Scammers use Google Maps to skirt link-shortener crackdown

Scam sites have been abusing a little-known feature on Google Maps to redirect users to dodgy websites. This is according to security company Sophos, which says a number of shady pages are being peddled to users via obfuscated Maps links. According to security shop Sophos, scammers are using the Maps API as a de facto link- …

  1. terrythetech
    Facepalm

    Why? Just why?

    Why do we need link shorteners anyway. Handy if you have to type a URL in by hand but it's a machine that is happy handling long URLs in links. I want to see where the link goes FFS. That and email links where the underlying URL doesn't match the text that looks like a URL. Even UK police do that in their email warnings about scams.

    1. JeffyPoooh Silver badge
      Pint

      Re: Why? Just why?

      Maybe because of http://www.thelongestlistofthelongeststuffatthelongestdomainnameatlonglast.com/wearejustdoingthistobestupidnowsincethiscangoonforeverandeverandeverbutitstilllookskindaneatinthebrowsereventhoughitsabigwasteoftimeandenergyandhasnorealpointbutwehadtodoitanyways.html

      1. JeffyPoooh Silver badge
        Pint

        Re: Why? Just why?

        = https://goo.gl/LZsB6b

      2. Anonymous Coward
        Anonymous Coward

        Re: Why? Just why?

        But is that not what DNS is for? If your Human readable version of the ip lookup table to your webpage is not Human readable... you.are.doing.it.wrong.dotcom!

      3. JeffyPoooh Silver badge
        Pint

        Re: Why? Just why?

        Here: https://tinyurl.com/YouGuysNeedThisNow

    2. Coen Dijkgraaf

      Re: Why? Just why?

      One of the reasons the URL shorteners came about was the character limitations of some messaging systems, e.g. text messages & Twitter.

    3. Daggerchild Silver badge

      Your crime: Being Other

      It's a good thing people don't often get together to decide complicated matters that they have no actual experience or involvement in using or operating.

      Imagine the trouble that could cause!

    4. BongoJoe

      Re: Why? Just why?

      It's handy when some forums, email clients, messaging systems break the VeryLong URL into bits to fit on each line and only the first bit is given the anchor tag which borks the whole URL business.

      I don't use URL shorteners and I never click on them anyway. If I can't see and know where they are pointing at I won't "engage the user experience" </MarketingMode>

    5. Anonymous Coward
      Anonymous Coward

      Re: Why? Just why?

      > "Why do we need link shorteners anyway."

      Ever tried typing in a link to a product page buried half-way down someone's web site, from a printed document? ;) The domain may be short, but the path may be quite long ...

    6. Ol'Peculier

      Re: Why? Just why?

      www.llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.co.uk perhaps...

      1. matjaggard

        Re: Why? Just why?

        Link shorteners are required because Google ranks things higher if they have keywords in the URL, so you need to have long URLs which are then too long for other locations.

      2. GIRZiM

        Re: llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch.co.uk

        URI/URL should be limited to 8.3

        If it worked for DOS, it can work for the web: www.llanfa~1.co.uk

        No need for link shortening - it's already part of the name.

    7. ridley

      Re: Why? Just why?

      Have you ever been in front of a class and tried to get 30+ students to go to the same long form URL within 10 minutes? It is almost impossible. Herding cats is far easier.

      1. Danny 14 Silver badge

        Re: Why? Just why?

        I give students long urls all the time. Input them on firefly for permanent ones or a word doc on the shared drive for others. It stops mistakes dictating an address as they simply click on it.

    8. Rob D. Bronze badge

      Re: Why? Just why?

      Preferred use:

      https://www.google.com/maps/dir/Menlo+Park+Caltrain+Station,+Menlo+Park,+CA,+USA/San+Francisco+International+Airport+(SFO),+San+Francisco,+CA+94128,+USA/Young+Ct,+San+Francisco,+CA+94129,+USA/@37.6234356,-122.4719716,11z/am=t/data=!4m23!4m22!1m5!1m1!1s0x808fa4ae453a8637:0xa0d39978eada388a!2m2!1d-122.1819487!2d37.4541935!1m5!1m1!1s0x808f778c55555555:0xa4f25c571acded3f!2m2!1d-122.3789554!2d37.6213129!1m5!1m1!1s0x808586e29c7dfb41:0xb3504aa846853a9f!2m2!1d-122.4787696!2d37.7922186!2m2!2b1!3b1!3e0?shorturl=1&dg=dbrw&newdg=1

      Who could possibly want to use: https://goo.gl/maps/nyJ2bwBj3xT2

      The issue is not utility - these things are useful. The issue is security and trust.

  2. Bert 1
    Facepalm

    Links are already short

    If you're going to shorten the link to something unreadable and unmemorable, why not cut out the middleman?

    You could use something like https://255.255.255.255 for instance.

    1. ratfox Silver badge

      Re: Links are already short

      The IP address is not guaranteed to always point at the same website, and many websites can have the same IP address.

      In any case, the path after the domain name is often much longer than the domain name.

    2. Field Commander A9

      Re: cut out the middleman

      Because multiple websites are routinely hosted on the same IP and only distinguished by domain names.

