Softpedia
 


December 6th, 2010, 10:36 GMT · By

McAfee's URL Shortener Can Be Used to Help Attacks



McAfee's URL shortening service can offer false sense of security
In an example of how a PR idea can turn against the company it was meant to promote, McAfee’s allegedly secure URL shortening service can be used by phishers to bypass URL filters and enhance attacks.

The security giant launched its own URL shortener, called mcaf.ee, back in September, based on an idea from its French PR team, who figured the company has an advantage over the many similar services already out there, namely security.

It’s well known that URL shorteners are commonly abused to spread malicious URLs on social networks, instant messengers, or email, and McAfee does indeed have a good insight into such attacks.

It has the means and technology to scan websites for malicious behavior, so in theory it should be able to offer a pretty secure URL shortening service.

Phishing URL blocked by Facebook
But nothing is perfect and McAfee's PR team failed to consider what happens when the company's scanners get it wrong. However, some researchers from M86 Security did and made their findings public.

To exemplify, they used a phishing URL that was being blocked by Facebook for abuse. When users click on links to external sites on Facebook, they are taken to them through a redirect script.

This allows the social networking site to block access to bad URLs and post warnings like: “The link you are trying to visit has been reported as abusive by Facebook users.”

Phishing URL missed by McAf.ee
So what happens when the same phishing URL, shortened with mcaf.ee, gets clicked on Facebook? The site's URL filtering is bypassed and users are allowed to visit the destination.

And that’s not all. Unlike other URL shorteners, McAf.ee opens the destination page inside a frame in a StumbleUpon-like style. The implication of this is that users don’t see the site's URL where they expect it to be, in the browser’s address bar.

The destination URL is mentioned on the McAfee-themed header applied over the page, but it is eclipsed by a big green checkmark button and its associated message reading “This Site is Safe.”

McAf.ee is still a beta product, so hopefully, before it goes final, if it ever does, the company can rethink the parts of this implementation that can give users a false sense of security.
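
The filter bypass and the framed destination described above share one defensive lesson: a link filter has to judge where a link ends up, not only the URL that was posted. The sketch below is an added example, not code from Facebook, McAfee or M86 Security; the hosts, the blocklist and the `FAKE_WEB` table standing in for HTTP fetches are constructed, and it assumes the shortener page exposes the destination as a frame `src`.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample data standing in for live HTTP fetches (runs offline).
# Each entry: url -> (status, Location header or None, HTML body).
FAKE_WEB = {
    "http://short.example/abc": (200, None,
        '<html><body><div>This Site is Safe</div>'
        '<iframe src="http://phish.example/login"></iframe></body></html>'),
    "http://redir.example/x": (302, "http://short.example/abc", ""),
    "http://phish.example/login": (200, None, "<html><body>login</body></html>"),
    "http://news.example/story": (200, None, "<html><body>story</body></html>"),
}
BLOCKED_HOSTS = {"phish.example"}  # constructed list of hosts reported as abusive

class FrameFinder(HTMLParser):
    """Collects the src attribute of every <iframe>/<frame> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("iframe", "frame") and src:
            self.sources.append(src)

def expand(url, fetch=FAKE_WEB.get, max_hops=10):
    """Return (urls reached via redirects or frames, True if the walk was cut short)."""
    seen, queue = [], [url]
    while queue and len(seen) < max_hops:
        current = queue.pop(0)
        if current in seen:
            continue  # redirect or frame loop
        seen.append(current)
        status, location, body = fetch(current) or (0, None, "")
        if status in (301, 302, 303, 307, 308) and location:
            queue.append(urljoin(current, location))
        else:
            finder = FrameFinder()
            finder.feed(body)
            queue.extend(urljoin(current, s) for s in finder.sources)
    return seen, bool(queue)

def is_blocked(url):
    """Block if any hop or framed page is on the blocklist; fail closed if unresolved."""
    hops, unresolved = expand(url)
    return unresolved or any(urlsplit(u).hostname in BLOCKED_HOSTS for u in hops)
```

A filter that only compared the posted URL's host against the blocklist would pass `http://short.example/abc`; following the redirect alone would also miss it, because the destination here is reached through a frame rather than an HTTP redirect.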
