30

Over the last few weeks, I've gotten several spam emails from different friends that only contained links to different websites.

I would like to click on those links and see what's on the website. My reasons are curiosity, the ability to understand how dangerous the website might be, and to differentiate between a product-spam email ("Buy product XYZ!") and a website that tries to do something dangerous to a computer.

I do not intend to use a production system, a system with my personal data on it, or something I am not willing to lose in the process; I am really just curious.

So what measures would I need to take in order to safely1 click on those links?

My ideas so far are:

Footnotes:

  1. I am almost certain that there is no way to really safely click those links, so maybe this should be called "minimize the risk when you..."
  2. I am aware that disabling stuff might not give me a complete and real picture of the website, since I might not experience the intended effect and think "It's safe."
jwodder
  • 166
  • 1
  • 6
hamena314
  • 2,037
  • 1
  • 17
  • 23
  • 6
    One of my favorites is to copy the url into VirusTotal's web scanner. This is a Google service found at https://www.virustotal.com/. This helps you to figure out what you are dealing with. Note that a clean reading does not mean that the site is clean. – AstroDan Mar 17 '16 at 14:09
  • 1
    I like your ideas so far, and expanded on different things if you want to see how deep the rabbit hole goes. – Mark Buffalo Mar 17 '16 at 14:37
  • 3
    If you're doing it simply for the sake of being able to study the potentially dangerous site, why not just paste the URL after a view-source: on chrome, save the html, disconnect the device from your network, and view it as a local html file? – WorseDoughnut Mar 17 '16 at 15:19
  • @WorseDoughnut: Mark Buffalo suggest this approach in his answer and adds an important part about the use of a VPN. Also the view-source: works on Firefox too, so it's not browser dependend. But still, a good starting point I guess. – hamena314 Mar 17 '16 at 15:23
  • 1
    @WorseDoughnut: Also is there a possibility of a self-contained virus in HTML, that does not need to load something from the internet, but still can do damage? – hamena314 Mar 17 '16 at 15:28
  • @hamena314 I'm not entirely sure if HTML has that capability locally. I can't imagine it being able to do much damage if it can't access its style-sheet or files from it's host though. – WorseDoughnut Mar 17 '16 at 16:31
  • 1
    Use curl? https://curl.haxx.se/ – Petah Mar 18 '16 at 00:03
  • Does this TB addon do what you are looking for? https://addons.mozilla.org/en-US/thunderbird/addon/secondopinion/, you can find it on Github too https://github.com/thsmi/SecondOpinion – pureooze Mar 18 '16 at 02:42
  • I always use http://unfurlr.com/ – Chloe Mar 18 '16 at 05:21
  • 2
    @WorseDoughnut JavaScript can be embedded in HTML with the <script> tag, so that's a bad idea. I'm surprised no one has suggested using curl and viewing in your favorite editor, similar to view-source. – Brian McCutchon Mar 18 '16 at 05:46
  • To help you get an appropriate answer, are you at ease reading E-mail source? Which software do you use to manage your E-mail? Are you at ease reading HTML and detecting things like: https://www.m¡crosoft.com? – dan Mar 18 '16 at 10:18
  • @danielAzuelos: I'm using Thunderbird and have HTML deactivated. I see all emails as plain text. The attack with different symbols might still be valid tough, as I cant distinguish Il1|...(capital I, small l, one [in some fonts / programs the one only has 1 stroke] and a pipe) visually with 100% certainty. EDIT: Fun fact - the font of the security.stackexchange editor and the markup seem to use different fonts, since the capital i in the editor only has 1 stroke and no serifs) – hamena314 Mar 18 '16 at 10:53
  • So you are already pretty well armed against the bad and the evil :). I don't have a magic trick to sell you, you have to be vigilant, read as carefully as you can any URL first component for evident fake, hacked or typosquatted servers. To limit impact of typosquatting, use a choosen and enforced font with serifs (so as to avoid Arial, Helvetica which are the favourite ones of criminal hunting on this mines field). – dan Mar 18 '16 at 15:59
  • @Petah My first thought is to use curl in order to get an idea what would come back. I suppose though that you'd have to know exactly what headers would come over on the request in order to be sure you are getting what the browser would. I suppose there is also the chance someone has a curl-targeted exploit. This is probably unlikely aside from a spear-phishing attack on someone known to check suspicious urls with curl. – JimmyJames Mar 18 '16 at 16:39
  • My favorite tool is http://urlquery.net - it can even detect bad things, and gives you a nice overview og loaded content + screenshot. – Dog eat cat world Mar 18 '16 at 19:36

6 Answers6

33

VPN Virtual Machine View-Source for those who know Javascript

[Tinfoil Hat (Mythic Warforged)] here.