      1. Korev Silver badge
        Joke

        Re: cut out the middleman

        That's easy to work around, just set them to 127.0.01

  3. Anonymous Coward
    Anonymous Coward

    If the URL shortening service dies or goes offline, you have no idea what the link points to by looking at it.

    For instance, bit.ly: the .ly TLD is controlled by the Libyan government. I think there was a period when that went offline due to the chaos in that country at the time.

  4. TrumpSlurp the Troll Silver badge
    Paris Hilton

    API?

    The article says that scammers are using the Google Maps API. Then further down it says that it is difficult to police because it doesn't rely on a Google API.

    I is confused.

  5. Charles 9 Silver badge

    URL shortener wouldn't have such a bad reputation if you didn't know where you were going until it's too late. If they at least told you up front where you were going (or at the least didn't block look ahead with ad walls), people would be more accepting of them.

    1. phuzz Silver badge

      The only way to find out where a particular short-URL goes is to try and access it, so either your browser would have to try and access every URL in a page before you read it, or there'd have to be a list of URL shorteners so that the browser only had to check out some of the links on the page.

      1. Rob D. Bronze badge

        Browser add-on like Unshorten.link or similar?

    2. xza-fr
      Linux

      my URL shortener does let you see where you're going

      curl https://xza.fr/$/TESTX

      ^ that's as simple as it is with my new URL shortener: xza.fr

      - all links expire after 100000 epoch seconds (approx 1 day)

      - TLS v1.2 + perfect-forward-secrecy only with HSTS preload embedded in your browsers soon

      - 100% javascript free

      - open source

      - no logs, other than default nginx settings !

      - read more: https://xza.fr/public/htm/about.htm

      I started working on it before Google announced they were shutting theirs down!

  6. handleoclast Silver badge

    Maybe

    Maybe there's a market for a URL-shortening service that doesn't auto-redirect. Instead it pops up an alert giving the real target and asks if you want to go there.

    It wouldn't help the gullible and/or stupid, who'd say "Yeah, of course I want to go to fakebank.com" or those who automatically click through warnings. But for some of us it would be useful. It might even be a way for goo.gl to keep going.

    1. Charles 9 Silver badge

      Re: Maybe

      That's what I was bringing up earlier. If they spelled it out for you, then you have a chance to change your mind. It's the redirect-you-blindly that makes it all dangerous. If there weren't a legitimate need to handle moves, we wouldn't have to keep redirects in the HTML standard.

    2. General Purpose

      Re: Maybe

      TinyURL offers previewing, though they don't promote it as much as they might. https://tinyurl.com/ybdhn32u autoredirects but https://preview.tinyurl.com/ybdhn32u will take you to a tinyurl.com page showing the destination.

      It seems individual users can automatically preview all tinyurl links if they install a cookie in their browser. https://tinyurl.com/preview.php

      1. MrAnonCoward43
        Holmes

        Re: Maybe

        bit.ly does too, just add a plus symbol (+) on the end of any bit.ly link and you can see the full redirect url, the meta info for the redirect page and the stats for the number of clicks. Makes for interesting viewing when seeing how many people click on some dubious links on Twitter etc.

    3. 6491wm

      Re: Maybe

      Tinyurl has the option to turn on previews so if you receive a tinyurl link you see the full URL giving you a chance to make your own mind up on whether to follow it.

      Not a feature useful for scammers though so they probably don’t use tinyurl ;)

  7. doublelayer

    I use a different system

    I know that short links are usually somewhat helpful, so I usually reserve a directory at root of the web server for such a system. For example, example.com/url/* is a shortened link, and I can make it clear what they'll see at that page and logical. People still know that it's my site they're contacting, and although the links may be longer than some of the shorteners out there, they can be quite short because there is no competition that drives up the key length and they will fit into tweets or short messages should someone want to send them.

    1. Charles 9 Silver badge

      Re: I use a different system

      That's a thought at least. It could even be automated somewhat so that each public-facing page has some kind of random key to it which can then be internally spidered and symlinked in some "key" directory off the root to allow for shortened SMS-friendly URLs that still give you a good idea where you're going.

  8. Anonymous Coward
    Anonymous Coward

    Short URLs? Who needs em?

    Damn hipsters and their confounded blazing link shortening widgets!

    In *MY* day there were only 10 websites! And we knew them all by heart! Short URLs?? Let's talk about the short attention spans these under 40 hipsters have!

    1. Charles 9 Silver badge

      Re: Short URLs? Who needs em?

      And I take it you had to hand-chisel every single address every time you had to change sites. To say nothing of virtual keyboards that kept misreading your touches and tiny little micro-keyboards too small for fat fingers...

  9. Anonymous Coward
    Anonymous Coward

    dangerous weapon when misdirected

    Marketing and staff training in a UK retail bank I used to work at was using shorteners for <internal> URLs.

    They didn't think of the fact that the URL shortener might get hacked and someone spin up a perfect copy of the website (as tends to happen with bank sites, don't y'know) with god knows what on it. That and putting info about internal DNS on public shortening service. Fortunately infosec found out about it and killed it.

    AC for the obvious reason.

  10. Aitor 1 Silver badge

    Nothing wrong here

    Just shorten these comments like this:

    http://www.5z8.info/taliban-meetup_l1i6pi_racist-message-board
