Link encoding can take on many forms, some of which are normal while others can be manipulated to deceive. I'll look at what you need to watch out for.

Why do so many companies use hidden URLs? The ones that are hidden under some phrase, typically "Click here for more Information!" They are training people to trust what they can't see, which could lead them to a spam/malware site!

It kinda depends on what you mean by "hidden URL".

I say that because I can think of several different kinds and most of them aren't intended to be misleading at all.

In fact, the one that most closely matches your description is the very definition of how HTML and web pages were designed to work.

URLs

A URL, or Uniform Resource Locator, is simply a way to specify a specific something on a network. The most common one that you'll see might be of the form:

http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html

A URL is composed of three parts:

  • http: indicates the protocol or communications language to use when accessing the item: in this case, HyperText Transfer Protocol.

  • ask-leo.com indicates where to find the item: in this case, the server to contact.

  • internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html indicates what to get: in this case, a single text file that happens to contain HTML.

Links

We could, and often do, pass around URLs as references to information on the internet. However, those are kinda ugly, and when specified on a web page or in HTML formatted email, we can do better. In fact, HTML is specifically designed to allow this:

Internet Safety: How do I keep my computer safe on the internet?

That's a link. It has two parts: the display text that you see - "Internet Safety: How do I keep my computer safe on the internet?" - and the target URL that it goes to:

http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html

That makes for significantly more readable text, and a clearer, conceptual association between what you're clicking on and what you'd expect to find at its destination.

Normal Links

As you can see from the example above, links have two parts: the part that you see and the URL that you don't immediately see that is the destination should you click it.

Normal usage doesn't require that they be the same. Internet Safety is a very valid and common link. The idea is that if you click on the link that shows "Internet Safety", you'll be taken to something about internet safety.

That's the closest example to exactly what you've described and all I can say is that it's exactly how links were intended to be used.

Particularly when URLs themselves can be significantly more obscure than those on Ask Leo!, it's intended to give you a clue as to where you're going. For example, given a URL like:

http://www.amazon.com/dp/1937018008/ref=sr_1_1?ie=UTF8&qid=1301333779&sr=8-1

Other than it going to Amazon.com, you have no idea what you'll find when you get there. On the other hand, if I instead give you Maintaining Windows XP on Amazon, you know exactly what you're getting.

Automatic Links

One thing that may confuse you is that many programs, particularly email programs, will make anything that looks like a URL into a clickable link. For example, you may see:

http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html

in an email, but the email program may turn that into a link:

That's exactly like a normal link except that the part that you see is the same as the URL that you'll go to if clicked.

Redirects

A technique used by URL-shorteners, like bit.ly, tinyurl, snipurl, goo.gl and many others, is what's called a redirect. A short URL is created that, when accessed, immediately redirects you to a different, usually longer URL.

I have my own: go.ask-leo.com (aka ps0.us) is a redirector/URL-shortener. So I might provide a link like:

That's a much shorter link, which is less likely to be broken by email text-wrapping, and is easier to use in length-limited environments like Twitter.

Malicious Technique #1: Redirects

Where does this link go?

Answer: You don't know. You won't know until you click on it and land wherever it takes you.

The same is true for any of the URL shortening services. If you see a "bit.ly" link, for example, you have no idea where it's about to take you. Whether you should or shouldn't click on that link is all about how much you trust the place where you found it.

Needless to say, hackers and others with bad intent are saying things like "Win a free iPad: http://some-url-shortener-link", which takes you to a malicious web site when clicked.

Malicious Technique #2: URL hiding

Fortunately, this is a little more obvious, but it's also a very common legitimate technique as well.

Hover your mouse over that link and you'll see that, even though it displays one URL, it actually goes to a completely separate URL.

Many browsers and email programs will warn you in situations like this. But there's a problem: this technique could be used for good or evil:

  • Good: The example above is a common technique to count how many people click that link. The link goes through a URL shortener, but does land on the intended page. This is very commonplace in email newsletters, such as my own, where all the links route through "clicks.aweber.com".

  • Evil: Those with malicious intent display one URL to get you to click, but instead, take you to a malicious site.

In both cases, hovering your mouse over the link should show you, in the browser status line, the actual destination that you'll reach if you click it.
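One way to automate that hover check over a whole HTML email or page is to compare each link's display text with its real target and flag only the links that show one URL while pointing at another host. This is an added example, not code from Ask Leo!; the sample HTML and all `.example` hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Display text that itself looks like a URL or bare host name; group 1 is the host.
URL_LIKE = re.compile(
    r"^\s*(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})(?:[/:?#]\S*)?\s*$", re.I)

class AnchorCollector(HTMLParser):
    """Collect (display text, href) for every <a> element in a document."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def bare_host(host):
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(text, href):
    shown = URL_LIKE.match(text)
    if not shown:
        return "descriptive"   # normal link: words describe the target
    if bare_host(shown.group(1)) == bare_host(urlsplit(href).hostname):
        return "matches"       # what an automatic link produces
    return "mismatch"          # shows one URL, goes to another: tracker or deception

def audit(html):
    parser = AnchorCollector()
    parser.feed(html)
    return [(text, href, classify(text, href)) for text, href in parser.links]

# Constructed sample HTML; every host below is a placeholder.
SAMPLE = """
<p><a href="http://site.example/internet_safety.html">Internet Safety</a></p>
<p><a href="http://site.example/page.html">http://site.example/page.html</a></p>
<p><a href="http://clicks.tracker.example/ct/abc123">http://site.example/page.html</a></p>
<p><a href="http://login.other.example/">www.mybank.example</a></p>
"""
```

A "mismatch" verdict cannot tell a newsletter's click counter from a deceptive link; it only marks the links where the source deserves a second look.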

What To Do?

To begin with, don't panic if the display text for a link is different than the URL. That's normal HTML.

Pay attention to links that display as one URL but take you to another. Those may, or may not, be malicious.

Perhaps the most important thing is to consider the source. If it's a link in a random tweet, email or other posting where you're not at all certain where it came from - don't click. Simple as that. If it's from someone you trust, like perhaps your favorite technical Q&A site or its newsletter, then you're probably safe.

Article - March 31, 2011

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

6 Comments
Ken B
March 31, 2011 12:15 PM

Good article. However, I feel I need to point out something. Where you say:

In both cases hovering your mouse over the link should show you in the browser status line the actual destination of the link should you click it.
Note the "should" in your statement. If JavaScript is enabled, it is possible to override what the browser shows on the status line.

If you're really unsure about the link, it's probably safest to just not use it. However, you can right-click the link and select "copy link" or "copy link location" (the wording varies by browser) and then paste it into the address bar.

Also, I find a program called "Sam Spade" to be quite useful in dealing with URL shorteners. It hasn't been updated in years, but you can get it from MajorGeeks.com, and it can show the raw HTML from a web page, including the redirection info. For example, the URL under "malicious technique #2" clearly shows the redirection:

Location: http://go.ask-leo.com/cgi-bin/redirdb.pl?isafety
which, in turn, will show:
Location: http://ask-leo.com/internet_safety_how_do_i_keep_my_computer_safe_on_the_internet.html

Bob
April 1, 2011 2:17 AM

The malicious minority have been getting very very sneaky in recent years. Even hovering over their links sometimes produces 'almost' the same link - a minor spelling mistake or an extra dot - that in fact would take you to a completely different site. And if the whole link is underlined, some differences get lost completely (such as the difference between a space and an underscore, or a dot and a comma).
I'm ALWAYS wary. Even if the link looks right, I consider the source. I have to trust BOTH.

Ken in San Jose
April 9, 2011 10:28 PM

"If it's from someone you trust, like perhaps your favorite technical Q&A site or its newsletter, then you're probably safe."

Leo, if it is on a known good newsletter and the most you can say is "probably safe", then that is a little scary.

Who can you trust?

Mark J
April 10, 2011 12:13 AM

@Ken: Nothing is sure in this world except for death and taxes. Here's one example: Most websites use context-sensitive ads. The owner of the site has no control over these. This ad may contain a hidden URL to a malicious site.

Steve
April 20, 2011 7:25 AM

With the recent electronic theft from Epsilon, knowing who can be trusted is even more complicated.

I can no longer trust that the emails I get from my bank, my pharmacy, my on-line retailer, etc. are actually from them.

Louis
October 8, 2011 1:12 PM

Great article. I agree with several of the postings such as what to trust. In my case I find www.findhiddenurl.com useful. It finds the redirected URL and gives you a rating from WOT.

Other websites may find the redirected URL but don't rate the original website. You may want to give it a shot.
