Lab · Instrument 07

Phishing URL inspector

Almost every phishing attack turns on one thing: making a link look like it goes somewhere it doesn’t. Paste a URL and this pulls it apart to show where it truly points, and flags the specific tricks used to disguise it — no fetch, all in your browser.

How it works

The one thing that decides where a link goes is the registrable domain — roughly, the name plus its public suffix (example.com, example.co.uk). Everything else is decoration the domain’s owner controls: any subdomain (secure-paypal.evil.com), any path (evil.com/paypal.com/login), any brand name dropped in to reassure you. The inspector isolates the registrable domain and highlights it, because reading that — not the reassuring words around it — is the whole skill.

On top of that it checks the classic disguises: homoglyph and punycode lookalikes (a Cyrillic а standing in for a Latin a, or an xn-- internationalised domain); brand impersonation where a trusted name sits in the subdomain or path but the real domain is something else; typosquats a character or two away from a known brand (measured with edit distance); the userinfo “@” trick, where everything before an @ is ignored by the browser; raw-IP hosts, abused TLDs, URL shorteners, and urgency wording.

The honest limits: it reasons about the string only — it never requests the URL, so it can’t follow a shortener’s redirect or judge what the page actually does, and its registrable-domain logic uses a compact suffix list rather than the full Public Suffix List. It’s a fast structural gut-check, not a sandbox. The instinct it’s meant to build — find the real domain first — is the one that stops most phishing cold.
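The structural checks above, as an added example in JavaScript (not the lab's own code): it isolates the registrable domain with a small hand-picked suffix list standing in for the full Public Suffix List, then flags the userinfo "@" trick, punycode labels, raw-IP hosts, brand names outside the registrable domain, and near-miss typosquats by edit distance. The suffix list, the brand list and the sample URLs are constructed for illustration; parsing uses only the WHATWG URL class, so it runs in Node or a browser without fetching anything.

```javascript
// Added example, not the lab's own code. SUFFIXES is a constructed stand-in
// for the Public Suffix List; BRANDS is a constructed sample list.
const SUFFIXES = new Set(['com', 'net', 'org', 'io', 'co.uk', 'org.uk', 'com.au']);
const BRANDS = ['paypal', 'microsoft', 'google'];

// Registrable domain = the label in front of the longest public suffix we know.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let n = Math.min(labels.length - 1, 2); n >= 1; n--) {
    if (SUFFIXES.has(labels.slice(-n).join('.'))) return labels.slice(-(n + 1)).join('.');
  }
  return labels.slice(-2).join('.'); // unknown suffix: fall back to the last two labels
}

// Levenshtein edit distance, single-row dynamic programme.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

// Pull a URL apart: return the real domain plus the disguises found in the string.
function inspect(raw) {
  const u = new URL(raw); // throws on unparseable input; the parser strips userinfo from hostname
  const host = u.hostname;
  const findings = [];
  if (u.username || u.password) findings.push('userinfo: text before "@" is ignored by the browser');
  if (host.split('.').some(l => l.startsWith('xn--'))) findings.push('punycode (xn--) label');
  const isIp = host.startsWith('[') || /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
  if (isIp) findings.push('raw IP host');
  const domain = isIp ? host : registrableDomain(host);
  const name = domain.split('.')[0];
  // Everything the domain owner controls and can decorate: userinfo, subdomains, path.
  const decoration = `${u.username} ${host.slice(0, host.length - domain.length)} ${u.pathname}`.toLowerCase();
  for (const b of BRANDS) {
    if (name !== b && decoration.includes(b)) findings.push(`brand "${b}" outside the registrable domain`);
    const d = editDistance(name, b);
    if (d > 0 && d <= 2) findings.push(`typosquat: "${name}" is ${d} edit(s) from "${b}"`);
  }
  return { domain, findings };
}
```

Feed `inspect()` a URL and read `domain` first; `findings` is empty for a plain, well-formed brand URL and lists each disguise otherwise.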