Threat Intelligence Blog

Posted May 27, 2015

In this three-part blog series, we’ll discuss original research presented by Cyveillance phishing experts at this week’s Anti-Phishing Working Group’s eCrime Symposium in Barcelona.

Cyveillance has been offering anti-phishing services for many years, and as a result, we see thousands of phishing attacks every day. With so much data, we are able to examine patterns and trends in the changing ways criminals operate. This week we presented original research at the Anti-Phishing Working Group’s (APWG) eCrime Symposium on how criminals abuse link shortening services to deliver phishing attacks. This blog series recaps that presentation.

It Starts with a Link

For a phishing attack to work, the bad guys need their victims to click on links in emails, usually spam. Most links to phishing attacks are pretty ugly, like this example of a URL used in an attack against the online payment service PayPal:

http://www.(Domain Redacted).com/modules/mod_latestnews/tmpl/

However, some criminals choose to use shortened links in phishing attacks to evade security filters. This also makes it easier for unsuspecting victims to be fooled into clicking the links, since they don’t see the entire URL.

Which Shortener Services Are Most Abused in Phishing Attacks?

We examined a year’s worth of phishing attack URLs in our database. The most commonly used link shortening service is and, accounting for two of every five phishing attacks that we saw using a shortened link. (We combined and because they are offered by the same parent company; the ranking of link shorteners does not change when their results are not combined.)


GoDaddy’s link shortener was used in almost 15% of such attacks, and Google’s service was used by a little under 10%.

If this breakdown is the same across all phishing attacks, security professionals might tune their inbound email filters to take a closer look at such links entering their organization.

Deep Dive into Shortened URLs in Phishing Attacks

As shown above, we noticed that a fair volume of phishing attacks were abusing Google’s link shortening service, Google offers a URL Shortener API for those wishing to understand more about who clicks shortened links. This offers an unprecedented look into who clicks, what browsers they use, how many clicks URLs received, and more.

In the meantime, we wanted to understand if the brands under attack in such phishing attacks differ when link shorteners are used.

Brands in One Year of Phishing Attacks


Brands in One Year of Attacks


There are interesting differences in the companies targeted by phishing attacks using link shorteners. The ratio of attacks against PayPal, Apple, and Yahoo all essentially stayed the same, while Google dropped almost in half from 9.8 percent to 5.5 percent and Amazon almost quadrupled and AOL doubled.

It’s tempting to speculate that the reason for the decline in phishing attacks against Google accounts is because phishers feared better phishing attack detection and takedown when the link they created using lead to a fake Google login page.

In the next post in this series, we will share further results from our research into phishing attacks, including how many clicks each phishing attack link received, and how often criminals use more than one link for the same phishing attack. Both details have implications for the fight against online fraud.

Our Anti-Phishing solution protects businesses from the earliest stages of a phishing attack, including pharming and malware, to the takedown and removal of phishing websites. Contact us for more information.

Additional Posts

Link Shorteners in Phishing Attacks, Part II: How Many People Click on Phishing Attack Links?

In this three-part blog series, we'll discuss original research presented by Cyveillance phishing ...

LookingGlass Phishing Report: Top 20 Targets – May 25, 2015

  Phishing Report: Top 20 Targets Week of May 17-23, 2015   This week saw more than a ...