If you are handy with Javascript and the like, I've always appreciated view-source:http://www.webaddress.com/ from the URL bar. For added tinfoil, do it behind a VPN, and a Virtual Machine.

The VPN is necessary just in case the attacker expects you to visit personally from your actual IP address. Your access attempt will show up in the visitor logs, but if they just get a random VPN, then Ho Ho Howned.

And the Virtual Machine is, of course, there to prevent strange attacks against the view-source page, which may or may not exist. Will not help against VM-escaping thingmabobs. Alternatively, you can programmatically open a socket connection (be wary of vulnerabilities in your chosen language) while behind a VPN, and use GET /page.html HTTP/1.0 to grab the HTML page, and then do the same for accompanying Javascript.

Look for funny things like zzz.saveToFile(), which usually indicate a drive-by download attempt. Same with intentionally obfuscated Javascript; it should not be trusted. Keep in mind that Minification and obfuscation are two different things.

Developer Console Watching (F12)

If you are handy with web development, and you want to see exactly what kind of odd funkiness is going on without having to completely follow the script line-by-line, then you can monitor changes as they happen with the developer console. This allows you to load the results of off-site/off-page Javascript that is generated dynamically.

Temporary Folder Watching

This is assuming you're behind a virtual machine. Obviously, you would not want to try this on your main machine.

Don't forget your temporary folder, which is usually %TEMP%. With drive-by downloads, they usually start saving executables to %TEMP%. You can see if such a thing occurs when you visit a page. They can be saved as .tmp files, which are later renamed to .exe. This is usually discovered by a function that looks like x.saveToFile()

Reset your Virtual Machine when you're done

Don't forget to reset your VM's state/snapshoot afterwards. You don't want to be infected long-term.

Community
  • 1
Mark Buffalo
  • 22,608
  • 8
  • 75
  • 91
  • 3
    Make sure to send different browser identifiers with your HTTP requests and analyze the differences to see if only specific browser instances may be targeted, though. – Tobi Nary Mar 17 '16 at 14:26
  • @SmokeDispenser Good catch. – Mark Buffalo Mar 17 '16 at 14:33
  • How strong do I have to consider VM-escaping? Because I've read a bit about this and found that some cases exist, but are very rare. – hamena314 Mar 17 '16 at 15:16
  • Oh and is view-source: "safe"? I would think that the sourcecode simply does not get parsed and therefore nothing bad should happen? – hamena314 Mar 17 '16 at 15:25
  • 1
    VPN escaping is rare, but it depends on how valuable a target you are. If you're a valuable target, spending $80k on a Virtual Machine escape exploit will be no problem. Now if there's a zero day in the wild, and some random person discovers it, and they want to try it against you, there's little stopping them from trying. Succeeding is a different story altogether. It all depends on the platform(s), how valuable you are as a target, and various other reasons. – Mark Buffalo Mar 17 '16 at 15:30
  • 3
    Regarding view-source: it is generally safe, but with arbitrary input, you can never be too sure. Often times, weird, obscure and novel things can happen to seemingly everyday programs. This is just a tinfoil measure. – Mark Buffalo Mar 17 '16 at 15:32
  • 1
    @Downvoter Did I say something incorrect? Feel free to comment if I missed something. – Mark Buffalo Mar 17 '16 at 17:31
  • 4
    AFAIK, WebRTC methods to identify you (STUN attacks, etc) don't show in the console, so ensure WebRTC is disabled in your browser settings. – hd. Mar 17 '16 at 17:59
  • @hd. Very good catch. – Mark Buffalo Mar 17 '16 at 18:06
  • Using a VM is one of my favorite "easy" tricks. I was not aware of the URL bar Javascript trick; will definitely be trying it out going forward. As always, good answer. – Brad Bouchard Mar 17 '16 at 21:19
23

The other answers cover the threats to your computer quite well. However there is a further threat that was not covered. It is possible that URL's are unique to each recipient, allowing the hacker to identify emails that are:

  1. Active
  2. Susceptible to social engineering (clicked a link from a friend)
  3. Not necessarily Computer Security savvy (clicked a link from a friend)

Once the attacker has this data they have significantly narrowed the target list, allowing the follow up actions to be targeted and to avoid expending resources on inactive\ hard targets.

In this case the web pages may not be evil (but always assume that they are). They many only exist to detect that the link was clicked.

