Phishing: the Click of Death

Recently we realized that from time to time when people find a live link in one of our blogs, they click on it to see where it goes, even though the context might suggest that the link could be malicious. So we thought it might be a good idea to set up a link so that people who clicked incautiously would see a harmless site that would, hopefully, educate them into being more careful in future. In fact, I first tried this out with the ‘simulated phishing site’ here, but we wanted to provide a more comprehensive resource, and that’s what this article is for.

Many years ago in the UK, the Royal Society for Prevention of Accidents ran some campaigns to persuade people to make more use of their car seat belts, using a series of public information films with the slogan Clunk Click Every Trip. The slogan represented the sound of someone getting into a car and fastening their seatbelt as soon as they close the door.

While that seatbelt click makes you safer on the road, the wrong mouse click can make you very unsafe on the Internet.

How You Got Here

If you've just found yourself here unexpectedly, the chances are that you got here by clicking on a link used to make a point about how misplaced trust can get you into trouble. I sometimes use this technique in a blog or article:

As a replacement for a malicious link when we reproduce a malicious email or web page
To demonstrate how what looks like a straightforward link to something quite benign can turn out to be something quite different.

However, I certainly wouldn't object to other people using it for similar (legitimate) purposes. It might, for instance, be useful for IT units wanting to test their customers' susceptibility to phishing by sending crafted emails with a deceptive but harmless link. (Though a company that wanted to set up such a fake phishing site might prefer to use this page as a template for setting up an internal page, so that it can monitor the responses of its users.)

If you got here by way of a link that has no direct connection with ESET, let me reassure you that this is not a malicious site. We're in the business of publishing security software, detecting malware and teaching people about malicious attacks: we're not here to engage in criminal behaviour ourselves!

Why you arrived here

When I set this page up, there were some points I wanted to make about clicking indiscriminately on links.

1. Think before you click.

Just because you're running anti-virus and other security software, that doesn't mean you can click indiscriminately on the assumption that your software will detect all malicious code and websites: no self-respecting security researcher or developer will claim that his or her software will detect all malicious code, known and unknown.

2. Trust people, not addresses.

Don’t trust unsolicited files or embedded links, even from friends. (Reputable security bloggers are usually ok, but even we could make a mistake and leave an undesirable link in a post.) It’s easy to spoof e-mail addresses, for instance, so that an e-mail appears to come from someone other than the real sender (who/which may in any case be a spam tool rather than a human being). Not all messaging protocols validate the sender’s address in the “From” field, though well-secured mail services do often include such functionality. But basic SMTP, for example, doesn't. The nature of the 21st-century Internet means that there are many ways of concealing such information if the sender really wants to conceal or disguise his identity. It’s also possible for mail to be sent from your account – without your knowledge – by malware, though malware that spreads itself in this way is far rarer than it used to be.

3. Not everything in disguise is a blessing.

There are many ways to disguise a harmful link so that it looks like something quite different, whether it’s in e-mail, chat or whatever. The sophisticated ways in which malicious links are sometimes disguised in phishing e-mailsso that they appear to go to a legitimate site has forced developers to re-engineer web browsers to make it easier to spot such spoofing. (Early phishing e-mails tended to rely on exploiting bugs in popular browsers to hide the real target link.)

However, too many people forget to make use of elementary precautions such as passing the mouse cursor over the link so that the real link shows up, and in some cases, the link that shows up that way is just the first in a series of redirected links, making it impossible to validate the 'final destination' without traversing the entire chain. In any case, it’s not always easy to distinguish a genuine site from a fake site just from the URL, even if the URL is rendered correctly. DNS cache poisoning, for instance, allows an attacker to redirect a web query to an IP address under the attacker’s control.

4. Don't sweat the short stuff.

One common technique for hiding the URL to which the link will eventually take you is to use a URL-shortening service, including legitimate URL shorteners like TinyURL, bit.ly, t.co and so on. URL shortening is great for micro-blogging services like Twitter; however, because you typically cannot see the destination URL beforehand, there is a certain amount of risk. You cannot take it for granted that URL shortening services like bit.ly and TinyURL are redirecting you to trustworthy web sites. Indeed, spam tweets containing a short link to a spammy or unequivocally malicious site are all too common.

5. Convenient isn't always safe.

There’s even more risk when you find a shortened link in a message you receive by email, instant messaging, and so on. It’s worth remembering that when a message that isn’t restricted to the 160 character maximum of an SMS text message – Twitter reserves 20 characters for the user address, so the effective maximum for a tweet is 140 characters – there’s rarely a real need for obsessive trimming of message length, so you might well wonder whether a shortened URL in such a message (or a blog article, or a Facebook message) might be hiding something unpleasant. However, it’s not always the case. For example, it’s not unusual for services like Tweetdeck to post a single message not only to several Twitter accounts, but to Facebook. In such a case, a link automatically shortened for Twitter will also appear shortened on Facebook.

LongURL [http://longurl.org/] lets you see the expanded version of a shortened URL before you go there. TinyURL will let you do this for tinyURLs. However longurl.org can expand URLs from a long list of other URL shorteners – see http://longurl.org/services. Recently, we’ve seen QR codes like the one below used to disguise malicious links, too.