Russia’s election hack confirms we need to rethink URL shorteners

GitHub’s new employee IP agreement lets employees use company computers for personal projects.
Image: AP Photo/Damian Dovarganes

Russian intelligence groups may have pulled off one of the most publicized hacks in geopolitical history, but they didn’t even have to crack Google’s servers to do it. Instead, they duped unsuspecting email users with something you see all day every day online: shortened links.

Spearphishing—sending links via email that open malicious websites masquerading as legitimate ones—was the chief tactic used by at least two intelligence agencies involved in the hacking, according to a new report (pdf) from the US Department of Homeland Security and the Federal Bureau of Investigation. Such links might lead to, for example, a page that looks a lot like a Facebook sign-in. The victim, thinking they got logged out somehow, enters their username and password, which is then sent to the hackers, who use it to gain access to their private information.

According to the report, deceptive shortened links were heavily used by at least one of the two Russian groups that stole DNC emails. This is mainly because link shorteners, such as or Google, obscure the real URL of the target website. In other words, the technology behind getting Rickrolled might have influenced the US election.

This isn’t the first time URL shortening has come under scrutiny. Earlier this year, security researchers showed that shortened URLs revealed personal information, like the sharer’s home address, and provided access to private documents. And while many sites and people originally used short URLs to track data on their links, or to get around character limits on social media, sites like Twitter and Facebook have solved the problems that link-shorteners were made to skirt. Analytics and truncated links now come standard.

So how to defend against these attacks, not just from politically minded Russians, but anyone trying to scam credentials?

The FBI and DHS recommend paying closer attention to the URLs of websites, noting misspellings, and watching out for “.net” suffixes instead of “.com.” That same logic can be applied to senders: If you don’t recognize or trust the person who sent you a shortened link, don’t open it.
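An added example, not from the article or the DHS/FBI report, that turns the advice above into a check a mail filter or browser extension could run on a link target: shortener hosts are reported as hiding their destination, a swapped suffix such as .net for .com is flagged, and one-character misspellings of a trusted domain are flagged. TRUSTED_DOMAINS and SHORTENER_HOSTS are constructed lists for the example; a real deployment would first expand a shortened link to its final destination.

```python
from urllib.parse import urlparse

# Constructed list of domains the user actually expects to sign in to.
TRUSTED_DOMAINS = {"facebook.com", "google.com", "accounts.google.com"}

# Constructed list of shortener hosts; the true destination is hidden behind them.
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def _registrable(host: str) -> str:
    """Last two labels of a host: 'login.facebook.com' -> 'facebook.com'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single typo (swap, insert, delete) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'shortened', 'trusted', 'lookalike' or 'unknown' for a URL."""
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENER_HOSTS:
        return "shortened"  # destination hidden; expand it before trusting it
    if host in TRUSTED_DOMAINS or _registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a leading label of an untrusted host,
    # e.g. facebook.com.evil.net, is a classic spoof.
    if any(host.startswith(t + ".") or ("." + t + ".") in host for t in TRUSTED_DOMAINS):
        return "lookalike"
    name, _, tld = _registrable(host).rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = _registrable(trusted).rpartition(".")
        if name == t_name and tld != t_tld:
            return "lookalike"  # e.g. facebook.net instead of facebook.com
        if _edit_distance(name, t_name) == 1:
            return "lookalike"  # e.g. faceboook.com, one character off
    return "unknown"
```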