Defanging Links: The Art of Anti-Spam and Anti-Scam
You know how there are things that exist and you know that they do, but you never really searched for them so you also don’t know what they’re called and you can’t really gather up the right vocabulary to explain why they’re used even when your subconscious brain has a good idea on it?
That was ‘defanging’ for me. So in this byte-sized, lightning-fast piece, I bring you what they are, why they are, how they are.
Links are pretty useful. There’s a high chance you got to this page by clicking on a link. Maybe mindlessly, maybe not. They’re not only useful, they’re also pretty interesting, wouldn’t you agree? Mouse click and bam! You’re at a different address!
But imagine if this happened in real life too. Imagine a sci-fi self-insert where lamp-posts are link-like portals. They wear a poster that tells the traveler where it opens up; you touch it and you’re transported to the place it says it has a wormhole-road to. This can easily be misused. It can say ‘Hi, I can transport you to your friend’s house across the city’, but it could actually be a fraud and transport you to a super-villain’s den. We don’t want that. Not in real life, not in the virtual life.
Links can go: https://instagram.com/puppiesjumpingoverfence/ and before you know it, you are at a place you never intended to go to!
_“But it said that it will take me to pictures of puppies jumping over fence!”_ Well, people lie.
To not be vulnerable to links like these (+ for other reasons that I will list out below), something called defanging is used. You might have already come across it before.
Defanging is a technique that prevents URLs/links/addresses from being clickable. URLs are modified so that software (e.g. email clients, Twitter, etc.) does not automatically recognise and treat them as links, while they still remain human-readable.
Let us take the example: https://malicious-website.com
I don’t think there is one specific hard-and-fast rule to defang addresses. Any change that makes the URL unclickable in the target software while still maintaining its human-readability is a valid defanging method. However, using the most common methods, this is how it would look:
- Replace http / https with hxxp / hxxps (https://malicious-website.com –> hxxps://malicious-website.com)
- Add brackets around the dot (hxxps://malicious-website.com –> hxxps://malicious-website[.]com)
Thus, the final URL will be hxxps://malicious-website[.]com. It is still readable, and it is text that most (legit?) software or apps will not automatically turn into something clickable. A similar modification can be done to IP addresses as well.
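An added example (not from the original post) of the two conventions above in Python: a defang function, its inverse for tooling that needs the real value, and a pass over a whole message that also catches bare IPv4 addresses and stops before trailing sentence punctuation. The ticket text is constructed; malicious-website.com is the post's own example and 203.0.113.45 is a documentation-range address.

```python
import re

# Scheme at the start of an indicator; both http and https are rewritten.
_SCHEME_RE = re.compile(r"^(https?)://", re.IGNORECASE)

# URLs (stopping before trailing sentence punctuation) and bare IPv4 addresses.
_INDICATOR_RE = re.compile(
    r"https?://[^\s<>]+?(?=[.,;:!?)]*(?:\s|$))"  # URL, lazily extended
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b",             # IPv4 address
    re.IGNORECASE,
)


def defang(indicator: str) -> str:
    """Defang one URL or IP address: http(s):// -> hxxp(s):// and '.' -> '[.]'.

    Every dot is bracketed, not only the ones in the host, so that no part
    of the string still looks like a domain to an auto-linker.
    """
    out = _SCHEME_RE.sub(
        lambda m: m.group(1)[0] + "xx" + m.group(1)[3:] + "://", indicator
    )
    return out.replace(".", "[.]")


def refang(indicator: str) -> str:
    """Reverse defang() so a tool (never a human) can act on the real value."""
    out = re.sub(r"^hxxp", "http", indicator, flags=re.IGNORECASE)
    return out.replace("[.]", ".")


def defang_text(text: str) -> str:
    """Defang every URL and IPv4 address found in a free-text message."""
    return _INDICATOR_RE.sub(lambda m: defang(m.group(0)), text)


# Constructed sample ticket text (not real data); 203.0.113.45 is a
# documentation-range address.
SAMPLE = (
    "Ticket 4711: user reported a mail linking to https://malicious-website.com/login?x=1, "
    "the sender's MTA was 203.0.113.45 and the legit portal is http://intranet.example.com."
)

if __name__ == "__main__":
    print(defang_text(SAMPLE))
```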
It is very easy to make people click on a link, which isn’t really a good thing, to be honest. Especially when sensitive information is at stake; think: corporate environments. A company can use defanged URLs internally in its communications. It will help users be cautious of mindlessly clicking links from messages and documents, and discourage them from instinctively clicking on links that they receive. This way, users see the complete URL and have to deliberately and consciously decide to visit the address, which can eliminate a lot of accidental clicks.
Many times, software shortens the URL for you before it gets shared; Twitter, for example. It converts a readable URL into an obscure and abstract link. You might accidentally click on it while scrolling, or even click intentionally without knowing what the actual, complete URL looks like. Since Twitter will not treat defanged links as links, we get to see the complete text, thus reducing threats.
The above examples mostly deal with frauds and scams, which can be an avenue to huge issues. Defanged links can also help with spam in addition to scams.
Bots and scripts are like two-year-olds. They will lace up their shoes and run wherever space allows them to. Websites, documents, everything accessible to them. Now, links are deliberate and incredibly useful for SEO purposes; these are cases where you want the links to be traceable and followable. However, you might want to add links and email addresses to your documents without a bot picking them up and adding them to a potential spam list. In that case, defanging them could be helpful. Granted, identifying defanged strings is not a heavy task, but it is still a task that goes beyond the usual scraping and just might save you from some unwanted attention.