In my previous post – Is your computer secure – I indicated that novice users should never click on links. In this post, I will help you identify bad links and give you tips on when to click on a link.

When receiving a curious link, most users enter a split-personality mode like Smeagol in Lord of the Rings. Your alter ego says click on it, while your heart says don’t. Unfortunately, sometimes the alter ego prevails: we click and we get infected or phished. Let’s decompose a link so that you can make educated decisions on whether to click or not.

Firstly, the link displayed does not always show the truth. Click on this non-malicious link to get the latest sports news:

www.espn.com

Experienced users would have hovered over the link and noticed in the status bar at the bottom of their browser that it in fact linked to CNN and not ESPN. The creator of a link can make the displayed text anything; in this case, I made the text look like the actual address of the site. The link behind the text is the real website that a user will visit when clicked. Imagine if this link was downloadmalware.com … your PC would be infected.

Ok, I hover over the link to see the real site, so what!! How do I know whether I should click or not? To answer this, we need to break down the link. Locate the short group of letters just before the first forward slash (/), ignoring the http:// at the start, as it tells you a lot. This is called the top-level domain (TLD), which sometimes represents a country. Since Russia and China generate over 50% of all malware, users should avoid any site hosted in these countries. The TLDs for these countries are .ru and .cn respectively. It does not suffice to only filter out links containing these TLDs, as sites in Russia or China can use generic top-level domains such as .com, .net, .info, .org.

Here are some fake examples to illustrate the domains:

http://www.hacked.cn/hackme – China
http://www.omg.iamevil.ru/infected – Russia
http://secure.iamhacked.com/index.html – China

After checking the TLD, we verify the second-level domain, which is located immediately to the left of the TLD. If this domain has random characters or seems meaningless, stay away. For those domains that seem legitimate, you can use a reputation-based lookup service such as TrustedSource. Even if such a service does not report the site as high risk, the site may still contain malicious code waiting for unsuspecting users. In the above examples, hacked, iamevil, and iamhacked are the second-level domains. When in doubt, do not listen to your alter ego and follow your heart, which says DO NOT CLICK!!
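The same checks can be scripted. The following is an added example, not code from the original post: it reads the links out of a piece of HTML, compares the displayed text with the real destination, and splits the destination into its second-level domain and TLD. The names `host_of`, `split_domain`, `LinkCollector`, `audit` and `FLAGGED_TLDS` are hypothetical, the sample HTML is constructed, and the split assumes a single-label TLD.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
FLAGGED_TLDS = {"ru", "cn"}  # the two country TLDs the post singles out

def host_of(text):
    """Hostname of a URL or bare 'www.example.com' string, else None."""
    text = text.strip()
    url = text if "://" in text else "http://" + text  # urlsplit needs a scheme
    host = None if " " in text else urlsplit(url).hostname
    return host if host and "." in host else None

def split_domain(host):
    """Naive (second-level domain, TLD) split; ignores suffixes like co.uk."""
    return tuple(host.split(".")[-2:])

class LinkCollector(HTMLParser):  # gathers (displayed text, href) per <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def audit(html):
    """Yield one finding per absolute link: real host, SLD, TLD, warnings."""
    collector = LinkCollector()
    collector.feed(html)
    for text, href in collector.links:
        real, shown = host_of(href), host_of(text)
        if real is None:
            continue  # relative link: no host to decompose
        sld, tld = split_domain(real)
        warnings = []
        if shown and split_domain(shown) != (sld, tld):
            warnings.append("displayed site differs from destination")
        if tld in FLAGGED_TLDS:
            warnings.append("flagged TLD")
        yield {"host": real, "sld": sld, "tld": tld, "warnings": warnings}

# Constructed sample: the post's ESPN/CNN link and one of its fake URLs.
SAMPLE = ('<a href="http://www.cnn.com/">www.espn.com</a> '
          '<a href="http://www.omg.iamevil.ru/infected">latest news</a>')
```

A link that passes both checks is not thereby safe; as noted above, a generic TLD and a plausible name say nothing about where the site is hosted or what it serves.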

The safest way to browse is to type in the website URL yourself or google it. Use links with a lot of caution.

In my next blog, I will discuss trusting links or e-mails from friends and then Spoofing.