Spammers Using Shortened .gov URLs


Source: How Google+ Punk’d The Oatmeal
When StumbleUpon did its big rebranding, reorganizing and redesign late last year, we figured that the 20-million-plus discovery engine was done making big changes. At least, for a little while. Boy, were we wrong.
The newest SU update removes all direct links. Previously, once you were inside StumbleUpon, you could “X” out the page and go straight to the original site. Now if you’re logged in, you have to stay in the iframed version of the site. There is one way to get out, but it’s super clunky.

As you can see, there’s no “X” option. If you want to go to the direct link, you’ll have to copy and paste out the link above and delete the StumbleUpon URL. Here’s what one of those clunky SU links looks like:
http://www.stumbleupon.com/su/1PrjAd/www.modernarttimeline.com/
Would you really take the time to copy and paste the tail of that link into another tab or browser? That’s what it’ll take to get the direct URL.
StumbleUpon is trying to build up its ecosystem, keeping users inside rather than sending them out to the Web and other social sites. By keeping everyone inside, StumbleUpon will no longer offer the prized SEO value that it once did. This will negatively impact referral traffic, especially for sites that rely on StumbleUpon for that nice traffic jolt.
Remember when this happened at Digg? Users revolted, and then-CEO Kevin Rose decided to make the DiggBar optional. Rose even said that framing content “is bad for the Internet.”

A phishing attack aimed at new Mac users was launched the week after Christmas, looking to obtain the credit card information of people signing up for a new Apple ID. The well-timed attack tries to redirect users signing up for an Apple ID to a phishing site designed to look like the Apple sign-in page, asking users to update their account information.
Security firm Intego found the attack and posted the information on its company blog. The phishing email comes from applied@id.apple.com. This should give users their first pause, as all Apple emails come from the @apple.com domain. The next red flag is that the URL that users are getting redirected to is not an apple.com address but rather goes to a numbered IP address.

Source: Intego
The sign-in page asks for users’ profile information, including the credit card information that is tied to an Apple ID account.
One of the first rules users should be aware of when checking for malware and spam in email is to hover over a suspicious URL to see the location of the URL they are about to click. Telltale signs of phishing, malware and malicious sites are when the URL does not appear to be headed to an official page from the company in question.

The phishers behind this attack have likely been sitting on it a while, waiting for when users received new Apple products during the holiday season. Malware makers are very sensitive when it comes to the timing of attacks. Zero-day hacks are often stockpiled and unleashed when their impact will be optimal. Other malware and spam attacks are saved up for big news stories, such as what was seen during the Japan earthquake in 2011 or the death of Osama bin Laden. Spammers will then hit search engines with poisoned results and attempt to fill email inboxes with links to malicious sites. While the phishing attack aimed at Apple users was not a zero-day attack, it is an example of phishers knowing when the best times are to launch an offensive.
Did you encounter an email similar to this last week? What other phishing attempts have been made against your inbox recently? Let us know in the comments.
Source: Phishing Attack Aimed to Obtain Apple Users Credit Card Information


Source: Facebook’s URL Scanner Vulnerable To Cloaking Attack
Part of the series of music and entertainment related startups backed by Lady Gaga’s manager Troy Carter, Bre.ad is a URL shortener that hopes to be your own personal billboard. The concept behind Bre.ad is that users can create “toasts,” or their own personalized advertisements for causes, brands or themselves and gain exposure for those toasts by shortening and sharing links using the service (for example). Users can also choose to share other people’s toasts through the site.
Users who sign up for an account on Bre.ad.com can upload their custom image and message and can shorten a link with Bre.ad by either typing Bre.ad/ in front of the URL or using the interface on the site. When users share the link on Facebook and Twitter, their friends and followers will see their “toasts,” or the Bre.ad billboards, for five seconds when they click on the link. Users can also follow people on Bre.ad to keep tabs on their link sharing activity onsite.
Founder Alan Chan tells me that despite a glutted URL shortener market, demand for a platform that allows you to market products through sharing links is high and 10K people signed up in the first four days. Beta users shared a Bre.ad link every 10 to 15 minutes on Twitter and the initial beta testing crop included Lady Gaga and 50 Cent.

While there are plenty of alternative URL shorteners such as Bit.ly and Goo.gl and even Twitter’s own offering, Chan says that the competitive advantage of Bre.ad is the digital billboard/ad part, what he calls a “visual extension of your Twitter feed.” He likens the startup to a cross between About.me and Bit.ly.
Chan hopes eventually to monetize the service by providing premium features like user acquisition analytics, optimization and other perks to people who want to promote content through the URL shortener: “If you’re a clothing company you can put your messaging in front of a cool music video … If I’m following you then I care about the things you care about, it’s like a visual tweet at that point.”
Source: Bre.ad Launches URL Shortener That Wants To Be Your Own “Personal Bilboard”
Twitter has been developing a lot of new core products recently that used to be filled through third-party applications. Yesterday, the company introduced a new feature to Twitter.com – automatic link shortening.
If you wanted to shorten a link within Twitter.com before, you had to use a link shortening service like Bit.ly or TinyURL and paste the link into the edit tweet field. Twitter will now truncate URLs that are longer than 13 characters and give them a t.co ID (Twitter’s URL shortening handle) while keeping the original URL intact so you know where the link originated.
Twitter will not provide analytics for its URL shortening service. In a blog post announcing the new service, Twitter said that “you can continue to use your favorite third-party link shortening services” if you want analytics for short URLs.
Security was also on Twitter’s mind. All links shortened through Twitter.com will be checked against the company’s database of malicious URLs. Twitter will shorten URLs to 19 characters so that they will contain the primary stem of the link that is being shortened. One of the primary problems with short links on Twitter is that third-party links from services like Bit.ly could come from anywhere. Many publishers use custom or vanity URL shorteners to avoid the problem. Google also allows publishers to shorten URLs through Goo.gl.

There are also spammers to worry about. Last week it was reported by security company Symantec that spammers are creating new and sophisticated ways to use public URL shorteners to redirect their phishing targets to malicious websites.
This is another rollout of a core feature by Twitter that was filled primarily by a third-party service. Last week the company launched hosted photo sharing, going after the likes of TwitPic and YFrog along with better search functions. This week it is URL shortening. What core service will Twitter unveil next week?
This may be one of the first features that Twitter is implementing from its acquisition of TweetDeck. The Twitter desktop client has shortened URLs within the edit tweet field almost since its inception.
In another step towards filling all its holes, Twitter has just announced its own link shortening service which starts rolling out today. The Twitter link shortening service will pass through t.co and shorten links to 19 characters, still allowing users to see what site the links are pointing towards (see above).
From Twitter support, on how to use the new shortener:
Start typing or paste a long URL into the Tweet box.
After you’ve entered the first 13 characters of a URL, a message will appear at the bottom of the Tweet box, letting you know that the link will appear shortened. (Fig. 1)
Notice that even if you’ve reached the character limit, you can continue to add text to the URL with no consequence.
Once the Tweet is posted, it will be assigned a t.co link ID, but the link will appear as a shortened version of the original URL, so people who see your Tweet will know the site they are going to (Fig. 2, above).
Yep! It’s now that easy.
In an afterthought, Twitter users are still referred to third party apps like Bit.ly if they want analytics surrounding their links. [Insert well-trodden assertion that Twitter is breaking the hearts of its developer ecosystem here.]