Summary: When it comes to links on web pages and HTML mail, what you see is not always where you go. Hovering over a link is one way to look before you leap.
There are several ways to look at a link, both in email and on web pages, before you click on it to make sure it is what it claims to be. There are several ways to hide where links go as well. But the good news is that the most common approaches are the simplest to detect. So let's go about disrobing those cloaked links.

First a little refresher on what a link really is. There are two parts: the part you see, and the part you don't. For example, if I give you this link: Ask Leo!

The part you see is "Ask Leo!". The part you don't see is the URL that link takes you to: "http://ask-leo.com". To get just a little geeky for a moment, that link is actually encoded in HTML like so:

<a href="http://ask-leo.com">Ask Leo!</a>

There you can see exactly how both parts, seen and unseen, are encoded. Now take a look at this example: www.ebay.com

That looks like a link to eBay, doesn't it? Here's how it's really encoded:

<a href="http://buyleoalatte.com">www.ebay.com</a>

The part you see is "www.ebay.com", but the part you don't see is something else entirely ... it's "http://buyleoalatte.com". So when you click on that example link that looks like it'll take you to eBay, it will instead take you to buyleoalatte.com.
It's a fundamental component of phishing: making it look like you're going one place when instead you're taken somewhere else entirely.

Hovering

Hovering your mouse pointer over a questionable link is one way to determine its validity. Move the mouse pointer over the link, but don't click. In Internet Explorer you should see something like this:
Internet Explorer, and Firefox for that matter, will show you the target of the link in the status bar at the bottom of its window. In this case you can see that my mouse pointer is hovering over the link that says "www.ebay.com", but IE is showing you the URL that you'll really be taken to: http://buyleoalatte.com.

This isn't just about web pages and web browsers either. Email can of course be formatted using HTML, and that's where a lot of these scams happen. Fortunately most email programs behave exactly like the web browsers do: if you hover the mouse over a suspect link, somewhere it'll display the true destination of the link, most likely in the status line at the bottom of the email program's window.

Copy/Paste

Another excellent approach to validating a suspicious link is to use copy/paste. Here's that same fragment which I forwarded to myself as an HTML email, viewed in Outlook Express:
Here I've right-clicked on the link. One of the options is Copy Shortcut. In other programs, including browsers, that might instead be Copy Link Location or something similar. The important point is that this copies the destination - the part you don't see - to the clipboard. Then you can right click on the address bar in your browser:
And then click on Paste to paste in whatever was copied:
Here you can see what was pasted was the true destination, the part you normally don't see. At this point it's fairly obvious that this link wasn't going to take you to eBay at all, but some other site. After pasting, if it's a link you want to go to, just press Enter. If not, press ESC and it'll be erased from the address bar.

You can paste that URL wherever you like, by the way. Pasting it into Notepad is one common option so that you can see exactly what the destination truly is without risking accidentally going there in the browser.

Are all mismatches bad?

Most assuredly not. All this is to get you information from which you can make a decision, but it actually doesn't mean that every time things don't match it's a scam or something nefarious. Here's one example of my own: Amazon Kindle

That looks like a link to the Amazon Kindle, and in fact if you click on it that's exactly where you'll land: the Kindle product page on Amazon.com. However if you hover over that link as we've discussed here, it actually goes to "http://ask-leo.com/d-kindle". So what's the deal?

If you've ever used a service like tinyurl.com or snipurl.com to make an excessively long URL into something shorter that you can email, this is the same idea. I have my own private equivalent of a snipurl. In all these cases there's a database that maps a short URL or token to the original longer one. When you go to the shorter URL, the service automatically and transparently redirects you to the longer destination URL. So in my case, these two are identical: Amazon Kindle

Hover over each and you'll see that they're quite different, but click through and you'll see you end up at the same place. I point all this out because it's extremely common to do this, particularly in newsletters and other legitimate marketing mails. Links are often routed through third party services, not just for shortening, but also for tracking.
For example, I can tell you that as I'm writing this, yesterday 6 people clicked on my Kindle link elsewhere on Ask Leo!. That tells me how popular the link is. Similarly I can tell you that over 1,000 people clicked on my links to TweakUI in the last week. So how can you tell what's legitimate? It's not always easy, but certainly the majority of the time it actually is. I'd be suspicious of things like:
There are others, but those are by far the most common. And again, any one of those doesn't mean that the link is a scam, it just means that it fits the characteristics of links that are. It means that you should pay a little more attention before clicking through.
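As an added example (not code from the Ask Leo! article), here is a small JavaScript check that applies the "part you see vs. part you don't see" idea above to the anchors in an HTML mail fragment: it flags links whose visible text names one host while the href goes to another (the eBay example), and hrefs ending in an executable (the ".exe" red flag raised in the comments), while leaving a shortener link like the Kindle one alone because its visible text makes no host claim. The sample markup and the example.invalid host are constructed for the demonstration.

```javascript
// Added example, not code from the Ask Leo! article: apply the article's
// "part you see vs. part you don't see" check to anchors in an HTML fragment.
// SAMPLE_HTML is constructed for this demonstration; example.invalid is a
// placeholder host, not a real site.

const SAMPLE_HTML = `
<p><a href="http://ask-leo.com">Ask Leo!</a></p>
<p><a href="http://buyleoalatte.com">www.ebay.com</a></p>
<p><a href="http://ask-leo.com/d-kindle">Amazon Kindle</a></p>
<p><a href='http://example.invalid/ecard/card.exe'>View your e-card</a></p>
`;

// Matches <a ... href="..." ...>visible text</a>; good enough for mail fragments.
const ANCHOR_RE = /<a\s[^>]*?href\s*=\s*["']([^"']*)["'][^>]*>([\s\S]*?)<\/a>/gi;

// Does the visible text itself look like a URL or a bare hostname?
const LOOKS_LIKE_URL_RE = /^(https?:\/\/)?[\w-]+(\.[\w-]+)+(\/\S*)?$/i;

// Hostname of a URL or bare host, lower-cased with a leading "www." removed;
// null when the text does not parse as a URL at all.
function hostOf(text) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `http://${text}`;
  try {
    return new URL(withScheme).hostname.toLowerCase().replace(/^www\./, "");
  } catch {
    return null;
  }
}

// Classify every anchor: "host-mismatch" when the visible text claims one host
// and the href goes to another, "executable" when the href ends in .exe,
// otherwise "ok". A redirector/shortener link stays "ok" because the visible
// text ("Amazon Kindle") claims no host, which is the legitimate mismatch case.
function checkLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const href = m[1];
    const text = m[2].replace(/<[^>]*>/g, "").trim();
    const targetHost = hostOf(href);
    const shownHost = LOOKS_LIKE_URL_RE.test(text) ? hostOf(text) : null;
    let verdict = "ok";
    if (shownHost && targetHost && shownHost !== targetHost) verdict = "host-mismatch";
    else if (/\.exe(\?.*)?$/i.test(href)) verdict = "executable";
    findings.push({ text, href, verdict });
  }
  return findings;
}

console.log(checkLinks(SAMPLE_HTML));
```

Note that this only reads the markup; as the first comment below points out, what a status bar shows on hover can differ from the href, which is why copying the link location is the more reliable manual check.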
Recent Comments
Just remember, the information displayed in the status bar when hovering can be replaced with JavaScript. For example, it's possible to have "www.ebay.com" appear in the status bar while hovering, yet still go to the phisher's site. Using the right-click and "copy shortcut", "copy link location", or whatever your browser calls it, is more accurate.
Posted by: Ken B at December 19, 2007 07:33 AM

Absolutely. The good news is that it's rarely used, and if in email many email clients don't But you're quite right, it can be done.
Leo

Well I get nothing when I hover over the 'disguised' links!
Posted by: Ron Barker at December 22, 2007 12:52 AM

http://www.geocities.com/terryhollett2003/Phishing.htm
Posted by: Terry Hollett at December 22, 2007 05:58 AM

Another red flag is when the "part you don't see" ends with an executable file such as "card.exe". This is the case with a Hallmark e-card phishing email that's been appearing in my inbox for several months. Basically, never click on a URL that ends in ".exe".
Posted by: Geoff Walker at December 24, 2007 10:57 AM

Just to say thank you for the explanation
Posted by: Robert George at December 29, 2007 02:09 AM