
Their reply was quick.
It is not. Thank you for alerting us. All promotion including this link is being taken down immediately.
Oops! Glad they acted quickly to remove the malicious link.
Did you notice the organization was StaySafeOnline, powered by the National Cyber Security Alliance?
I have no idea what happened or how an organization dedicated to helping people learn how to stay safe online managed to have a link that redirected to four different domains and not their own site.
Yet it proves one thing: a malicious shortened link can happen to anyone or any organization.
It’s up to you to stay diligent.
Shortened URLs Save Time, But…
So what do you do?
Shortened URLs may save characters when you’re sharing a URL in your blog post or presentation.
But there’s good reason to be cautious, as demonstrated by what happened to me for the security webinar.
Shortened links can send you anywhere.
And that location could be the exact spot a hacker or spammer wants you to visit, so they can install a:
- Tracking app
on your digital device.
Another scenario: a shortened link could be pointing to an 2GB PDF file that is immediately downloaded.
Which might not be an issue on your desktop.
But if you’re on a mobile device, and your expectation was the link was directing you to a web page, you’re going to be pretty frustrated with a 2GB download eating up your monthly data plan.
You want to take steps to protect yourself.
Read on to discover three methods to uncover the original site a shortened URL is pointing to.
Three Ways to Expand Shortened URLs
You’ll find a slew of free sites that expand shortened links. I’ve reviewed over a dozen and these are my top URL expander sites.
1. Link Unshorten
I discovered Link Unshorten earlier this year and it’s become my favorite site for expanding shortened links.
First, it works flawlessly on desktop and mobile.
I come across many shortened links when I’m reading on my smartphone. Link Unshorten makes it straightforward to quickly discover where the shortened link will take me.
Second, Link Unshorten provides a site description, drawn from the meta description of the page. I know more about what I can expect to find on the page.
Third, five different security checks are conducted on the page, with links to the results for your review. Handy, when the expanded link points to a domain you’re not familiar with.
Fourth, the results page includes a screenshot of the shortened URL page. Granted, the screenshot is blurred, but you get a preview of the page’s visual design.
The free Unshorten.It site is straightforward to use.
Add the shortened URL to their Unshorten.It form field and you’ll quickly receive the expanded URL, along with other helpful info including:
- Page description
- Safety ratings
- Screenshot of the page
- HPHosts blacklist listings
Sadly, I’ve noticed lately Unshorten.It doesn’t always provide the screenshot.
Similar to the other two options, you enter the shortened URL you want to expand and LinkExpander displays the original site URL.
In addition, LinkExpander offers:
- Thumbnail image of the URL
- Trust Level of the URL
- Description or keywords, if they exist on the original site
- Whether URL is listed in SpamCop, which lists blacklisted sites
Selecting the Trust Level link directs you to SiteAdvisor, a McAfee online safety check, which scans the URL for any safety issues.
When I tested a shortened URL for my own site, the trust level came up with a rating of “Gray.”
Which didn’t make me feel my own site was trustworthy. To me, gray indicates neither good nor bad for a rating.
When I selected the link for the trust level, I received an all safe message from McAfee, which is good.
I believe LinkExpander would do well to change their rating of “Gray” to a better description.
Shortened URLs can easily mask a malicious site and lead to problems. You always want to know where a shortened link is leading you to.
Use any of the three options I described to expand the shortened URLs you see online. I’d love to know which ones work best for you.
Note: in the past, I recommended DuckDuckGo for expanding URLs. Since it’s no longer providing the full URL in their initial results for a shortened URL, I’m not longer recommending DuckDuckGo.
Originally published August 22, 2018