AstroDan
  • 2,238
  • 15
  • 25
6

Suggestion would be:

  • Buy a cheap laptop
  • Rip out the disk and graphics card
  • Run OS from DVD (possibly special customized for your needs)
  • Connect on an internet connection that share no other devices* Use VPN service and set your own DNS servers for decent anonymity**

With no disk space and no graphics card it is hard, yet not impossible to corrupt your system.

Every time you reboot the computer, its clean the way you set it up on the DVD.

If you want to get paranoid for real, you can also every time insert a BIOS flash-utility DVD and restore your BIOS.

Nothing is ever 100% though. Unless you automate the process, the biggest fail point is that you will do it wrong number x'th time.

*Do not forget your mobile phone, your smart-TV, your nanny-cam etc if you have an LAN. I'd go cable and skip all wi-fi.

**Point here is that you do not want someone connecting your email address with your IP + True Identity. But that is a bigger issue.

Simply G.
  • 518
  • 3
  • 12
  • 2
    How bout a VM instead of a laptop? Just as secure, reusable with nearly no effort, 0 costs... –  Mar 17 '16 at 14:48
  • 2
    I think, some malicious stuff can escape the VM and infect your machine, which happens very rarily, but the chance is not 0%. – hamena314 Mar 17 '16 at 15:08
  • 4
    @hamena314 VM escapes are pretty rare, but can be a threat. One trick is to run the VM inside a VM of a different OS, IE running a Windows VM in a Linux VM in a Windows (or Mac) machine. You can even use different VM software (VMWare and VirtualBox as examples) for the extra layers for even more Tinfoil Protection (TM) – AstroDan Mar 17 '16 at 15:53
  • 3
    Use a Raspberry PI or other such device rather then a laptop. You can re image the SD card after every run, the hardware is cheap (35 US dollars) and easily available. Plus you can run the SD card through a shredder, which is actually a lot of fun. – AstroDan Mar 17 '16 at 18:28
  • About the WM. I did once ask a question and some of the answers goes to the depth with this: http://security.stackexchange.com/questions/59059/how-can-i-separate-two-oss-files-with-encryption-without-using-truecrypt – Simply G. Mar 17 '16 at 18:29
  • @AstroDan: I thought about a Raspberry PI too, thinking that you could somehow disable the SD card via the lock, so the RP is read-only. I dont know if you would get problems with the RP, but this would be a nice idea. – hamena314 Mar 17 '16 at 20:24
  • @AstroDan Or if you are really paranoid, nuke the Pi from orbit afterwards ;-) – Michael Mar 18 '16 at 01:02
  • @hamena314 Memory cards are cheap and shredders are fun. This makes it very easy. – AstroDan Mar 18 '16 at 02:01
  • @Michael I have tried to get nukes for this purpose but the government is oddly protective of them. – AstroDan Mar 18 '16 at 02:01
  • @AstroDan: I like your enthusiasm about shredding cards! But wouldn't a read-only device be sufficient enough? – hamena314 Mar 18 '16 at 08:28
  • @hamena314 Comments are not for extended discussion. If you want continue this should be moved to chat. That said there is often value in seeing what the website does to the card (through an image diff) which you can not do with read only materials. – AstroDan Mar 18 '16 at 12:52
2

One thing the other replies are not including is the fact that these URLs are often generated randomly and can track active emails. For example, a spammer might send out an email:

Buy these new magic pills: http://example.com/mOUEVpWY8s

However, every email would contain a different mOUEVpWY8s ending. When you click on the link, it tells the spammer that not only is your email still active and in use, but the person receiving the emails is willing to click on links.

Jon
  • 386
  • 1
  • 3
  • 14
1

Since the link to antihacksecurity.com seems down, I add a site that can show you the source code behind the email link.

Some notes:

  • No javascript code can be run.
  • Friendly tool for a static analysis code.
  • Headers (standard and custom) can be added (User-Agent, Referer etc)
  1. Goto http://hurl.eu
  2. Type your email link in the URL: field
  3. (Optional) Click +add header link for adding headers
  4. Click the Send button

You can find other external sites similar to the above one here: Online HTTP Client.

Community
  • 1
Stephan
  • 375
  • 1
  • 9
0

Here's what I generally do:

  • Set up a local proxy like Burp suite
  • Change the browser networking settings to redirect traffic to local proxy
  • Turn the intercept on in the local proxy (practically pauses traffic)
  • Click on the suspicious link
  • Inspect each request and response using the local proxy
Shawn M.
  • 31
  • 5