It seems it's been shut down already [1] --apparently after threats of legal action. I can see though how such a site would easily become a major liability honeypot for anyone.
I think a lot of us have come up with variations on this idea over the years. (I know I have. The holy grail is surreptitiously installing a Greasemonkey script on a co-worker's computer, so that the URL is the real URL.)
But what's changed in the last year or two is that people are now much more familiar with URL shortener links. Every major media site is using them, and just about everybody understands what their purpose is.
I can totally see how someone who would spot a phishing page from a mile away because of the strange URL might overlook the fact that a URL shortener doesn't actually redirect you to the legit page, but rather presents a spoofed version.
I tried it on a tech-savvy friend, taking a news story about GM firing engineers over the recall and changing the headline to say that they fired Bob Dole. His immediate reaction was to think that the WSJ got hacked, with the secondary possibility that Bob Dole really did work for GM somehow. He didn't realize what was going on until I posted a second version saying he had been fired by GM.
I see that SHRTURL deleted the page title, which users might also notice – but it’s better than keeping the original title, which would now be wrong. SHRTURL also can’t handle GitHub’s custom font with which they render their icons, so the site logo is missing. And you are logged out in the linked page, which is pretty visible, but there’s no way SHRTURL could get around that.
The OP's site is really clever. Your GitHub page shows that it significantly lowers the barrier to MTM attacks. I wonder what ways there are to protect users against this kind of spoofing.
Oh yeah. What amuses me even more is people finding a link to an Onion-style blog post and not realising that it's parody/sarcasm/whatever (e.g. Swedish House Mafia is sued by Swedish Mafia for copyright infringement).
Sometimes I point that out, and usually get a response "how do you know it's not real? do you know all the news of the world?". People like that make me believe in the trolling power of this tool.
Well, and given recent UI changes to the address bar from both Apple [0] and Google [1] - I'd say that people will begin paying even less attention to URLs.
As I understand it, phishing is when you obtain sensitive information from a user while impersonating a site the user trusts. I don't suppose there's any exchange of sensitive information taking place here (nor is it possible if I am not mistaken, unless the website creator has any bad intent).
Removing http:// from the url was bad enough. Now they are going to only show the domain? I'm so glad I don't use chrome anymore. It's this kind of obnoxious "we know better than you and won't let you configure otherwise" bullshit that made me hate it.
Even if it was customizable, the defaults are something most people don't change.
Case in point: IE Toolbars. People hate them but never remove them. Ever. Even as those toolbars are making their browser take minutes to load any page.
That used to be true, but these days IE is pretty aggressive about disabling things, and telling you when they're slowing you down. Doesn't help everyone but seems to help some.
Using github.io? As the URL bar loses importance then people will just tend to ignore it, and on first glance (and probably for anyone who's not familiar with github pages) they will both look as valid.
You can't use github.io, only [project-name].github.io. Sure they could use a fake-but-similar project name, but then again, they already could with github.com/[project-name]. I don't see the big difference for the user.
If you're feeling particularly nefarious, run the URL that Shrturl.co gives you through often used and more readily "trusted" shorteners like bit.ly or tinyurl.com.
Apologies for flagging it but it looked good enough that I thought some real damage might come of it. YC being implicated in a thing like that would have looked really bad.
You really shouldn't have used a real person's byline there, that made it much more believable. Still, kudos for the prank, it was funny, especially the insane valuation.
One suggestion. Put an annoying top menu / banner up and pretend to load the target content in a frame. There are some url shorteners / sites that do that sort of thing. To a lot of people it will be annoying, but it will hide the fact that they're not actually being served from the target web site.
Fun: FF 29.0.1 (Windows 7) doesn't apply, I'm guessing, the link CSS, so everything is bright blue links and looks really fake. Refreshed the page a few times to check, it stayed.
Warning: file_get_contents() [function.file
get-contents]: php_network_getaddresses: getaddrinfo
failed: Name or service not known in /nfs/c04/h02/mn
/180736/domains/shrturl.co/html/create.php on line 18
Warning: file_get_contents(http://gnehmeh)
[function.file-get-contents]: failed to open stream:
php_network_getaddresses: getaddrinfo failed: Name or
service not known in /nfs/c04/h02/mnt/180736/domain
/shrturl.co/html/create.php on line 18
Their site allows for exactly this kind of modification but, being a commercial startup, is much more polished. They already solved problems 2 and 3 for you and you can use that tech through the API.
Bitdefender Free Edition blocks http://shrturl.co/ (says it's phishing) but doesn't block http://shrturl.co/AtYui or other short URLs generated with the site. Seems like pretty poor logic.
Well, every shortened URL I want to access goes through http://unshort.me/ . Not only do I not like surprises, but I also hate being tracked for no reason, and I'm hoping unshort.me doesn't send everything their way anyway.
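A check along the lines discussed in this thread, added here as an example and not code from any commenter or from unshort.me: it follows a short link's redirects by hand and reports whether the page ends up being served from the shortener's own host instead of from a redirect target. The names `expand`, `http_fetch`, `sample_fetch` and the `.example` hosts are constructed for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def http_fetch(url, timeout=5):
    """Live fetcher: one HEAD request, never follows redirects itself."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, {"Location": resp.getheader("Location")}
    finally:
        conn.close()

def expand(url, fetch=http_fetch, max_hops=5):
    """Return (verdict, final_url, hops) for a short link.

    fetch(url) must return (status, headers) without following redirects.
    """
    start_host = urlsplit(url).hostname
    hops = [url]
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = headers.get("Location")
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)      # Location may be relative
            if url in hops:
                return "loop", url, hops
            hops.append(url)
            continue
        if status != 200:
            return "error", url, hops
        # A 200 on the shortener's own host means it serves the page itself,
        # so the content cannot be assumed to match any third-party original.
        same_host = urlsplit(url).hostname == start_host
        return ("served-by-shortener" if same_host else "redirected"), url, hops
    return "too-many-redirects", url, hops

# Constructed responses so the example runs offline.
SAMPLE = {
    "http://short.example/abc": (301, {"Location": "https://news.example/story"}),
    "https://news.example/story": (200, {}),
    "http://spoof.example/xyz": (200, {}),
    "http://loop.example/a": (302, {"Location": "/a"}),
}

def sample_fetch(url):
    return SAMPLE.get(url, (404, {}))
```

Some servers answer HEAD differently from GET, so a live result of "error" is worth rechecking with a GET before drawing a conclusion.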
Warning: mysqli::mysqli() [mysqli.mysqli]: (42000/1203): User db180736 already has more than 'max_user_connections' active connections in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/inc/bootstrap.php on line 18
Warning: mysqli::mysqli() [mysqli.mysqli]: (42000/1203): User db180736 already has more than 'max_user_connections' active connections in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/inc/bootstrap.php on line 18
Warning: mysqli::real_escape_string() [mysqli.real-escape-string]: Couldn't fetch mysqli in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/view.php on line 6
Warning: mysqli::query() [mysqli.query]: Couldn't fetch mysqli in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/view.php on line 7
Fatal error: Call to a member function fetch_object() on a non-object in /nfs/c04/h02/mnt/180736/domains/shrturl.co/html/view.php on line 9
It could but should not. A better product for that might be Optimizely, where you can use your actual URL. However, I once worked with an extremely obsessive owner of a business and she sat by me each time I made any changes to the copy on the website to make sure it flowed correctly when in situ. I would have sent this to her to make my life a little easier had it existed back then.
Actually, surprisingly good for our marketer/designer to quickly mock up small changes to our landing page. We wouldn't share it publicly, but for internal use kinda neat.
[1] http://t.co/ctKD8VcLpp