[Sephr]

Clicking on a 'phishing' link can't hurt, and it's not like this person's website is ever going to be presented to you in a sensitive context (e.g. "download/install software from this site"). You should trust that your browser is secure enough to render random webpages.

Excuse the self-promotion, but I take it that you're also too wary to click on this link to read my blog: https://dangerous.link/virus.exe

[nkrisc]

Any URL on the web could host a browser exploit that requires no interaction beyond visiting, but if I had to guess which one were most likely to, I'd put phishing links up there.

> You should trust that your browser is secure enough to render random webpages.

I honestly don't. Is dangerous.link/virus.exe any more dangerous than nytimes.com? Probably not. However if some 0-day, no interaction browser exploit does exist, it's easier to put the exploit on the some lookalike phishing domain rather than additionally exploit some mainstream site.

Of course I can't possibly know what URLs are "safe" to click on and which ones aren't, but I'm going to guess that URLs that look like they're intended for a phishing campaign are less likely to be safe than any other.

If your blog is go0gle-com.net, and someone emails or messages it to me, I'm not clicking on it and deleting the message.

Most often what happens is I click some sketchy looking link on my phone and it attempts to hijack the browser with popups and history modifications and whatever other shit they do to let me know my Android iPhone is infected and must be cleaned immediately.

[macrolime]

>However if some 0-day, no interaction browser exploit does exist, it's easier to put the exploit on the some lookalike phishing domain rather than additionally exploit some mainstream site.

If you read through stuff like the security updates for new iOS version it becomes clear that this does exist at all times. Usually most of them are likely not even not found by attackers before they're fixed, but you can never be sure. Every browser has innumerable undiscovered vulnerabilities that at any time could be discovered and exploited by an attacker. Discovering this is hard and they don't show up all that often, but you never know, even some random ad could pwn you.

[nkrisc]

Exactly, which is why I don’t assume my browser is secure. I could get pwned by an ad on a trustworthy site, but there’s not much I can do about that so I take that risk. Visiting sketchy URLs is a risk I can choose not to take.

[waboremo]

Your link is actually a great example. It's readable, you know what each part of the link is for (unless you're tech illiterate in which case just the readable quality is enough). And so by clicking it, I know I'll probably head to some page called Dangerous to see virus.exe.

Contrast that to a link like "password-man-comp.tool.win". Which at first glance can be confusing to most where the TLD is and where the subdomain is. Or like the above person's tool. Either go with something readable, even if long, or go with something short and clever. Combining both winds up looking suspicious to most people.

Which I guess is the funny part, the ones most harmed by a badly named website/link are genuine people wanting to provide a service to others, whereas malicious actors will likely use more effective (and less easily blocked) means of phishing.