Fight the Urge to ‘Click Here to Get Infected’

Sometimes you can’t trust every link on your Twitter timeline. Yesterday, security researcher Stefan Esser tweeted the following:

Esser is the researcher who developed the Antid0te ASLR utility for jailbroken iPhones. If he helps to protect jailbroken iPhones, why would he want to infect me?

If I didn’t deal with malware on a regular basis, I might not be paranoid about URL shorteners. I know that adding a “+” to the end of these types of shortened URLs will take me to the stats page where I can see the total number of clicks (in this case, just over 150, 15 minutes after the tweet) and the original URL. The page appears to be hosted on his Antid0te site, so it must not be all bad. Time to grab the page source with wget to see what we can find:

If he’s hiding some nasty JavaScript at 157 bytes, it must be pretty compact. Looking at the HTML source file it appears there’s no scripting at all, just a bunch of text within standard heading tags. In fact it contains only the following:

Shortly after the first tweet, he followed up with:

Taking another look at the stats page nearly 24 hours later, the total click count has exceeded 2,700, with more than 100 retweets. That’s a lot of people who got sucked into this prank.

In this case it turns out Stefan is just trying to warn us, if a bit harshly, about carelessly clicking on links. Keep in mind that occasionally our friends’ accounts get hacked; it benefits all of us to be a bit paranoid about shortened URLs.
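
The source check described above (save the page, then look for scripting before opening it in a browser) can be automated for a first pass. The following is an added example, not code from the original post: both sample pages are constructed, and the set of tags and attributes treated as active content is an assumption.

```python
from html.parser import HTMLParser

# Assumed first-pass list of tags that run code or embed remote content.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "applet"}
URL_ATTRS = {"href", "src", "action", "formaction", "data"}


class ActiveContentFinder(HTMLParser):
    """Walks saved page source as text; nothing is rendered or executed."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, description)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append((line, "meta refresh redirect"))
        for name, value in attrs.items():
            # URL parsers drop tabs and newlines, so compare with whitespace removed.
            compact = "".join(value.split()).lower()
            if name.startswith("on"):
                self.findings.append((line, f"inline handler {name}"))
            elif name in URL_ATTRS and compact.startswith(("javascript:", "data:")):
                self.findings.append((line, f"script-capable URL in {name}"))


def triage(source):
    """Return findings for one page; an empty list means no active content seen."""
    finder = ActiveContentFinder()
    finder.feed(source)
    finder.close()
    return finder.findings


# Constructed samples: a headings-only page like the one described, and one with active content.
HEADINGS_ONLY = "<html><body>\n<h1>Constructed heading</h1>\n<h2>More text</h2>\n</body></html>\n"
ACTIVE = (
    '<html><head><meta http-equiv="refresh" content="0;url=http://example.invalid/"></head>\n'
    '<body onload="go()">\n'
    '<script src="http://example.invalid/a.js"></script>\n'
    '<a href="JavaScript:go()">x</a>\n</body></html>\n'
)

if __name__ == "__main__":
    for label, page in (("headings only", HEADINGS_ONLY), ("active", ACTIVE)):
        print(label, triage(page))
```

An empty result only covers the markup in the one response that was saved; a server can return a different page to a browser than it does to wget.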
