How to Check a Sketchy Link Without Clicking It

This article and all the articles I write show up on my blog first. Head over there for more Cybersecurity thoughts, tips and write-ups: https://spenceralessi.com

Let’s say you’re working through your dozens of emails, responding to clients or customers or business partners and you come across this one email from your bank informing you that you need to reset your password. This email comes completely out of the blue and to top it off you don’t recognize the senders email address. Do you click it?

Maybe…maybe not.

Did you know that you can investigate if that link is sketchy or not without clicking on it?

How to sniff out a sketchy link

When it comes to hyperlinks, sometime’s it’s really obvious it’s sketchy, but other times, in the case of look-a-like domains, it can actually be a bit tricky.

Here are a few things that make a link sketchy, when visibly looking at it.

Links that end in uncommon top level domains (TLD). Because the cost to purchase domains within these TLDs are pretty inexpensive, they are very frequently used for spamming and malicious activity. Aside from abc.xyz which is a web site owned by Google’s parent Alphabet I don’t know of any legit domains with these TLDs.

• Commonly used for spamming/nefarious activity: .xyz, .buzz, .live, .fit, .tk

Links that are knock-offs (known as look-a-like domains) of major brands. These are popular because the domain closely resembles that of real brands domains. Depending on how the URL looks in your browser and if you’re on a mobile device or on your computer, you may or may not be able to spot these very easily.

• Examples: netflix-mail[.]com, t-mogbile[.]com, googlre[.]com, secure-paypal.com.fraud.hmmmm[.]com

Note, these domains may or may not be valid at the time of you reading this

Links that contain random numbers and/or letters. These are pretty obvious. Not all are malicious, however, anytime I see a url like this I immediately get suspicious. It’s not a trustworthy link in my opinion and should be investigated further.

• Example: eqbqcguiwcymao[.]info

Checking a link without clicking

There is definitely no shortage of URL and website scanners out there. I’ve tried dozens of them. None of them seem as good to me as URLscan. It’s fast, extremely detailed, provides a live screenshot and it allows you to link out to other scans to check them as well.

URLScan - https://urlscan.io

My go-to move with any sketchy links is to pop them into URLScan and see what comes up. To do that, just head on over to https://urlscan.io. Then just simply copy and paste the link you want to scan into the scan field. Once there you can also click Options and make your scan Private, which sometimes is nice to do, since Public scans will show up on the front page and in searches.

Now that you have your link pasted in, click Scan! Once URLScan is finished checking our your link, doing it’s analysis and fingerprinting it will bring you to a results page that looks something like this.

Note, this is an example results page of a known malicious site.

1. Live Screenshot. This allows you to visibly see if there might be anything weird going on with the site. This is good for sniffing out things like misspelled words on login pages.

1. Google Safe Browsing rating. This is a nice quick view of if the website is safe or potentially nefarious.

1. Lookup the URL with other scanners. The lookup tab allows you to pick any of a number of other website scanners. This can help you glean additional information about the site you’re scanning in case you’re still not sure about it.

Caution when Clicking

It’s a bit cliche by now but, think before you click! It only takes a few minutes to pause, copy and paste the link into URLScan and check it out first before clicking.

If you’re at work and have an IT Department or Security Team, send it over to them and ask them to investigate it for you. It’s better to wait 10 minutes to get a link checked out than spend 10 weeks recovering from a security incident.

Additional Information

I did some googling on this topic and found some good articles related to suspcious and or malicious domains. The articles below go into much more detail on TLDs and their use for malicious or spammy activity. If you’re into the technical nitty gritty these would be great reads.

• Newly Registered Domains: Malicious Abuse by Bad Actors
• Most Suspicious TLDs Revealed by Blue Coat Systems
• Exploring .XYZ (Another Shady TLD Report)
• Why is there’s so much spam coming from .xyz and other new top-level domains?

IF YOU GOT VALUE PLEASE SHARE! :O)

 Twitter  Facebook  LinkedIn