We all receive emails with URL links in them. It has become increasingly impossible to tell if a URL link is malicious or not. I will introduce some tools and techniques to make sure you understand how to test URL links for yourself. I will be using three different tools, VirusTotal, Any.Run, and URLScan.io.
WARNING: When checking any URL, file, or file hash on these tools, know that it will be made public. Make sure there is no Personally Identifiable Information (PII) that you don’t want made public. It can be taken off the website, but it is a lengthy process.
There is one more note to make. That even if something doesn’t show alerts, doesn’t mean it is not malicious. It could still be malicious even if there is no alerts, this is why you have to compare results between different tools. Be vigilant, and suspicious of everything when dealing with cybersecurity incidents surrounding URLs.
The first tool I would like to introduce you too, is VirusTotal. It is the most used websites by cybersecurity responders and vendors. When you get to the main website (https://www.virustotal.com/) you can see a few different options.
You can test files, URL links or file hashes to compare against a database. You get additional features when you sign up to use a VirusTotal account. With an account you can automate some processes using their API.
This will be your bread and butter when checking URL links, files, and file hashes. Let’s go ahead and test a website URL.
First when we submit the link you will notice how many Antiviruses and EDR solutions rate the website. The information is pulled from those vendors and compares them to each other to give you a clear view of what you are looking at.
Next, check the Details, Links, and Community tabs. Those give you so much useful information on what it is. Specifically, the Community section. There are sometime really helpful notes and comments from the community at large.
Next tool you will want to use is Any.Run. https://any.run/ is a sandboxing tool that is used by many infosec/cybersecurity professionals and continues to be imperative to helping responders on the frontlines. It will not only allow you to open a webpage, but interact with it through the sandbox environment. It will also show you what the webpage is doing, and what it downloads, or redirects to.
Some website will try to steal credentials, in this case you can clearly see it is going to a fake Microsoft login page, to try and write information to a local, or external source. This is how credential harvesting happens, and how organizations get hacked. These are important to recognize because if someone clicks on these, they don’t appear harmful. It is only when someone inputs their credentials that it becomes a huge problem. The rule I follow is, “If the click a link, they will get their password reset.”
Notice at the bottom of the image, they show Requests, connections, DNS requests and threats. These will indicate if there is an issue with the file, or webpage that is trying to be accessed.
Finally, we will take a look at URLScan.io. https://urlscan.io/ is a website that provides a different type of sandboxing.
With this, you simply input the URL and see if it is malicious from the activity. The website can mention how malicious it is, but not always… An example is credential stealing. Lets take a look at the first website.
Just at the first glance, we can tell from the statement “Malicious Activity!” that it is a malicious website. Looking at the screenshot we can verify that it is a fake netflix account trying to steal credentials.
However this second website is not deemed as malicious, but is doing the something suspicious. It is asking the user to sign in with a work or school account for Microsoft. It seems extremely suspicious, but not confirmed malicious.
These websites can still be malicious, it’s just not widely known, so you still have to do your due diligence and look to the other sources (Any.Run, and VirusTotal) for more information on those websites.