provocativo_
#web-security #osint

Anatomy of a Phishing Link

Most phishing URLs aren't trying to fool a SOC engineer. They're trying to fool someone scrolling at 11pm on their phone, half-asleep, expecting an email from a courier or a bank. The attacker doesn't need a zero-day. They need three seconds of inattention.

Let's break down what to look at — without any tooling — and then automate it.

The four pieces of a URL that matter

new URL("https://amaz0n-login.security-update.click/verify?ref=ups")
// {
//   protocol: "https:",         // not a trust signal on its own anymore
//   hostname: "amaz0n-login.security-update.click",
//   pathname: "/verify",
//   searchParams: URLSearchParams { 'ref' => 'ups' }
// }

The interesting field is hostname. Read it right-to-left: the TLD is .click, the registrable domain (the part someone actually paid for) is security-update.click, and everything to the left of that, amaz0n-login, is a subdomain the attacker can name whatever they like.

A user who only reads left-to-right sees "amaz0n-login" and trusts it. The actual domain is security-update.click, which has nothing to do with Amazon.

What to check before you click

  1. Hover, don't click. Read the hostname right-to-left.
  2. Is the TLD weird? .click, .xyz, .top — be suspicious.
  3. Punycode? xn-- prefix = Unicode hostname. xn--80ak6aa92e.com looks like apple.com. Browsers usually warn, but not always.
  4. Redirect chain. Click in a sandbox — does the URL bounce 3 times? Each hop is an opportunity to launder reputation.
  5. Cert age. A 4-day-old Let's Encrypt cert on a "bank" page is loud.

Automate it

This is exactly the kind of repetitive check that gets done badly under time pressure — which is why Provocativo ships the Link Analyzer: paste a URL, get verdict, redirect chain, SSL posture, and domain age in one screen. URLScan.io and VirusTotal under the hood, free engines first, paid engines if you wire up API keys.

The point isn't to remove human judgment — it's to make the boring half automatic so judgment can focus on the parts machines miss.