One of the most common tips you hear in regard to security is to not click links, but how malicious can a link be in this day and age? In this article I’ll discuss the risks I see and what impact they may have, to initiate a discussion about these risks.

The thing about the internet today is that everything is links, and many sites such as Twitter and bit.ly use link shortening to track usage and hide the original address. This makes it hard to know beforehand if the link is legitimate, and thus might increase the risk, but the impact will be the same. Here are four risks that I see when clicking a link.

  1. The most obvious risk is phishing. An attacker can create a serious-looking website with the aim of tricking a victim into entering sensitive information such as passwords or credit card information. This would allow the attacker to use the stolen information to either sign into the compromised account, or pay with the credit card. However, these attacks are not performed when you click the link, but rather when you enter the information on the site, meaning that this does not qualify as a risk of clicking a link.
  2. There are a few different attacks, for example clickjacking or cross-site request forgery, that target a website through a victim browsing a third-party website. These attacks allow the culprit to perform actions as the victim on the target site. Instead of infecting the computer of the victim, these attacks exploit a vulnerability in the target site to perform actions as the victim.
  3. A reflected Cross-Site Scripting attack, also known as XSS, exploits a vulnerability in a website to perform actions against that website as the victim. The impact is about the same as explained in 2, but the difference is that a legitimate URL to the target site is sent to the victim. To detect this risk, look for HTML tags such as <script> in the URL. Like the previous attacks, these attacks cannot infect the computer of the victim, but instead perform actions on the target site.
  4. The most serious risk discussed is vulnerabilities found in the victim’s web browser. These can allow an attacker to compromise the computer to install malicious software such as spy- or ransomware. The best way to protect oneself from vulnerabilities in the browser is to keep it up to date. Most modern browsers are good at fixing bugs as fast as they become known. There is still a small risk that an unknown (aka 0-day) bug is used. However, these bugs are often used in attacks against high profile targets by well-funded hackers.
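
The check described in item 3, as an added example that is not part of the original article: it looks for HTML tags in a link's path, query parameters and fragment, and goes one step further by undoing percent-encoding first, because a tag written as %3Cscript%3E is missed by a plain search for <script>. The function names and the shop.example URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Heuristic: a complete opening or closing tag such as <script>, </div>, <img src=x>
TAG_RE = re.compile(r"</?[a-zA-Z][^<>]*>")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double or triple encoding


def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_html_in_url(url):
    """Return (location, decoded value) pairs whose value contains an HTML tag."""
    parts = urlsplit(url)
    candidates = [("path", parts.path), ("fragment", parts.fragment)]
    # parse_qsl already decodes each value once; fully_decode handles the rest.
    candidates += [("query:" + key, val)
                   for key, val in parse_qsl(parts.query, keep_blank_values=True)]
    hits = []
    for location, raw in candidates:
        decoded = fully_decode(raw)
        if TAG_RE.search(decoded):
            hits.append((location, decoded))
    return hits


# Constructed sample links (not taken from the article).
SAMPLE_URLS = [
    "https://shop.example/search?q=shoes&page=2",
    "https://shop.example/search?q=%3Cscript%3Ex%3C%2Fscript%3E",
    "https://shop.example/search?q=%253Cscript%253E",
    "https://shop.example/#%3Cimg%20src%3Dx%3E",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", find_html_in_url(sample) or "no HTML tags found")
```

A hit is a reason to inspect the link before opening it; the pattern is a heuristic, so an empty result does not show that a link is harmless.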

In conclusion, there are still risks with clicking links, but they are not as severe for your computer as they once were. I would say that today it is more important to ensure that your software is updated, that you do not enter information on sites you do not trust, and that you use long and unique passwords for accounts. Lastly, if you notice any strange behaviour on an account on a website you use, change your password and notify the owner of the site.