Check Suspicious Links for Legitimacy – Observation, Tools

Why Check Suspicious Links

You receive links or URLs and are not sure whether they are legitimate; this guide on how to check suspicious links will help. The link can be anything from one sent to you by email to an interesting service or campaign you came across that might be of value to you.

Basic Observation

1. When you navigate to the site or link and receive a message such as “this link / site has potentially harmful content”, this is the first sign not to continue. Usually the message comes from the browser itself, for example the red warning screen from Microsoft SmartScreen or Google Chrome Safe Browsing. If you have an antivirus, the message may come from it instead.

2. Check in the browser whether the site has a certificate. In most browsers you will see a lock icon to the left of the address bar. If it is locked, the site presents a certificate, and you can click the lock for more details. If the lock is open or has a red cross over it, the certificate is probably expired or missing. Keep in mind that a valid certificate only means the connection is encrypted, not that the site is trustworthy.

3. Note the domain and subdomain of the URL. Usually they make sense and are not very long. If you see something like:

some-organization-name-payment-service-validation.sometotallyunrelateddomain.com

this is suspicious. If the main domain, in this case “sometotallyunrelateddomain.com”, is unrelated in any way to the subdomain, the domain has probably been hacked and the attacker has built this unconvincing subdomain on it.

4. Check the site or link for a broken template, missing images, poorly written content, grammar mistakes and site errors. None of these on its own is a sure indication of a scam, but each one adds to the picture.

5. Search Google for the company name, the site name and any unique content from the page. If the campaign or site is not new, you will see other users reacting to it on different platforms. If the site is malicious, you will definitely see it mentioned on security sites.

6. Do not trust the feedback on the site itself, even when it is on YouTube. I saw a link to a YouTube video that advertised a scam site; there were hundreds of different comments, some positive, some neutral, but none negative. There were even copy/paste duplicates.

7. Check the payment methods. Can you pay with PayPal or a credit card? Are there strange transaction methods? Are you paying in your local currency, or in a currency that is legitimate for that region?

Note: none of the above signs is necessarily malicious on its own, but several of them together raise the likelihood.

Online Tools Can Help

Check the WHOIS of the site:
1. Navigate to DomainTools WHOIS Records.
2. Check the dates of the domain: how old is it, and when was it registered? If it has existed for only a couple of days, it is most likely malicious.
3. Check who the registrant is; there may be details that tell you whether it is malicious.
4. Go over all the WHOIS details for suspicious entries.
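The domain/subdomain observation from the first section and the domain-age check from the WHOIS steps can be turned into a small triage script. This is an added example, not code from the guide; the "main domain equals the last two labels" split, the 30-character and 3-hyphen thresholds, the 14-day age threshold and the lure-word list are all assumptions chosen for illustration.

```python
from datetime import date
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed for illustration: words that lure subdomains borrow from the
# service they imitate (the guide's own example uses "payment" and "validation").
LURE_WORDS = ("payment", "validation", "verify", "login", "secure", "account", "service")


def split_host(url: str) -> Tuple[str, str]:
    """Return (subdomain, main_domain) for the URL's hostname.

    Assumption: the main (registered) domain is the last two labels. Without a
    public-suffix list this is wrong for names such as example.co.uk.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "", host
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def triage_url(url: str, registered_on: Optional[str] = None,
               today: Optional[str] = None, young_days: int = 14) -> List[str]:
    """Return the warning signs from the guide that apply to this URL.

    registered_on is the WHOIS creation date you looked up by hand, as an ISO
    date string; young_days (assumed threshold) is how recent a registration
    counts as suspicious. today can be fixed for reproducible results.
    """
    signs: List[str] = []
    sub, main = split_host(url)
    if urlsplit(url).scheme != "https":
        signs.append("no https, so no certificate to inspect")
    if len(sub) > 30:
        signs.append(f"very long subdomain ({len(sub)} chars)")
    if sub.count("-") >= 3:
        signs.append("subdomain stitched together from many hyphenated words")
    lures = [w for w in LURE_WORDS if w in sub]
    if lures:
        signs.append("lure words in subdomain: " + ", ".join(lures))
    if registered_on is not None:
        now = date.fromisoformat(today) if today else date.today()
        age = (now - date.fromisoformat(registered_on)).days
        if age < young_days:
            signs.append(f"domain registered only {age} days ago")
    return signs


if __name__ == "__main__":
    url = "https://some-organization-name-payment-service-validation.sometotallyunrelateddomain.com/"
    for s in triage_url(url, registered_on="2024-01-01", today="2024-01-04"):
        print("-", s)
```

The script only scores the observable structure of the URL and the WHOIS date you feed it; it does not fetch the page or query any service.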

Check suspicious links for phishing:
1. Navigate to CheckPhish by Bolster.
2. Paste your URL and click [Scan].
3. Check the results.

Check suspicious links with VirusTotal:
1. Navigate to VirusTotal Search.
2. Try the [URL] and [SEARCH] options.
[URL] gives you a reputation check of the URL against several antivirus and reputation services. In addition, you will find the final resolving URL if there is a redirect, as well as headers, trackers, cookies, etc.
[SEARCH] gives you details about the domain rather than the specific URL. If you get no results, paste the domain name only. Here you will find the domain's DNS records, HTTPS certificate info, WHOIS and some Google results. Check the [RELATIONS] tab for the domain's relations to other sites and domains.
*** VirusTotal has many features that you will have to explore to learn what you can find and where. Pivoting through the available data can help you a lot.

Central Ops Domain Dossier – This tool shows comprehensive domain or IP information (provider, WHOIS, DNS records, etc.). The site also offers several other online network tools.

Sucuri SiteCheck – Checks the page for malicious components and checks it against known reputation services.

Cisco Talos Intelligence – Reputation Check for IPs, domains, etc. from Cisco.

IPVoid IP Blacklist Check – As the name suggests, shows IP reputation against around a hundred services, plus ASN owner, reverse DNS, geolocation and more.
IPVoid DNS Reputation Check – Reputation check for domains against several reputation services. No “http” prefix is needed, since the domain itself is checked.
IPVoid has many other helpful online network tools you can check.

Abuse IP DB Reputation Service – Another reputation service for IPs and domains.
