Short, evil URLs

A business plan for black hats with a modicum of patience

1. Wait for one of the URL-shortening services that has no revenue model to go under.
2. Buy it for $1
3. Buy an exploit for which there’s no patch yet (or wait for a patch release, hire someone to compile it)
4. Insert a new advertising interstitial page with the malware payload, so everyone who hits http:/evilu.rl/as29_1 gets pushed to the malware page and then on to their destination
5. Ta-da! The internet’s deep reservoir of existing unverifiable links now feeds directly into your malware factory and only the most paranoid users (who are likely not clicking on blind links anyway) will stay away.

For added evilness, load the malware only on the redirect to certain sites, which will then be blamed.

The great thing about this is that it’s hard to buy up an existing domain with as wide of an existing link exposure, and really hard to build that kind of link network naturally. It’s almost worth building something like and shaving one or two characters, launching it, and then waiting.

Until someone implements the short URL RFC or otherwise standardizes trustworthy short URLs, this is going to be tempting bad people.