Understanding Security Risks of Ad-based URL Shortening Services Caused by Users' Behaviors

URL shortening services enable us to shorten or simplify URLs. Ad-based URL shortening services display advertisements to users who access short URLs and reward short URL creators. However, ad-based URL shortening services have specific security risks that URL shortening services without ads do not, such as displaying malicious advertisements to users. In this study, we reveal previously unknown security risks of these services caused by users' behaviors. We conducted a comprehensive measurement of ad-based URL shortening services. First, we accessed short URLs of these services, clicked buttons on the web pages, and reached the final destinations of the short URLs. Then, we reveal the security risks posed to users by monitoring and analyzing traffic logs when such short URLs are accessed. We found that all services generated an average of 86.5 web requests to malicious domain names per short URL. We then showed the security risk of unintentionally communicating malicious domain names even when users click only on buttons that correctly move users to their desired destinations. Finally, we discuss countermeasures to mitigate these risks from the perspective of each stakeholder in ad-based URL shortening services.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.30(2022) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.30.865------------------------------

URL shortening services enable us to shorten or simplify URLs. Ad-based URL shortening services display advertisements to users who access short URLs and reward short URL creators. However, ad-based URL shortening services have specific security risks that URL shortening services without ads do not, such as displaying malicious advertisements to users. In this study, we reveal previously unknown security risks of these services caused by users' behaviors. We conducted a comprehensive measurement of ad-based URL shortening services. First, we accessed short URLs of these services, clicked buttons on the web pages, and reached the final destinations of the short URLs. Then, we reveal the security risks posed to users by monitoring and analyzing traffic logs when such short URLs are accessed. We found that all services generated an average of 86.5 web requests to malicious domain names per short URL. We then showed the security risk of unintentionally communicating malicious domain names even when users click only on buttons that correctly move users to their desired destinations. Finally, we discuss countermeasures to mitigate these risks from the perspective of each stakeholder in ad-based URL shortening services.------------------------------This is a preprint of an article intended for publication Journal ofInformation Processing(JIP). This preprint should not be cited. Thisarticle should be cited as: Journal of Information Processing Vol.30(2022) (online)DOI　http://dx.doi.org/10.2197/ipsjjip.30.865------------------------------