URL & Link Analyzer
Read our comprehensive URL analysis guide for in-depth explanations of phishing techniques, URL manipulation tactics, and how to stay safe online.
Understanding URL Anatomy
Every URL (Uniform Resource Locator) follows a structured format that tells your browser exactly where to go and what to fetch. Understanding this structure is the first line of defense against phishing attacks. A complete URL consists of several components: the protocol (scheme), authority (which includes optional credentials, hostname, and port), path, query string, and fragment. Each component serves a distinct purpose, and attackers exploit specific parts to deceive users into visiting malicious destinations while believing they are navigating to trusted websites.
The most critical component for security assessment is the hostname, which identifies the server that will receive your request. The hostname is read right-to-left for hierarchical significance: the top-level domain (TLD) comes last (.com, .org, .net), followed by the registered domain (the name actually purchased from a registrar), and then optional subdomains. For example, in login.secure.example.com, the registered domain is example.com, while login and secure are subdomains that can be set to any value by whoever controls example.com. This right-to-left hierarchy is precisely what phishing attackers exploit when they create domains like paypal.com.malicious-site.tk -- the actual destination is malicious-site.tk, not PayPal.
Common Phishing URL Techniques
Attackers have developed an extensive repertoire of URL manipulation techniques designed to bypass both human vigilance and automated detection systems. Understanding these methods is essential for identifying suspicious links before clicking them:
- Homograph attacks (IDN spoofing) - Internationalized Domain Names allow characters from non-Latin scripts that visually resemble ASCII letters. The Cyrillic letter "a" (U+0430) is visually identical to the Latin "a" (U+0061), enabling attackers to register domains like xn--pple-43d.com that display as apple.com in certain browsers. Modern browsers mitigate this by displaying punycode for mixed-script domains, but the attack remains effective in email links and messaging apps.
- Typosquatting - Registering domains that are slight misspellings of popular brands exploits typographical errors and inattentive reading. Common patterns include character transposition (gooogle.com), adjacent key substitution (goofle.com), character omission (gogle.com), character doubling (googgle.com), and wrong TLD (google.co instead of google.com). Attackers register thousands of typosquatting domains for major brands and either serve phishing pages or sell them back to the brand.
- Subdomain abuse - Since subdomain text appears before the registered domain, attackers register a malicious domain and prepend trusted brand names as subdomains: www.paypal.com.account-verify.tk. On mobile devices with narrow address bars, the actual domain may be truncated, showing only the trusted-looking subdomain prefix. Excessive subdomain depth (more than 3 levels) is a strong phishing indicator.
- URL shorteners - Services like bit.ly, t.co, and tinyurl.com mask the true destination entirely. While legitimate for social media character limits, shortened URLs eliminate the user's ability to inspect the destination domain before clicking. Many phishing campaigns use URL shorteners as a first redirect to hide the malicious final destination.
- Encoded characters - URL encoding (%XX hexadecimal format) is legitimate for special characters in paths and query strings, but percent-encoded characters in the domain portion are abnormal and often indicate obfuscation attempts. An attacker might encode portions of a malicious domain to bypass pattern-matching filters while the browser still resolves the domain correctly.
- Credential prefix abuse - The URL specification allows a username:password@hostname format for HTTP authentication. Attackers exploit this by crafting URLs like https://www.google.com@malicious-site.com, where www.google.com is treated as a username (ignored by the server) and the actual destination is malicious-site.com. Many modern browsers strip or warn about this syntax, but it remains effective in email clients and some mobile apps.
- Embedded redirects - Legitimate redirect services and open redirect vulnerabilities on trusted domains allow attackers to craft URLs that start at a trusted domain but redirect to a malicious one. The URL https://trusted-site.com/redirect?url=https://evil-site.com begins at a trusted domain, potentially bypassing security filters, before redirecting the user to the attacker's page.
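The right-to-left hostname reading and the indicators listed above can be checked with string parsing alone. The following is an added example, not the analyzer's own code: the flag names, the MULTI_SUFFIXES stand-in for the Public Suffix List, and the tld-in-subdomain heuristic are assumptions, and IP-literal hosts are not handled.

```javascript
// Added example. SHORTENERS and COMMON_TLDS use the names listed on this page;
// MULTI_SUFFIXES is a constructed stand-in for the Public Suffix List (assumption).
const SHORTENERS = new Set(["bit.ly", "t.co", "tinyurl.com"]);
const COMMON_TLDS = new Set(["com", "org", "net"]);
const MULTI_SUFFIXES = new Set(["co.uk", "com.au", "co.jp"]);

// Read the hostname right-to-left: public suffix first, then one registrable label.
function registeredDomain(hostname) {
  const labels = hostname.split(".");
  const keep = MULTI_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function analyzeUrl(raw) {
  const url = new URL(raw); // string parsing only, no network request is made
  const host = url.hostname;
  const registered = registeredDomain(host);
  const subLabels = host.split(".").slice(0, -registered.split(".").length);
  // The URL parser percent-decodes the host, so inspect the raw authority instead.
  const rawAuthority = (raw.match(/^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i) || [])[1] || "";
  const rawHost = rawAuthority.slice(rawAuthority.lastIndexOf("@") + 1);
  const flags = [];
  if (url.username || url.password) flags.push("credential-prefix");
  if (host.split(".").some((label) => label.startsWith("xn--"))) flags.push("punycode-label");
  if (subLabels.length > 3) flags.push("deep-subdomains");
  // Heuristic (assumption): a TLD-looking label left of the registered domain
  // suggests a brand hostname was prepended as subdomains.
  if (subLabels.some((label) => COMMON_TLDS.has(label))) flags.push("tld-in-subdomain");
  if (/%[0-9a-f]{2}/i.test(rawHost)) flags.push("encoded-host");
  if (SHORTENERS.has(host)) flags.push("shortener");
  for (const [key, value] of url.searchParams) {
    if (/^https?:\/\//i.test(value)) flags.push("embedded-redirect:" + key);
  }
  return { host, registered, subdomains: subLabels.length, flags };
}
```

A flag is a reason to look closer, not a verdict: shorteners and redirect parameters also appear in legitimate links.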
How Attackers Use URL Manipulation
Phishing campaigns combine multiple URL manipulation techniques with social engineering to maximize their success rate. A typical sophisticated attack might use a typosquatted domain with a subdomain mimicking the target brand, served over HTTPS with a legitimate certificate (freely available from Let's Encrypt), and delivered through a convincing email that creates urgency -- such as a fake security alert or account suspension notice. The attacker's landing page replicates the target website pixel-for-pixel, often using the real site's own assets loaded from CDNs, making visual detection virtually impossible.
Advanced attackers also employ transparent reverse proxies (tools like Evilginx2 and Modlishka) that sit between the victim and the real website, relaying all traffic in real time. The victim sees the genuine site content and even completes real authentication, while the proxy captures session cookies and credentials. Against these sophisticated attacks, URL inspection before clicking is one of the few effective defenses, because the URL will always point to the attacker's infrastructure rather than the legitimate domain.
Tips for Identifying Suspicious Links
Developing a habit of URL inspection before clicking can prevent the vast majority of phishing attacks. Follow these practices to evaluate links safely:
- Hover before clicking - On desktop devices, hover over any link to reveal the actual URL in the browser status bar or tooltip. Compare the displayed text with the actual destination. If they differ significantly, the link is likely deceptive.
- Read the domain right-to-left - Identify the registered domain by reading from the TLD leftward. In secure-login.paypal.com.verify-account.tk, the registered domain is verify-account.tk, not paypal.com. Everything to the left of the registered domain is subdomains controlled by the domain owner.
- Check for HTTPS - While HTTPS alone does not guarantee legitimacy (attackers use HTTPS too), the absence of HTTPS for any site requesting login credentials or personal information is a definitive red flag. Legitimate financial institutions, email providers, and major services always use HTTPS.
- Be suspicious of urgency - Phishing messages almost always create artificial urgency: "Your account will be suspended in 24 hours," "Unauthorized access detected," or "Verify your identity immediately." Legitimate organizations rarely communicate urgent security matters exclusively through email links.
- Use this analyzer - When in doubt about a link, paste it into this URL analyzer rather than clicking it. The tool will decompose the URL and identify suspicious patterns without ever visiting the destination. You can then make an informed decision about whether the link is trustworthy.
- Navigate directly - If you receive an email claiming to be from your bank, email provider, or any other service, do not click the link. Instead, open your browser and type the known URL directly, or use a saved bookmark. This completely bypasses any URL manipulation in the email.
- Inspect shortened URLs - Before clicking shortened links, use a URL expander service to reveal the full destination. Many URL shorteners offer preview features (e.g., adding a "+" to a bit.ly link) that show the destination without visiting it.
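The "hover before clicking" comparison can also be automated for HTML email: when the visible link text is itself a URL, its site should match the href. This is an added example, not the analyzer's own code; the sample message is constructed, the regex stands in for a real HTML parser, and the two-label site() shortcut is an assumption in place of the Public Suffix List.

```javascript
// Constructed sample message (not from any real campaign).
const SAMPLE_EMAIL = `
<p>Dear customer, sign in at
  <a href="https://www.paypal.com.account-verify.tk/login">https://www.paypal.com/signin</a></p>
<p>Help: <a href="https://www.example.com/help">www.example.com/help</a></p>
<p><a href="https://example.org/unsubscribe">Unsubscribe</a></p>`;

// Return the hostname if the text looks like a URL or bare host, else null.
function hostOf(text) {
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : "https://" + text;
  try {
    const host = new URL(candidate).hostname; // parsing only, nothing is fetched
    return host.includes(".") ? host : null;  // plain words such as "Unsubscribe" are not hosts
  } catch {
    return null; // e.g. "Click here" is not a valid host
  }
}

// Simplified registered domain: the last two labels (assumption, see lead-in).
const site = (host) => host.split(".").slice(-2).join(".");

// List anchors whose visible text names one site while the href goes to another.
function deceptiveLinks(html) {
  const findings = [];
  const anchor = /<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>(.*?)<\/a>/gis;
  for (const [, href, inner] of html.matchAll(anchor)) {
    const text = inner.replace(/<[^>]*>/g, "").trim();
    const shown = hostOf(text);
    const actual = hostOf(href);
    if (shown && actual && site(shown) !== site(actual)) {
      findings.push({ text, shown, actual });
    }
  }
  return findings;
}
```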
This URL analyzer operates entirely within your browser using JavaScript string parsing. No URLs you analyze are ever transmitted to any server, logged, stored, or shared with any third party. The tool never fetches, visits, or makes any network request to the URL you are inspecting. Your analysis is completely private and leaves no trace beyond your browser session. You can verify this by disconnecting from the internet before using the tool -- it will continue to work normally.