When it comes to links on web pages and HTML mail, what you see is not always where you go. Hovering over a link is one way to look before you leap.

Could you please describe, or rather, take us through the process of "hovering over" a URL or link in such a way that supposedly 'reveals' its true source or identity. I have tried it but nothing happens ... the URLs' clothing invariably remains implacably and firmly in place, covering the naked body lurking beneath.

There are several ways to look at a link, both in email and on web pages, before you click on it to make sure it is what it claims to be.

There are several ways to hide where links go as well. But the good news is that the most common approaches are the simplest to detect.

So let's go about disrobing those cloaked links.

First a little refresher on what a link really is. There are two parts: the part you see, and the part you don't. For example, if I give you this link:

Ask Leo!

The part you see is "Ask Leo!". The part you don't see is the URL that link takes you to: "http://ask-leo.com". To get just a little geeky for a moment, that link is actually encoded in HTML like so:

<a href="http://ask-leo.com">Ask Leo!</a>

There you can see exactly how both parts, seen and unseen, are encoded.

Now take a look at this example:

www.ebay.com

That looks like a link to eBay, doesn't it? Here's how it's really encoded:

<a href="http://buyleoalatte.com">www.ebay.com</a>

The part you see is "www.ebay.com", but the part you don't see is something else entirely ... it's "http://buyleoalatte.com". So when you click on that example link that looks like it'll take you to eBay, it will instead take you to buyleoalatte.com.

It's a fundamental component of phishing: making it look like you're going one place when instead you're taken somewhere else entirely.

Hovering

Hovering your mouse pointer over a questionable link is one way to determine its validity.

Move the mouse pointer over the link, but don't click. In Internet Explorer you should see something like this:

Mouse hovering over a link

Internet Explorer, and Firefox for that matter, will show you the target of the link in the status bar at the bottom of its window. In this case you can see that my mouse pointer is hovering over the link that says "www.ebay.com", but IE is showing you the URL that you'll really be taken to: http://buyleoalatte.com.

This isn't just about web pages and web browsers either. Email can of course be formatted using HTML, and that's where a lot of these scams happen. Fortunately most email programs behave exactly like the web browsers do: if you hover the mouse over a suspect link, it'll display the true destination of the link, most likely in the status line at the bottom of the email program's window.

Copy/Paste

Another excellent approach to validating a suspicious link is to use copy/paste.

Here's that same fragment which I forwarded to myself as an HTML email, viewed in Outlook Express:

Right Clicking on a link in an HTML email

Here I've right-clicked on the link. One of the options is Copy Shortcut. In other programs, including browsers, that might instead be Copy Link Location or something similar. The important point is that this copies the destination - the part you don't see - to the clipboard.

Then you can right click on the address bar in your browser:

Right Clicking in the address bar

And then click on Paste to paste in whatever was copied:

URL pasted into the address bar

Here you can see what was pasted was the true destination, the part you normally don't see. At this point it's fairly obvious that this link wasn't going to take you to eBay at all, but some other site.

After pasting, if it's a link you want to go to, just press Enter. If not, press ESC and it'll be erased from the address bar.

You can paste that URL wherever you like, by the way. Pasting it into notepad is one common option so that you can see exactly what the destination truly is without risking accidentally going there in the browser.

Are all mismatches bad?

Most assuredly not.

All this is to get you information from which you can make a decision, but it actually doesn't mean that every time things don't match it's a scam or something nefarious.

Here's one example of my own:

Amazon Kindle

That looks like a link to the Amazon Kindle, and in fact if you click on it that's exactly where you'll land: the Kindle product page on Amazon.com. However if you hover over that link as we've discussed here, it actually goes to "http://ask-leo.com/d-kindle". So what's the deal?

If you've ever used a service like tinyurl.com or snipurl.com to make an excessively long URL into something shorter that you can email, this is the same idea. I have my own private equivalent of a snipurl. In all these cases there's a database that maps a short URL or token to the original longer one. When you go to the shorter URL, the service automatically and transparently redirects you to the longer destination URL.

So in my case, these two are identical:

Amazon Kindle
Amazon Kindle

Hover over each and you'll see that they're quite different, but click through and you'll see you end up at the same place.

I point all this out because it's extremely common to do this, particularly in newsletters and other legitimate marketing mails. Links are often routed through third party services, not just for shortening, but also for tracking. For example, as I'm writing this I can tell you that yesterday 6 people clicked on my Kindle link elsewhere on Ask Leo!. That tells me how popular the link is. Similarly I can tell you that over 1,000 people clicked on my links to TweakUI in the last week.

So how can you tell what's legitimate?

It's not always easy, but certainly the majority of the time it actually is. I'd be suspicious of things like:

  • Obvious misdirection - if the "part you see" looks like a URL or domain name like "www.ebay.com", then the destination, the "part you don't see", should match.

  • Links to IP addresses - if the destination is an IP address, something that has only numbers like this: http://72.3.133.152, then don't trust it. Legitimate sites will always have actual textual domain names.

  • Links to foreign domains - with all due respect to the legitimate businesses in those countries, destination links to domains that end in ".ru", ".cn", (Russia and China, respectively) and so forth should be suspect. Certainly if you don't expect to be taken to a web site in a foreign country, then this should raise a red flag.

There are others, but those are by far the most common.

And again, any one of those doesn't mean that the link is a scam, it just means that it fits the characteristics of links that are. It means that you should pay a little more attention before clicking through.
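
The three warning signs listed above can also be checked mechanically against the HTML of a message or page. The following Python is an added example, not code from Ask Leo!; the names LinkCollector, host_of, is_ip, check_links and UNEXPECTED_TLDS are illustrative assumptions, and the sample HTML is constructed from the article's own example links.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

UNEXPECTED_TLDS = {"ru", "cn"}  # the article's two examples; an adjustable assumption

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):  # hostname minus "www." if value looks like a URL/domain, else None
    if " " in value or "." not in value:
        return None
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    return (host[4:] if host.startswith("www.") else host) or None

def is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def check_links(html):
    """Return (text, href, flags) per link; flags mirror the article's three warning signs."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for text, href in collector.links:
        dest, shown = host_of(href), host_of(text)
        hits = {"text-mismatch": bool(dest and shown and dest != shown),
                "ip-address": bool(dest) and is_ip(dest),
                "unexpected-tld": bool(dest) and dest.rsplit(".", 1)[-1] in UNEXPECTED_TLDS}
        results.append((text, href, [name for name, hit in hits.items() if hit]))
    return results

# Constructed sample built from the article's own example links.
SAMPLE = ('<a href="http://ask-leo.com">Ask Leo!</a> <a href="http://buyleoalatte.com">www.ebay.com</a> '
          '<a href="http://72.3.133.152">Log in</a> <a href="http://ask-leo.com/d-kindle">Amazon Kindle</a>')
```

Only link text that itself looks like a URL or domain is compared with the destination, so the "Amazon Kindle" redirect link is not flagged, matching the point that not every mismatch is a scam.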

Article C3241 - December 18, 2007

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

5 Comments
Ken B
December 19, 2007 7:33 AM

Just remember, the information displayed in the status bar when hovering can be replaced with JavaScript. For example, it's possible to have "www.ebay.com" appear in the status bar while hovering, yet still go to the phisher's site.

Using the right-click and "copy shortcut", "copy link location", or whatever your browser calls it, is more accurate.

Leo A. Notenboom
December 20, 2007 10:47 AM

Absolutely.

The good news is that it's rarely used, and if in email many email clients don't
run the javascript, rendering that technique useless.

But you're quite right, it can be done.

Leo
Ron Barker
December 22, 2007 12:52 AM

Well I get nothing when I hover over the 'disguised' links!

Geoff Walker
December 24, 2007 10:57 AM

Another red flag is when the "part you don't see" ends with an executable file such as "card.exe". This is the case with a Hallmark e-card phishing email that's been appearing in my inbox for several months. Basically, never click on a URL that ends in ".exe".

Robert George
December 29, 2007 2:09 AM

Just to say thank you for the explanation