How to check if a link is safe!
Sridhar Parthasarathy
Cyber Security; Privacy Lead Auditor; vCISO; AWS Community Builder in Security & Identity
I am proud of myself that I have educated at least one person regarding cyber risks: when my mother-in-law saw a Covid-19 related WhatsApp post asking her to click a site, she called me and asked if it is ok to click that link!
Seeing as how you probably do not have your friendly neighbourhood cybersecurity expert on speed dial, let us see how you can check a link to see if it is safe enough to click. You might still get infected but at least you did your due diligence.
I should not have to say this, but … it makes no sense to click that link to “see what happens”. Read this link to understand all the bad things that can happen if you do!
What to do & Why
There is a smell test that uses common sense to validate a link or a URL; and then, if the URL passes that, there is the technical method. If the link does not pass the smell test there is absolutely no benefit to clicking on it.
1. Extracting the underlying URL
The most common vector for introducing malware into a computer is by getting people to click on a link. And that link can be delivered to the target in multiple ways: Email, Spam, direct messaging like WhatsApp, etc. (Earlier, the preferred vector used to be attachments.)
All these links will eventually lead you to a PHP landing page and bad things will happen to you once you get there. Your task, then, is to figure out if a link is malicious or not, before you click on it.
The steps you could follow are given below.
1. Copy the shortened URL in the mail or message by right-clicking the link or hovering over it on a phone. (Do not click it.)
2. Go to https://www.expandurl.net/ and see what that URL expands into.
3. Typically, it will show you the expanded URL (with a .com or .co.in type of top-level domain (TLD) at the end). It will also give a quick opinion on the safety of that URL.
Now you have the expanded URL. It is time to do the smell test.
2. The Smell Test
The smell test is more correctly called a visual test. Here, you examine the URL to spot any obvious clues to it being bad. Again, the going-in position is that any URL is suspect unless proved otherwise!
1. If the source is email that is from someone in your organization, pause a bit and think if you expected to receive that kind of email at that time from that person. If not, treat the link as suspicious.
2. First, does the expanded URL look like something you were expecting to see? For example, if you clicked a link that purports to be about “COVID-19 Vaccine” and the URL expands to “hxxps://recoverrryasitalycovid-19.xyz/over”, then it is probably suspect. You should not click on it.
3. On the other hand, let us say that you are in Italy and you are indeed looking for COVID-19 information, that URL might pass muster at first glance. However, look at it closer: “recovery” in the URL has a couple of extra ‘r’s.
A look-alike URL is an extremely common way to entice innocents into clicking a URL. In the same vein, perpetrators use a lower case “L” instead of “I” in a name or a zero instead of an O.
If you spot a look-alike URL, then, obviously, that site is probably up to no good.
4. Another common way to fool the target is to use a plausible TLD instead of the original TLD, like using “xxx.in” instead of “xxx.io”. Look out for that too.
5. Copy the URL and go to https://www.whois.com/whois/. That will tell you who has registered that specific domain and when. That should also give you an indication if it looks like a genuine site. It is highly unlikely that a URL from Citibank will be registered to Relic.com three months ago.
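The visual checks above (extra letters, L/I and zero/O swaps, a swapped TLD), together with the https check from the Tech Test, can be automated. The sketch below is an added example, not part of the original article; the `EXPECTED` list, the function names and the finding labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed list of domains the reader expects to deal with (assumption).
EXPECTED = ("examplebank.com", "example.io")

# Fold characters commonly swapped in look-alike names: zero/O and one/L/I.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "i": "l"})

def skeleton(name):
    """Fold confusable characters, then collapse runs of a repeated letter."""
    folded = name.lower().translate(CONFUSABLE)
    return "".join(c for i, c in enumerate(folded) if i == 0 or folded[i - 1] != c)

def smell_test(url, expected=EXPECTED):
    """Return a list of findings; an empty list means nothing was flagged."""
    url = url.strip()
    # Accept defanged input (hxxp/hxxps) so the link never has to be clicked.
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    labels = (parts.hostname or "").split(".")
    # Simplification: treat the last two labels as the registered domain.
    # Suffixes such as .co.in need the Public Suffix List to split correctly.
    name, tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (labels[0], "")
    if f"{name}.{tld}" in expected:
        return findings
    matched = False
    for good in expected:
        good_name, _good_tld = good.rsplit(".", 1)
        if name == good_name:                        # same name, different TLD
            findings.append(f"tld-swap:{good}")
            matched = True
        elif skeleton(name) == skeleton(good_name):  # name differs only by confusables
            findings.append(f"look-alike:{good}")
            matched = True
    if not matched:
        findings.append("unexpected-domain")         # suspect unless proved otherwise
    return findings

if __name__ == "__main__":
    # Constructed sample URLs, plus the defanged example quoted in the article.
    for sample in ("https://examplebank.com/login", "https://examp1ebank.com/login",
                   "http://example.in/pay", "hxxps://recoverrryasitalycovid-19.xyz/over"):
        print(sample, "->", smell_test(sample) or "nothing flagged")
```

An empty result only means none of these checks fired; the whois lookup and the reputation services still apply.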
3. The Tech Test
If the link passes the smell test and you are still not sure if it is benign, you need to roll up your sleeves and use a series of link checkers.
(Please understand that you are in uncharted territory here. The URL checkers below are by no means exhaustive or comprehensive. They cannot be.)
1. Check that the URL resolved has an “https://” in the beginning. Most browsers will warn you of this.
2. Ensure you have a good anti-virus installed on your device. And ensure that it is updated regularly.
3. Check the URL on the Google Transparency Report: https://transparencyreport.google.com/safe-browsing/search. Typically, bad URLs are flagged here.
4. Use a URL checker service to investigate the URL itself. A few good sites for reputation checks are listed below.
a. Virus Total
b. URLVoid / APIVoid / IPVoid
c. ScanURL
e. PSAFE etc.
It is important to check multiple services to get a good picture.
Let us say you do all that and the URL passes. You really want to click on that link: you have to know why you alone did not get the promised COVID aid from the government!
The best (and first) recourse in that case is to use a different channel (a voice call if the link came by email; email if the link came through WhatsApp, etc.) and contact the sender to find out if (a) they did indeed send the link and (b) the contents of the link are of interest to you.
Take a deep breath and then click on that URL if you must.
4. The Taste Test
After you actually click on that link and you land on the page that it sends you to, you still need to be alert.
(Edit: One reader, Mr. Chella Pallaniappan, had a suggestion to use a sandbox to do this. This is an excellent idea; it makes excellent sense to use a sandbox to test out a link.
Sandbox Links
- Windows Sandbox
- Apple Sandbox for macOS.
- Creating an Ubuntu sandbox is a bit more involved but the average Ubuntu user should be comfortable with it.
- On Android devices too, there are ways to create sandboxes. I have not used these.
- I understand creating a sandbox on iOS for iPhone is a bit more tricky. Apple claims all applications are installed in a temporary sandbox.)
1. You should watch out that you are not being redirected to a site other than the one you think you are going to.
Conversely, you should also validate that you are indeed on the site that you think you are on. Some financial sites have some means of identifying this but it is quite difficult for other kinds of sites.
2. Be careful and suspicious of any site that asks for too many credentials or asks for information that should already be available with it.
3. If you are doing money transactions of any kind, whether you think you are sending or receiving money, it is best not to use links that came on a channel. It is undoubtedly convenient to use a payment link but it is better to get to the payment link from a known good site.
If you do all that and if you still do get infected, the article linked in the beginning of this post also has some tips on what you should do.
Good luck!
Founding Director and Chief Business Officer of Lukayans | Showrunner at Cay Symphony Studio
3 years ago: Quite informative
ERP Enterprise Architect and Business Advisor
4 years ago: Nice article...?
Building AI Careers/Practices. Leverage 30+ years of global tech leadership. Get tailored AI practices, career counseling, and a strategic roadmap. Subscribe Newsletter.
4 years ago: Very useful. Thanks.
President - Client Services at Trigent Software
4 years ago: On Windows 10, I use Windows Sandbox to test / inspect potentially harmful links and sites.
Entrepreneur | Thought Leader | National Cybersecurity Scholar | Chief Vision Officer at SkillsDA
4 years ago: Good one Sridhar..