October 13, 2009 12:18 PM PDT

AVG LinkScanner can detect malicious short URLs

by Lance Whitney

URL shorteners may be handy for your tweets on Twitter. But they're also known security holes since they don't display the actual address of your destination. A free tool from security vendor AVG may provide a solution.

AVG has updated its free LinkScanner tool to detect malicious pages hiding behind shortened URLs. The company said the tool checks the actual destination of each URL link to make sure the page is legitimate.

More than a dozen URL-shortening services abound on the Net, including TinyURL and Bitly. With its 140-character limit, Twitter automatically shortens URLs in each tweet via Bitly. Other services like WordPress also include a built-in URL shortener.

But Web browsers don't display the true address of a shortened URL, so you have no idea whether or not the destination page is safe. Hackers have easily been able to use the obscure nature of shortened URLs to conceal hazardous Web pages behind them.

"The problem with shortened links is that they usually don't bear any resemblance to the original URLs, which means that users don't always know what they're clicking," said Roger Thompson, chief research officer at AVG Technologies. "People click with the intention of going to a specific site, but the link can be easily hacked to send people to a site containing Trojans, spyware, rootkits, and other malware instead."

AVG, formerly known as Grisoft, bought LinkScanner in late 2007 as part of a larger acquisition. The tool has already proven helpful to Web surfers by analyzing Web pages behind each link that is either clicked on or typed into the browser.

Other solutions do exist to reveal the truth behind a short URL. The Web site LongURL can display the long version of a short URL. A Firefox plug-in called LongURL Mobile Expander can also translate from short to long.

But according to AVG, LinkScanner is now the only security tool on the market that can find poisoned Web pages behind a short URL. The company says it does not rely on blacklists and instead checks each link in real time.

Lance Whitney wears a few different technology hats--journalist, Web developer, and software trainer. He's a contributing editor for Microsoft TechNet Magazine and writes for other computer publications and Web sites. You can follow Lance on Twitter at @lancewhit. Lance is a member of the CNET Blog Network, and he is not an employee of CNET.
by n3td3v October 13, 2009 12:41 PM PDT
This is a ridiculous idea, it should be the folks who offer the shortening services who check every link, not hundreds of thousands of individual clients.

We in the security industry need to put more pressure on the short URL guys to improve security standards, and if they ignore security industry requests, we should bring in legislation to force them to.
by alancarlbrown October 13, 2009 2:10 PM PDT
Absolutely. In fact, this should be a prime differentiator for these services.
by brolouie October 15, 2009 7:29 PM PDT
I absolutely agree with every word you said. It's their (Twitter, et al) responsibility to secure what they themselves automatically change for their users.
by willbw October 13, 2009 12:53 PM PDT
Yea, AVG and AVAST also detect anything that uses a Winsock socket in VB as a trojan so it shows how well they consider their actions.
by tektaktyks October 13, 2009 1:32 PM PDT
I'm using AVG (few years) but I can get 1 year of free Kaspersky 2010, is Kaspersky better?
by egyption1 October 13, 2009 3:05 PM PDT
I do not have a license number for AVG Free.