
How To Check A Sketchy Link Without Clicking It

Let’s say you’re working through your dozens of emails, responding to clients, customers, or business partners, and you come across one email from your bank informing you that you need to reset your password. This email comes completely out of the blue and, to top it off, you don’t recognize the sender’s email address. Do you click it?

Maybe…maybe not.

Did you know that you can investigate if that link is sketchy or not without clicking on it?

When it comes to hyperlinks, sometimes it’s really obvious that a link is sketchy, but other times, as with look-alike domains, it can actually be a bit tricky.

Here are a few things that make a link sketchy just from looking at it.

  • Links that end in uncommon top-level domains (TLDs). Because domains in these TLDs are inexpensive to purchase, they are very frequently used for spamming and malicious activity. Aside from abc.xyz, a website owned by Google’s parent company Alphabet, I don’t know of any legitimate domains with these TLDs.

    • Commonly used for spamming/nefarious activity:
      • .xyz
      • .buzz
      • .live
      • .fit
      • .tk
  • Links that are knock-offs (known as look-alike domains) of major brands. These are popular because the domain closely resembles a real brand’s domain. Depending on how the URL looks in your browser, and whether you’re on a mobile device or a computer, you may or may not be able to spot these easily.

    • Examples:
      • netflix-mail[.]com
      • t-mogbile[.]com
      • googlre[.]com
      • secure-paypal.com.fraud.hmmmm[.]com

      Note: these domains may or may not be valid at the time you read this.

  • Links that contain random numbers and/or letters. These are pretty obvious. Not all are malicious; however, any time I see a URL like this I immediately get suspicious. It’s not a trustworthy link in my opinion and should be investigated further.

    • Examples:
      • eqbqcguiwcymao[.]info
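
The three visual tells above can be turned into a quick triage script that inspects the link text only and never fetches it. This is an added example, not code from the original post: the brand list, the one-edit typosquat threshold, the random-label heuristic and the abc.xyz allowlist are assumptions, and the defanged sample domains are the post’s own examples. It goes a little beyond the post by also un-defanging the `[.]` and `hxxp` notation that links are often shared with in reports.

```python
import re
from urllib.parse import urlsplit

# TLDs the post lists as frequently abused.
SUSPICIOUS_TLDS = {"xyz", "buzz", "live", "fit", "tk"}
# Registrable domains on those TLDs that the post calls legitimate.
ALLOWLIST = {"abc.xyz"}
# Brands to compare against (assumption: a short constructed list; in practice
# use the brands your organisation actually deals with).
BRANDS = ["netflix", "t-mobile", "google", "paypal", "microsoft"]
VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-z]+")


def refang(url: str) -> str:
    """Undo the [.] and hxxp defanging commonly used when sharing indicators."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http", 1)


def hostname(url: str) -> str:
    """Extract the lower-cased host; bare domains get a scheme so urlsplit parses them."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typosquats such as googlre."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(label: str) -> bool:
    """Heuristic for eqbqcguiwcymao-style labels: a long label with a consonant
    run that real words rarely have, or with very few vowels (assumed thresholds)."""
    letters = [c for c in label if c.isalpha()]
    if len(label) < 10 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(run) for run in CONSONANT_RUN.findall(label)), default=0)
    return longest_run >= 4 or vowel_ratio < 0.3


def assess(url: str) -> list[str]:
    """Return the visual tells found in a link (empty list = none found).
    A clean result is not proof of safety, only the absence of these tells."""
    host = hostname(url)
    labels = host.split(".")
    if len(labels) < 2:
        return ["no registrable domain found"]
    tld, sld = labels[-1], labels[-2]
    registrable = f"{sld}.{tld}"  # naive: public suffixes such as co.uk are not handled
    reasons = []
    if tld in SUSPICIOUS_TLDS and registrable not in ALLOWLIST:
        reasons.append(f"uncommon, frequently abused TLD .{tld}")
    for brand in BRANDS:
        if sld == brand:
            continue  # the brand's own registrable domain
        if brand in sld or levenshtein(sld, brand) <= 1:
            reasons.append(f"look-alike of {brand}: {registrable}")
        elif any(brand in label for label in labels[:-2]):
            reasons.append(f"{brand} used as a subdomain of {registrable}")
    for label in labels[:-1]:
        if looks_random(label):
            reasons.append(f"random-looking label {label!r}")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the post's defanged examples plus two legitimate-looking links.
    for link in ["netflix-mail[.]com", "t-mogbile[.]com", "googlre[.]com",
                 "secure-paypal.com.fraud.hmmmm[.]com", "eqbqcguiwcymao[.]info",
                 "hxxp://login-update[.]xyz/reset", "https://www.paypal.com/signin",
                 "abc.xyz"]:
        print(f"{link:45} {assess(link) or 'no visual tells'}")
```

The brand check looks at the registrable domain separately from the labels in front of it, which is what catches secure-paypal.com.fraud.hmmmm[.]com: the real domain there is hmmmm.com and “paypal” only appears in a subdomain. Treat the output as a reason to run the link through a scanner, not as a verdict.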

There is definitely no shortage of URL and website scanners out there. I’ve tried dozens of them, and none of them seem as good to me as URLScan. It’s fast, extremely detailed, provides a live screenshot, and lets you link out to other scanners to check the URL with them as well.

URLScan – https://urlscan.io

My go-to move with any sketchy link is to pop it into URLScan and see what comes up. To do that, head over to https://urlscan.io and paste the link you want to scan into the scan field. While there, you can also click Options and make your scan Private, which is sometimes nice to do, since Public scans show up on the front page and in searches.

Now that you have your link pasted in, click Scan! Once URLScan has finished checking your link, doing its analysis and fingerprinting, it will bring you to a results page that looks something like this.

Note: this is an example results page for a known malicious site.

1. Live Screenshot. This lets you visually check whether anything looks off on the site. It’s good for sniffing out things like misspelled words on login pages.

2. Google Safe Browsing rating. This is a nice quick view of whether the website is safe or potentially nefarious.

3. Look up the URL with other scanners. The Lookup tab lets you pick from a number of other website scanners. This can help you glean additional information about the site you’re scanning in case you’re still not sure about it.
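
The same workflow can be driven from a script when you have more than one link to check. This is an added example rather than anything from the post or from urlscan.io itself: it assumes the public urlscan.io API (`POST /api/v1/scan/` and `GET /api/v1/result/<uuid>/`), an API key in the `URLSCAN_KEY` environment variable, and the result JSON field names used in `summarize`, all of which should be confirmed against the current urlscan API documentation. The scan is submitted as Private, matching the Options tip above, and the summary additionally flags when the final landing domain differs from the one you submitted, which the screenshot alone will not tell you.

```python
import json
import os
import time
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API = "https://urlscan.io/api/v1"


def submit_scan(url: str, api_key: str, visibility: str = "private") -> str:
    """Submit a URL for scanning and return the scan UUID (assumed API shape)."""
    body = json.dumps({"url": url, "visibility": visibility}).encode()
    req = urllib.request.Request(
        f"{API}/scan/", data=body, method="POST",
        headers={"Content-Type": "application/json", "API-Key": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["uuid"]


def fetch_result(uuid: str, attempts: int = 12, delay: float = 5.0) -> dict:
    """Poll for the result; the result URL answers 404 until the scan has finished."""
    for _ in range(attempts):
        try:
            with urllib.request.urlopen(f"{API}/result/{uuid}/", timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code != 404:
                raise
            time.sleep(delay)
    raise TimeoutError(f"scan {uuid} not finished after {attempts} polls")


def summarize(result: dict) -> dict:
    """Reduce a result document to what the post reads off the results page.
    Field names (task.url, page.domain, verdicts.overall.*) are assumptions
    about urlscan's JSON; .get() keeps this tolerant of missing keys."""
    task = result.get("task", {})
    page = result.get("page", {})
    overall = result.get("verdicts", {}).get("overall", {})
    submitted_host = (urlsplit(task.get("url", "")).hostname or "").lower()
    final_domain = (page.get("domain") or "").lower()
    return {
        "submitted": task.get("url"),
        "final_domain": final_domain,
        "ip": page.get("ip"),
        # A link that lands on a different domain than the one in the email is
        # worth a second look even when no engine has flagged it yet.
        "redirected_off_domain": bool(final_domain) and final_domain != submitted_host,
        "malicious": bool(overall.get("malicious", False)),
        "score": overall.get("score", 0),
        "screenshot": task.get("screenshotURL"),
        "report": task.get("reportURL"),
    }


def triage_verdict(summary: dict) -> str:
    """One-word call for a ticket: BLOCK when flagged malicious, INVESTIGATE when
    it lands somewhere other than the submitted domain, otherwise REVIEW."""
    if summary["malicious"]:
        return "BLOCK"
    if summary["redirected_off_domain"]:
        return "INVESTIGATE"
    return "REVIEW"


# Constructed sample result (not real urlscan output) so the summary can be
# exercised offline; it only mirrors the field names assumed above.
SAMPLE_RESULT = {
    "task": {
        "url": "http://login-update.example/reset",
        "screenshotURL": "https://urlscan.io/screenshots/<uuid>.png",
        "reportURL": "https://urlscan.io/result/<uuid>/",
    },
    "page": {"domain": "landing.example.net", "ip": "192.0.2.10"},
    "verdicts": {"overall": {"score": 100, "malicious": True}},
}


if __name__ == "__main__":
    key = os.environ.get("URLSCAN_KEY")
    if key:
        uuid = submit_scan("https://example.com/", key)  # placeholder URL to scan
        summary = summarize(fetch_result(uuid))
    else:
        summary = summarize(SAMPLE_RESULT)  # offline demonstration
    print(json.dumps(summary, indent=2))
    print("verdict:", triage_verdict(summary))
```

Without `URLSCAN_KEY` set the script only exercises the constructed sample; with a key it submits the placeholder URL as a Private scan, waits for the result, and prints the same fields the post calls out on the results page plus the redirect check.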


Browserling – https://www.browserling.com

Another great, free tool for investigating potentially malicious URLs and websites is browserling.com. This website allows you to enter any URL, and it will safely navigate to that website for you. You can then interact with the suspicious website just like you would in any other browser, but doing it this way is 100% safe, because the browser runs in a sandboxed environment and there’s no way for the malicious website to hurt your machine. With the free version you are limited to about 2 minutes, but that’s more than enough for a quick peek at the website.

Caution when Clicking

It’s a bit cliché by now, but think before you click! It only takes a few minutes to pause, copy and paste the link into URLScan, and check it out before clicking.

If you’re at work and have an IT Department or Security Team, send it over to them and ask them to investigate it for you. It’s better to wait 10 minutes to get a link checked out than spend 10 weeks recovering from a security incident.

Additional Information

I did some googling on this topic and found some good articles related to suspicious and/or malicious domains. The articles below go into much more detail on TLDs and their use for malicious or spammy activity. If you’re into the technical nitty-gritty, these would be great reads.


Storm-0324: New Phishing Campaign Targets Corporations via Teams Messages

Microsoft is warning of a new phishing campaign that uses Teams messages as lures to infiltrate corporate networks. The threat group behind this campaign, tracked as Storm-0324 (aka TA543 and Sagrid), is a financially motivated group known to gain initial access using email-based infection vectors and then hand off access to the compromised networks to other threat actors, which frequently leads to ransomware deployment. They are known to have deployed Sage and GandCrab ransomware in the past. Additionally, Storm-0324 has provided the well-known FIN7 (aka Sangria Tempest) cybercrime gang with access to corporate networks after compromising them using JSSLoader, Gozi, and Nymaim.

Storm-0324’s methods have changed over the years. As of July 2023, the phishing lures are sent over Teams, with malicious links leading to a malicious ZIP file hosted on SharePoint. To accomplish this, the group leverages an open-source tool called TeamsPhisher, a Python program that enables Teams tenant users to attach files to messages sent to external tenants, which attackers can abuse to deliver phishing attachments. The accounts sending these lures are labeled “EXTERNAL” users by the Teams platform if external access is enabled in the organization. This issue was also previously exploited by APT29 in attacks against dozens of organizations, including government agencies worldwide. Details regarding the end goal of Storm-0324’s attacks have not been provided at this time; however, APT29’s attacks aimed to steal the targets’ credentials after tricking them into approving MFA prompts.

Microsoft says they are taking these phishing campaigns seriously and have rolled out several improvements to better defend against these threats. They have suspended identified accounts and tenants associated with inauthentic or fraudulent behavior. Microsoft has rolled out enhancements to the Accept/Block experience in one-on-one chats within Teams, to emphasize the externality of a user and their email address so Teams users can better exercise caution by not interacting with unknown or malicious senders. In addition to this, they’ve implemented new restrictions on the creation of domains within tenants and improved notifications to tenant admins when new domains are created within their tenant.

SecurIT360 SOC Managed Services 

If you utilize our SOC Managed Services for MDR and/or EDR, we are actively monitoring the release of IoCs related to this threat actor. Along with standard vendor threat feed and signature updates, we will proactively upload these to our SOC tools if applicable.

As always, if we detect activity related to this campaign, we will alert you if warranted.

Please feel free to contact the SOC via email (soc@securit360.com) or telephone (844-474-1244) if you have any questions or concerns. 

Ongoing Storm-0324 and Sangria Tempest JSSLoader email-based infection chain

Recommendations

As per Microsoft, to harden networks against Storm-0324 attacks, defenders are advised to implement the following:

  • Pilot and start deploying phishing-resistant authentication methods for users.
  • Implement Conditional Access authentication strength to require phishing-resistant authentication for employees and external users for critical apps.
  • Specify trusted Microsoft 365 organizations to define which external domains are allowed or blocked to chat and meet.
  • Keep Microsoft 365 auditing enabled so that audit records can be investigated if required.
  • Understand and select the best access settings for external collaboration for your organization.
  • Allow only known devices that adhere to Microsoft’s recommended security baselines.
  • Educate users about social engineering and credential phishing attacks, including refraining from entering MFA codes sent via any form of unsolicited messages.
    • Educate Microsoft Teams users to verify ‘External’ tagging on communication attempts from external entities, be cautious about what they share, and never share their account information or authorize sign-in requests over chat.
  • Educate users to review sign-in activity and mark suspicious sign-in attempts as “This wasn’t me”.
  • Implement Conditional Access App Control in Microsoft Defender for Cloud Apps for users connecting from unmanaged devices.
  • Configure Microsoft Defender for Office 365 to recheck links on click. Safe Links provides URL scanning and rewriting of inbound email messages in mail flow, and time-of-click verification of URLs and links in email messages, other Microsoft Office applications such as Teams, and other locations such as SharePoint Online. Safe Links scanning occurs in addition to the regular anti-spam and anti-malware protection in inbound email messages in Microsoft Exchange Online Protection (EOP). Safe Links scanning can help protect your organization from malicious links that are used in phishing and other attacks.
  • Enable Zero-hour auto purge (ZAP) in Microsoft Office 365 to quarantine sent mail in response to newly acquired threat intelligence and retroactively neutralize malicious phishing, spam, or malware messages that have already been delivered to mailboxes.
  • Practice the principle of least privilege and maintain credential hygiene. Avoid the use of domain-wide, administrator-level service accounts. Restricting local administrative privileges can help limit installation of RATs and other unwanted applications.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • For additional recommendations on hardening your organization against ransomware attacks, refer to the threat overview on human-operated ransomware.

Microsoft customers can turn on attack surface reduction rules to prevent common attack techniques:
