Making Dangerous Links a Little Less Dangerous: A Quick Word on Defang-ing
Ever received an email, a chat message, or stumbled upon a link online that just made your internal alarm bells go off? You know, that link that looks a bit... off. Maybe there's a typo in the domain name, or it seems to lead to a place you definitely didn't intend to visit. Before you even think about clicking, copying, or sharing it – especially if you want to warn someone else or get a second opinion – there's a simple little trick we in the security biz use daily: defanging.
Sounds like something a snake handler might do, but it's actually a dead-simple technique to make potentially malicious URLs, IP addresses, or even email addresses a little less... bitey.
So, What's the Deal with Defang-ing?
In short, defanging is about modifying a text string, usually a URL, so it's no longer an active, clickable link. You're disarming it, so to speak. This is done so you can share and discuss potentially harmful strings without anyone accidentally clicking them and ending up in hot water. You wouldn't want your well-intentioned warning to lead to your colleague getting malware on their machine. A bit counterproductive, one might say.
Here are a few common examples of what it looks like:
• A normal, clickable link: http://www.shady-site.com/phishing-attempt
• The same link, "defanged": hxxp://www[.]shady-site[.]com/phishing-attempt
See the difference? http has become hxxp, and the periods . have been replaced with [.].
You can do the same with IP addresses:
• An IP address: 192.168.1.100
• Defanged IP address: 192[.]168[.]1[.]100
Or email addresses:
• An email address: scammer@example.com
• Defanged email address: scammer[at]example[dot]com
Why Should You Bother?
Primarily for security reasons, of course.
1. Reduces the risk of accidental clicks: This is the most obvious one. If the link isn't clickable, no one can click it by mistake. It happens to the best of us, trust me. Especially when you're juggling a hundred other things and maybe just quickly skimming a message.
2. Safe sharing of information: Those of us who work in security (and anyone else who's observant) often need to share suspicious links and IP addresses (so-called Indicators of Compromise, or IOCs) for analysis or warning. By "defanging" them, we can do so without spreading the threat itself.
3. Prevents automatic processing: Some programs and systems might automatically try to "visit" or look up links that are pasted in. Defanging helps prevent this from happening unintentionally.
It's a bit like handling a suspicious package with gloves, a simple precaution that can save a lot of headaches. I've probably encountered my fair share of dodgy links over the years (and yes, maybe scraped a bit more data than I should have sometimes in the pursuit of knowledge), and defanging is one of those small, almost trivial habits that actually makes a big difference.
How Do You Do It?
The beauty of it is that it's not rocket science. You've already seen the most common methods:
• Replace http:// with hxxp:// (or hXXp://)
• Replace https:// with hxxps:// (or hXXps://)
• Replace ftp:// with fxp://
• Replace periods . in domain names and IP addresses with [.] (e.g., example[.]com)
• For email addresses, replace @ with [at] and . with [dot] (e.g., user[at]domain[dot]com)
There are plenty of small tools and scripts online that can do this automatically if you're handling large volumes, but for individual links, it's lightning fast to do manually. The main thing is that the principle sticks.
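As an added example (not code from this post or from any particular tool), here is one way to script the substitutions listed above so they can be applied to a whole message at once. The function names, regular expressions and sample text are assumptions made for illustration; only the host part of a URL is rewritten, and bare domain names without a scheme are left alone.

```python
import re

# Scheme rewrites exactly as listed in the article.
SCHEMES = {"http": "hxxp", "https": "hxxps", "ftp": "fxp"}

# Scheme plus host only: port, path and query are left untouched, and a
# sentence-ending period after the host is not swallowed.
URL_RE = re.compile(r"\b(https?|ftp)://([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)", re.I)
EMAIL_RE = re.compile(r"\b([A-Za-z0-9._%+-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _url(m):
    # http -> hxxp (etc.), dots in the host -> [.]
    return f"{SCHEMES[m.group(1).lower()]}://{m.group(2).replace('.', '[.]')}"


def _email(m):
    # @ -> [at], every dot in the address -> [dot]
    return f"{m.group(1)}[at]{m.group(2)}".replace(".", "[dot]")


def defang(text):
    """Defang URLs, e-mail addresses and bare IPv4 addresses in free text.

    URLs go first so that an IP used as a URL host is already bracketed
    before the bare-IP pass runs. Already-defanged text matches none of
    the patterns, so running the function twice changes nothing.
    """
    text = URL_RE.sub(_url, text)
    text = EMAIL_RE.sub(_email, text)
    return IPV4_RE.sub(lambda m: m.group(0).replace(".", "[.]"), text)


# Constructed sample message, reusing the article's example values.
SAMPLE = (
    "Reported phish: https://login.shady-site.com:8443/reset.php?u=1 "
    "sent from scammer@example.com, resolves to 192.168.1.100."
)

if __name__ == "__main__":
    print(defang(SAMPLE))
```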
In Conclusion
Defanging might not be the most glamorous part of cybersecurity, but it's a prime example of how small, conscious actions can strengthen our digital hygiene and security. It's about building security that works in everyday life, without the fuss. And who knows, the next time you see a suspicious link, maybe you'll think, "Ah, I should probably defang that before I send it on!"
It's a small trick, but it demonstrates an awareness and a security mindset that's worth its weight in gold. And that, my friends, is always a good start.