Anti-malware software examines links to see if they go where they claim to go. The problem is that valid links can be mislabeled as phishing attempts.

My AT&T web mail says this is a suspected phishing site in regards to your newsletter. I still open and read it. Why would they suspect a forged address?

Unfortunately, there's a very legitimate way to craft links that also happens to be easily confused with a technique used by phishing attempts.

It's a difficult position for both the publisher, such as myself, who wants to gather information, and the anti-malware software that doesn't want to inadvertently miss an actual phishing attempt. By erring on the side of paranoia, the anti-malware software often reports "false positives" - links that are "suspected" of being phishing attempts, but really aren't.

Let's look at this in more detail, and how you can tell the difference.

First, we need to understand just what a phishing attempt really is: it's an attempt to make you think you're about to visit legitimate site "A", when in fact you're about to be tricked into visiting some questionable site "B".

Here's an example I've used before:

http://www.ebay.com

It looks like that'll take you to eBay, doesn't it? But by now, you can guess that it won't. It'll take you someplace else entirely. In most browsers, if you hover the mouse pointer over that link, you'll see in the browser's status line exactly where it will take you.

You should always check the status line before taking links you're not 100% sure of. Phishing? What's Phishing? has more guidelines to stay safe.

This leads us to the first technique used to possibly identify phishing attempts: if the link looks like one URL, but in fact would take you to another URL, that's suspect.

But not perfect.

The problem is that there are very legitimate reasons that this might be the case.

Let's look at this example:

http://www.microsoft.com

That link looks like it will take you to microsoft.com, and in fact it will. But if you hover over the link, it won't show microsoft.com at all ... it shows http://go.ask-leo.com/ms. Since they don't match, anti-phishing tests might label this as a suspected phishing attempt, even though it's not.

Now the question you should be asking yourself is why would I send you to microsoft.com via a link that is off of my own ask-leo.com domain? The answer is: so that I can tell that you went there.

"Click Tracking" allows publishers such as myself to gauge what's popular and useful, and allows us to get a better feel for just how well we're doing. It's not used to track you specifically, but rather to see how many people are clicking on any given link. Without that "redirection" through http://ask-leo.com/d-ms I wouldn't be able to tell how many people were finding that link to http://www.microsoft.com of interest.

For example, I can tell you that as I write this, 30 people clicked on a link to microsoft.com from my site in the last week. I have no idea who they are, but I don't care - it's the aggregate information that's most useful. I can also tell you that it pales in comparison to the 1,735 people that clicked on the link to TweakUI, or the 996 people that clicked on a link to the PowerPoint Viewer in that same timeframe.

That's additional data to help tell me what my visitors think is important.

But collecting it can confuse anti-phishing tools.

Which brings me to the newsletter and email in general.

Using click tracking on a website isn't all that common, although it is certainly possible, legitimate and ultimately benign. Using click tracking in email is extremely common.

Once again, using click tracking legitimately allows publishers to understand whether they're giving their recipients what they want. For example, if I send out a newsletter and no one clicks on any of the links - well, that must've been a pretty poor newsletter, and that's something I need to know. On the other hand, if a specific bit of information is extremely popular, that's good for me to know as well, as I can then tailor more or include additional content to meet that apparent interest.

But, as you've seen, that data collection effort can result in false-positive phishing warnings, as the links you see might not exactly match the links you'll be routed through.

(As an aside specifically for Ask Leo! newsletter subscribers, links will typically route through ask-leo.com, aweber.com or a subdomain off of aweber.com. Ads may route through other domains that I will have vetted prior to publication.)
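As an added illustration (not code from the original article) of the mismatch heuristic described earlier, and of why a redirect through a known host such as ask-leo.com or aweber.com can be treated differently from one through an unknown host, here is a small Python scanner. The allowlist and the sample HTML fragment are constructed for this example, and example.invalid stands in for an unknown destination.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist, from the article's aside: redirect sites a newsletter
# recipient expects. Constructed for this example, not a product setting.
TRUSTED_REDIRECT_SITES = {"ask-leo.com", "aweber.com"}

def site_of(url):
    # Host reduced to its last two labels; a simplification that ignores
    # multi-part public suffixes such as co.uk.
    parsed = urlparse(url if "://" in url else "http://" + url)
    labels = (parsed.hostname or "").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""

def classify_link(text, href, trusted=TRUSTED_REDIRECT_SITES):
    # The article's heuristic: visible text names one site, the href goes to
    # another. Returns 'ok', 'tracked' (known redirect) or 'suspect'.
    text = text.strip()
    if " " in text or "." not in text:
        return "ok"                     # plain words make no claim to check
    claimed, actual = site_of(text), site_of(href)
    if not claimed or claimed == actual:
        return "ok"                     # text and destination agree
    return "tracked" if actual in trusted else "suspect"

class AnchorCollector(HTMLParser):
    # Collects (visible text, href) pairs from an HTML fragment.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text), self._href))
            self._href = None

def scan_html(fragment):
    # Returns [(text, href, verdict)] for every anchor in the fragment.
    collector = AnchorCollector()
    collector.feed(fragment)
    return [(t, h, classify_link(t, h)) for t, h in collector.links]

# Constructed sample fragment; example.invalid stands in for an unknown host.
SAMPLE = ('<a href="http://go.ask-leo.com/ms">http://www.microsoft.com</a>'
          '<a href="http://example.invalid/x">http://www.ebay.com</a>'
          '<a href="http://go.ask-leo.com/ms">the PowerPoint Viewer</a>')
```

Running `scan_html(SAMPLE)` labels the first link "tracked", the second "suspect" and the third "ok", which is the distinction the article draws between a click-tracking redirect and a genuine mismatch.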

Lastly, this technique can be used for several legitimate purposes:

  • Click tracking: as discussed above.

  • URL Shortening: services like tinyurl.com and snurl.com work in exactly this same fashion.

  • Change Protection: sometimes URLs change and pages move. Using a redirection as we've discussed here allows the target of the redirection to be changed in exactly one place.

So definitely pay attention to the warnings your anti-malware software is throwing at you, but don't assume that it's always correct. Use some common sense, and some knowledge, to gauge yourself if what you're about to click on is legitimate or not.

Article C3607 - January 1, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions. More about Leo.
