I Came, I Saw, I Clicked

Quite often, people receive unsolicited and rather dubious emails containing links that they are curious to click. Some follow such links, blissfully unaware that they may be exposing their computers to unnecessary security risks. Others understand the possible implications of following such links, but still do it. Others still seem to have assumed that clicking on the link is inherently more dangerous than copying the link, pasting it in the browser’s address bar and pushing the enter button; hence, they do the “safer” thing. The following article attempts to explain why this might not necessarily be true.

You may be aware that web pages are written with a combination of different languages, but what you see in your browser (as you read a web page, for instance) is mostly HTML, CSS and JavaScript, together with images thrown in here and there.

HTML takes care of the content (that is, web pages are encoded as HTML), CSS takes care of the visual appearance (if you see bold text, it was made bold using a CSS command. If you see green text, it was made green using a CSS command).

JavaScript does other, often under-the-hood things which will not be easy to explain in a few paragraphs, but if you use Facebook, for instance, you depend on JavaScript a lot. JavaScript is what processes your comments and makes them show up on the page so quickly without loading a new page.

Now, in HTML, there is one way of specifying text that a user can click on, and cause it to load a new page, or do something similar. This is called a link (or hyperlink). Links are made with the "A" tag. (In HTML, a tag is the rough equivalent of a command). To make a link, you are required to supply an address of the resource that the link is supposed to load. This is called the "href". You are also required to supply a title for this link. This is called the "title". The title makes it possible for you to have links such as the one in your email box that says "inbox". Your inbox cannot simply be a resource called "inbox". The href for that "inbox" link will most likely be a long and complicated string containing lots of information in it, the title is used to give it a human-readable form.

If the href of the link is uncomplicated, the title and the href may be identical. For instance, if you were reading this article off a computer screen, and you saw a link that simply said “http://www.yahoo.com”, then that would be a link whose href and title are identical. If on the other hand you saw something like “click here to go to Yahoo.com”, then that would be a link whose title and href were different.

Now, there is a subtle complication here. There are two ways to copy a link. You may copy the "href", or you may copy the "title". If the two are identical, then there is no difference. If they are different, then it is likely that the "title" will be an invalid web address, which makes it useless for copying and pasting in your browser’s address bar (it will not work).

If you right-click a link, and say "copy link" or similar, you are copying the "href". If you paste this in a browser, and click "Go", then it makes no difference whether you clicked on it or copy-pasted it. You have activated it. If, on the other hand, you highlight the link (as you would highlight text in Microsoft Word) and then right-click the highlighted text and say "copy", then you have copied the title. And as I said earlier, if it is different from the "href", then you might get an error if you attempt to open it in a browser, or it could do something entirely different. It strictly depends on what the title is, and how the browser interprets it.

Links can also have some JavaScript code executed when they are clicked, something which won’t happen in the copy-paste instance, but within the confines of a link inside an email, it is highly unlikely that JavaScript code will be allowed.

Clicking, or otherwise activating the link causes the resource identified by the href to be retrieved and processed. Processing malicious data can cause whatever evil action its creator had in mind. And the resource will get retrieved, whether you clicked on the link, or copy-pasted it. This is why it really makes no difference how you activate a link in an email.

At this point, you might be thinking that if someone is posting a link to a malicious resource, then they will probably make the title of the link look benign, but underneath that title will be hidden an obviously dangerous href. This will be true if you’re dealing with a simple-minded and clueless villain. You see, nothing requires an attacker to name an evil resource in a manner that could give clues as to the true purpose of that resource. When you type a document in MS Word for instance, you click “save” and are given the option to name the file however you please. You could call that file “report” because that is your monthly report you just finished typing. Or you could call it “virus”, just to be mischievous. There’s nothing in your way. Attackers have the same freedom.

If I were an attacker, and I created a small program that installs itself on your PC at the first opportunity, emails me, and then sits there waiting for further commands from me, I could embed such a program in a website that has nothing at all to do with Zombie PCs (that’s what you call a PC that has been infected with the sort of program I just described). Say I embed this program at http://www.medicinewatchers.com/dangerous-antipyretic , then I would not need to disguise the link. As far as a casual user would know, he just got an email warning him about a killer antipyretic drug, and that link would take him to where he would read more about this drug. Clicking or copy-pasting this link would make no difference.
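The href/title distinction and the point just made about undisguised links, as an added example (not part of the original article): it reads an email's HTML, reports what "copy link" and highlight-and-copy would each give you, and flags links whose visible text is itself a web address on a different host than the href. What the article calls the "title" is the visible link text here; the sample body and the `other.example` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkExtractor(HTMLParser):
    """Collect href and visible text for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())
            self.links.append({"href": self._href, "text": text})
            self._href = None

def host_of(value):
    """Lowercase host if value is an http(s) URL, else None."""
    parts = urlsplit(value.strip())
    return parts.hostname if parts.scheme in ("http", "https") else None

def audit_links(html):
    """Per link: what each copy method yields, and whether they disagree."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for link in parser.links:
        text_host, href_host = host_of(link["text"]), host_of(link["href"])
        report.append({
            "copy_link_gives": link["href"],       # right-click, "copy link"
            "highlight_copy_gives": link["text"],  # select the text, "copy"
            "mismatch": text_host is not None and text_host != href_host,
        })
    return report

# Constructed sample email body (other.example is a placeholder host).
SAMPLE = """
<a href="http://www.yahoo.com">http://www.yahoo.com</a>
<a href="http://www.yahoo.com">click here to go to Yahoo.com</a>
<a href="http://other.example/login">http://www.yahoo.com</a>
<a href="http://www.medicinewatchers.com/dangerous-antipyretic">http://www.medicinewatchers.com/dangerous-antipyretic</a>
"""
for row in audit_links(SAMPLE):
    print(row)
```

Only the third link is flagged. The last one passes because its text and href agree, which is exactly why a mismatch check cannot tell you whether the destination is safe.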

This explanation intentionally leaves out some detail, but it is not as bleak as you might imagine. Since computers are very nit-picky devices, they will only process stuff that was meant for their specific kind of hardware and kind of software. It is mostly about software though. By "kind", I mean something in the sense of "Windows Vista", "Windows XP", "Apple’s Mac OS X", "Nokia’s Symbian", "Canonical’s Ubuntu" etc., and the type of browser ("Internet Explorer 5, 6, 7 or 8", "Mozilla Firefox 1, 2, 3 or 3.5", "Opera Browser", etc.), or even email clients like “Outlook” or “Thunderbird”.

A malicious resource could be disastrous for a PC running Windows Vista, which happens to be processing the resource using Internet Explorer 7, while being completely benign for a system running Windows XP, and processing the same resource using Mozilla Firefox 3.

Malicious payloads work by exploiting weaknesses in specific configurations, and they succeed by targeting the most popular configurations. There is a rather useful side-effect of this fact: You will be slightly safer if you use unpopular configurations.

In general, it is safer to keep your computer and any anti-virus software you have up to date, and avoid going clickety clack on anything you suspect to be a hoax. Even more importantly, make sure you read the text in any dialogue boxes that pop up, before saying “yes” to them.
