Background
A while ago, I had a friend get the scam text below, which was sent in a group chat with all of our friends.

Doing some quick research, I deduced exactly why it was a scam thanks to a suspicious link in the text, and informed my friend as such. What followed was a great discussion about looking for suspicious links in texts, and I thought that sharing my own institutional knowledge might be of benefit. Give it a couple of months to sit, and I finally had time to write up the post you’re reading now. Today I’m going to show you a couple of tools I use, and some warning signs that a link is suspicious.
The Tools
First off is https://wheregoes.com, a URL redirect checker. I use it to find out what web page a link would actually take me to without visiting it myself. I do this because I don’t want to just visit a link, since there could be malware on the page. Using this sort of tool, I can see where a link redirects to, ensuring I’m feeding the most accurate domain into my second tool without directly subjecting myself to that risk.
Secondly, once I’ve gotten the link from wheregoes, I’ll throw it into https://www.whois.com/whois/. This site allows you to look up information about when a website was registered and who registered it, which can be used to determine the likelihood that a link is suspicious using the warning signs listed later in the article.
Warning Signs
⚠️ For security reasons, please don’t copy and paste any of the links in the examples here. I don’t control their infrastructure, and can’t guarantee that they will be safe. For this reason I have intentionally made the links unclickable in this section. ⚠️
Here are some of the techniques I have seen that malicious actors will use to make their links seem more legitimate:
- Hyphens: Something that many people don’t know is that domain names allow for the usage of hyphens. Malicious actors understand this, and use it to trick people into thinking illegitimate domains are the real deal. Our example in the picture up above shows this exactly. It looks like a legitimate utah.gov domain, but that -zouy on the end means it’s something entirely different.
  - Pro Tip: Remember that the domain doesn’t end until you get to the first / (forward slash) after the https:// part of the URL.
  - Pro Tip 2: Ask if a dash is supposed to be there. If it looks like a place where a period would normally go, for example between www and google.com, it makes the link look much more suspicious.
- Typosquatting: Typosquatting is the practice of spoofing a legitimate domain with a domain that looks very close. Take a look at, say, drive.google.com and drive.gopgle.com. Since the domains look similar, your brain can autofill some info, and the similarity can make malicious domains look legitimate at a quick glance.
  - Pro Tip: Before clicking a link, give it a slower look. The little bit of extra time and cognitive effort is worth it.
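The two warning signs above can also be checked mechanically. The following Python is an added example, not code from the original post; the TRUSTED list, the function names, and the constructed `.example` hostname standing in for the link in the screenshot are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: a short list of domains you actually expect links to come from.
TRUSTED = ["utah.gov", "google.com"]

def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def belongs_to(host, domain):
    """True only if host is the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

def check_link(url):
    """Return a list of warnings for a URL; an empty list means no flags."""
    if "//" not in url:
        url = "//" + url                      # let urlsplit find the host
    # The hostname is everything between the scheme and the first "/".
    host = (urlsplit(url).hostname or "").lower()
    if any(belongs_to(host, d) for d in TRUSTED):
        return []
    warnings = []
    # Read hyphens as if they were dots, the way a hurried reader does.
    labels = host.replace("-", ".").split(".")
    # Naive registered domain (last two labels); real tools use the Public Suffix List.
    registered = ".".join(host.split(".")[-2:])
    for d in TRUSTED:
        want = d.split(".")
        n = len(want)
        hits = any(labels[i:i + n] == want for i in range(len(labels) - n + 1))
        if "-" in host and hits:
            warnings.append(f"hyphen lookalike of {d}")
        elif 0 < edit_distance(registered, d) <= 2:
            warnings.append(f"possible typosquat of {d}")
    return warnings

if __name__ == "__main__":
    # Constructed sample links, not taken from a real message.
    for link in ["https://utah.gov-zouy.example/pay", "https://www-google.com/",
                 "https://drive.gopgle.com/file", "https://drive.google.com/file"]:
        print(link, "->", check_link(link) or "no flags")
```

An empty result only means neither heuristic fired, so the redirect and whois checks described earlier still apply.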
Reporting
Now that you’ve become a pro at spotting suspicious links, why not pay it forward and report the suspicious domain? Remember that tool for domain lookups? Whois lets you check details about a domain’s registrar (the organization that allows a domain to exist). Most registrars that I have seen will fill in an abuse email field or phone number. This will be a solid choice if you can’t find a form online to report the abuse, since different registrars handle the abuse process differently. Searching for “<registrar name> domain abuse” will often let you find the official channel for reporting abuse at a particular registrar. If you can’t find any info, you can always follow the ICANN complaint process. ICANN is the organization that sets the terms of use for top-level domains, so their complaint process has some weight that’s likely to get something to happen. Just remember, ICANN should be your last resort.
I might include an email template for reporting abuse in a future revision, but I need to do some more research and report more illegitimate domains myself before I can give solid advice about what to say.
Conclusion
So to conclude, looking for the warning signs and remaining vigilant will help keep you safer as you encounter links in the wild. You can do hard things, and link verification is no different. This is TheITFirefly – signing off
PS - Feel free to come back from time to time, as I’m going to continue updating this article with more warning signs as I come across new techniques malicious actors use.