Spammers have achieved these shortened URLs through a loophole in the URL shortening service provided by and have collaborated thus enabling anyone to shorten a .gov or .mil URL into a trustworthy URL. Further, according to an explanation provided by, short URLs do not require any log in.

As pointed out by Symantec, beyond the legitimate users, cyber scammers and spammers have found this method of shortening URLs very lucrative. Symantec notes, “By using an open-redirect vulnerability, spammers were able to set up a URL that leads to a spam website.”

Giving an example of how this works, a shortened URL:


would actually redirect to

which in turn would lead to “[http://][REMOVED]/?wwvxo
that is actually a scam website with a news website like front end.

Symantec’s analysis reveals that in the last week alone there were well over 43,000 clicks that were made through shortened URLs that redirected users to 10 spam domains, most of where were from the US.