URL Threat Analyzer

Heuristic Engine v3.4 • Client-Side Privacy


About

The Malicious Link Detector is a client-side heuristic analysis engine designed to deconstruct and evaluate Uniform Resource Locators (URLs) for security threats. Unlike basic scanners that rely solely on blacklists, this tool performs deep structural analysis to identify Typosquatting (e.g., g0ogle.com), Homoglyph Attacks (using non-Latin characters to mimic legitimate letters), and high-entropy obfuscation often used in Domain Generation Algorithms (DGAs).

Phishing attacks account for over 80% of reported security incidents. Attackers often utilize URL Shorteners or Open Redirects to mask their final destination. This tool dissects the URL into its atomic components - Scheme, Authority, Path, and Query - to expose hidden risks, unencrypted connections, and suspicious Top-Level Domains (TLDs). It provides a granular risk score based on weighted vectors of suspicion, ensuring users can verify links from emails or SMS before establishing a connection.


Formulas

The scanner employs Shannon Entropy to detect random, machine-generated subdomains (DGA). The entropy H of a string S is calculated as:

$$H(S) = -\sum_{i=1}^{n} p_i \log_2(p_i)$$

Where $p_i$ is the probability of character $i$ appearing in the string. High entropy values (> 4.5) often indicate non-human-readable strings.

Typosquatting Detection utilizes the Levenshtein Distance algorithm to measure the edit distance between the input domain $a$ and a target popular domain $b$ (e.g., 'google').

$$\begin{cases} \text{match} & \text{if } \operatorname{lev}(a, b) \le 2 \\ \text{safe} & \text{otherwise} \end{cases}$$

Reference Data

| Indicator | Risk Level | Description |
|---|---|---|
| Homoglyph (IDN) | CRITICAL | Use of Cyrillic/Greek characters that visually resemble Latin (e.g., "a" vs "а"). |
| IP Hostname | HIGH | Direct IP usage (e.g., 192.168.1.1) instead of a domain name is rare for legitimate public services. |
| @ Symbol (Auth) | HIGH | Used to obscure the true domain (e.g., user:[email protected]). Browsers may ignore text before "@". |
| Risky TLD | MEDIUM | TLDs like .zip, .country, .gq are statistically higher in abuse rates than .com or .org. |
| Deep Subdomains | MEDIUM | Excessive nesting (e.g., paypal.verify.secure.com) attempts to push the actual domain off-screen on mobile. |
| HTTP Scheme | MEDIUM | Lack of SSL/TLS encryption. Data is transmitted in cleartext. |
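
The entropy and edit-distance formulas and the indicators in the table above, combined into one checker. This is an added example, not the tool's own code; the brand list, the finding names, the 1-to-2 distance range and the four-label limit are assumptions.

```javascript
// Added example. BRANDS, the finding names and the >= 4 label limit are
// assumptions for illustration, not the tool's actual values.
const BRANDS = ["google", "paypal", "microsoft"];      // assumed watch list
const RISKY_TLDS = new Set(["zip", "country", "gq"]);  // TLDs named in the table

// Shannon entropy in bits per character: H(S) = -sum(p_i * log2(p_i)).
function shannonEntropy(s) {
  const chars = [...s], counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) h -= (c / chars.length) * Math.log2(c / chars.length);
  return h;
}

// Levenshtein edit distance, keeping only the previous row of the matrix.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns the list of indicators that fire for one URL string.
function analyzeUrl(raw) {
  const u = new URL(raw);                      // WHATWG parser: throws on invalid input
  const labels = u.hostname.split(".").filter(Boolean);
  const hits = [];
  if (u.protocol === "http:") hits.push("http-scheme");
  if (u.username || u.password) hits.push("userinfo-at");
  // The parser normalizes decimal/hex IPv4 forms, so one pattern covers them.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname) || u.hostname.startsWith("[")) {
    hits.push("ip-hostname");
    return hits;
  }
  // Unicode hostnames are serialized as Punycode, so any "xn--" label is an IDN.
  if (labels.some((l) => l.startsWith("xn--"))) hits.push("idn-homoglyph");
  if (RISKY_TLDS.has(labels[labels.length - 1])) hits.push("risky-tld");
  if (labels.length >= 4) hits.push("deep-subdomains");
  const names = labels.slice(0, -1);           // every label except the TLD
  // Distance 0 is the brand itself, so only 1..2 counts as a typosquat here.
  if (names.some((l) => BRANDS.some((b) => l !== b && levenshtein(l, b) <= 2))) hits.push("typosquat");
  if (names.some((l) => shannonEntropy(l) > 4.5)) hits.push("high-entropy");
  return hits;
}
```

Because H(S) cannot exceed log2 of the number of distinct characters, a label needs at least 23 distinct characters to cross 4.5 bits, so short random labels will not trip this threshold.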

Frequently Asked Questions

URL shorteners mask the final destination, preventing you from verifying the target domain before clicking. Phishers rely on this blindness. Always expand short links using a server-side unshortener or treat them with caution.
No security tool offers 100% guarantees. A "Safe" rating means the URL structure passes heuristic checks and doesn't match known static patterns. However, a legitimate hacked website hosting malware will still look structurally "Safe". Always verify the source.
A homoglyph attack uses characters from different scripts (like Cyrillic "а" vs Latin "a") that look identical to the naked eye but are treated as different destinations by computers. This tool detects Internationalized Domain Names (IDN) specifically to prevent this.
Modern browser security policies (CORS) prevent client-side JavaScript from silently following redirects on external domains. To trace a redirect path fully, the request must originate from a backend server, not a browser.