I always say that a URL is a dangerous weapon in the hands of cyber crooks. It can be dressed up from the look of a fierce tiger into the look of a cute cat, meaning that they hide the malicious URL underneath and make the visible part look like a very innocent URL.
If you have been following my blog, I have written two series so far, one of them being the URL investigation and prevention series. I have found myself talking a lot about prevention, so now I would like to personally demonstrate how I analyze a fake email from Facebook that contains a malicious URL.
One fine day, I received an email claiming to be from Facebook, telling me that I have a warning message. Inside the email there are several links asking me to click on them to get rid of the warning. The email looks something like the one below.
Notice that there are 4 links in the email and all of them point to the very same page. What? You really think they link to a Facebook page? Whichever link you click, it will only lead you to “www[dot]welmas[dot]ae/derails[dot]html”. Kindly do not visit that page.
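To make the point above concrete, here is an added example (my own illustration, not code from the original post) that pulls every link out of an HTML email body, reports the distinct pages the links really point to, and flags each link whose actual host is not the claimed sender's domain. The email body and its target domain are constructed placeholders, not the real ones.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body modelled on the email described in the post:
# four links with different visible text, all pointing at the same page.
# The target domain is a made-up placeholder, not the one from the post.
SAMPLE_EMAIL_HTML = """
<p>You have 1 warning message. <a href="http://www.placeholder-bad.example/derails.html">View warning</a></p>
<p><a href="http://www.placeholder-bad.example/derails.html">www.facebook.com/warnings</a></p>
<p><a href="http://www.placeholder-bad.example/derails.html">Go to Facebook</a></p>
<p><a href="http://www.placeholder-bad.example/derails.html">Unsubscribe</a></p>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def defang(url):
    """Make a URL safe to paste into a report, in the [dot] style the post uses."""
    return url.replace("http://", "hxxp://").replace("https://", "hxxps://").replace(".", "[dot]")

def analyze_links(html_body, claimed_sender_domain):
    """Return the distinct (defanged) targets and every link whose host is not the sender's."""
    parser = LinkExtractor()
    parser.feed(html_body)
    targets, mismatched = set(), []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        targets.add(defang(href))
        # The host must be the claimed sender's domain or a subdomain of it.
        if host != claimed_sender_domain and not host.endswith("." + claimed_sender_domain):
            mismatched.append({"text": text, "host": defang(host)})
    return {"distinct_targets": sorted(targets), "mismatched": mismatched}

if __name__ == "__main__":
    print(analyze_links(SAMPLE_EMAIL_HTML, "facebook.com"))
```

Run against a real message, the same check tells you at a glance whether a link that displays as a Facebook address actually leaves for somewhere else entirely.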
In my series on how to investigate a URL, I explained that you can land on two types of pages. One is a phishing page, where the attacker steals your Facebook login username and password. The other is a malicious page that hosts malware such as a virus, Trojan or worm. The question is, which type of page is this one?
I have to say that I love VirusTotal a lot. The site helps me judge whether a URL or file is malicious or not. So I submitted the URL to it for a scan, and below is the scan result.
Two top antivirus engines detected that the URL leads to a malicious site. The others reported it as a clean site, while one was unable to rate it. This is not the end of VirusTotal's work: the next thing it does is automatically fetch the HTML file and drop it into 43 antivirus engines for a scan. Below is the result.
You can see now that a total of 11 out of 43 antivirus engines detected that the HTML file contains malware. Those top engines include BitDefender, Comodo, Kaspersky, NOD32 and TrendMicro. I'm sure that with these big brands telling you it is malware, it is pretty convincing. With the analysis from VirusTotal, I can now tell that this site is a malicious site.
It is very important that we do not click any URL in a rush. All URLs, especially those arriving by email and IM, need to be properly analyzed whether they claim to come from Facebook, Twitter or LinkedIn. I have already written a guide on how to deal with URLs in my series and showed a real-life example of how to handle one. Do revisit that series and join my Facebook page so I can update you on the latest threats around.