Although I have been working in the field of cybersecurity for a long time, the malicious reach of cybercrime never ceases to amaze me. The simple act of clicking on a malicious URL, opening an attachment, or engaging with an ad can lead to serious consequences. By clicking on a malicious URL, you may find yourself the target of a phishing attack, have malware auto-install onto your device, or have something more sinister occur.
But what is a malicious URL? How do cybercriminals use these dangerous links to their advantage? And what can you do as a website user or site owner to fight back?
What Is a Malicious URL?
In simple words, a malicious URL is a clickable link that directs users to a malicious or otherwise fraudulent web page or website. As the name suggests, nothing good can ever come out of a malicious URL. That’s because the goal of creating these bad site pages is typically for a nefarious purpose — such as to carry out a political agenda, steal personal or company data, or make a quick buck. For example, cybercriminals may create malicious URLs to:
- Carry out phishing attacks to gain access to users’ personal information to carry out identity theft or other types of fraud.
- Gain access to users’ login credentials to gain access to their personal or professional accounts.
- Trick users into downloading malicious software that cybercriminals can use to spy on victims or take over their devices.
- Get into victims’ computers to encrypt their files for a ransomware attack.
- Remotely control a victim’s computer by using a remote access trojan (RAT). And if an attacker can distribute RATs to other vulnerable devices on the network, they can use it to create a botnet that they can control.
Now, it’s important to note that malicious links can be created on fake and legitimate websites. Cybercriminals can create entirely fake and malicious websites, or they may opt to create malicious URLs for legitimate domains. Malicious URLs are delivered via many methods, including emails, websites, and advertisements.
A Quick Look at 3 Malicious URL Examples
Malicious URLs come in many forms — some more obvious than others. Take a look at the following malicious URL examples. In the first, a scammer tries to get the email recipient to believe that there’s some issue with their account to get them to click on a potentially malicious URL.
A safe way to know whether the link is malicious is to check which URL the link takes you to. If you hover your mouse over the link, you will be able to see the URL. If the URL shows a different domain than the one it claims to lead to (in this case, it should lead to att.com but doesn’t), then you’ll know that it’s a phishing or malicious URL.
Here’s another example of an email that contains a malicious URL. Something that should immediately stand out is their apparent confusion as to their identity. For example, the sender’s display name is “Email Notification’ (‘cause that’s not at all suspicious…), their email address comes from a domain pebblekickvault.com, the URLs are to a completely separate domain (abb-nks.com), and the email is signed “Netease Admin.” Either someone is extremely confused, or they’re lying about who they are. We’re going with the latter explanation.
Malicious emails are sent by companies impersonating to be from well-known companies. The following screenshot is of an email claiming to be from Netflix. However, the link takes you to a completely different website (sendgrid.net), and the email also comes from another unknown domain (confirm.com).
How to Avoid Malicious URLs: A How-To for Individual Users and Businesses
You know that clicking on malicious URLs will spell disaster for you or your organization. So, what should you protect yourself from a malicious attack? How can you make out the difference between a malicious URL and a real one? And what can companies do to prevent criminals from using their names to send malicious content?
Let’s have a look at how to avoid being affected by malicious URLs both as a private individual and as a business.
How to Avoid Malicious URLs as an Individual User
As a recipient of an email that contains a suspicious (and potentially malicious) URL, you should first check the authenticity of the email and the website itself. You can do so by verifying in the following manner:
Check the Sender’s Email Address
Actually, most fraudulent emails have spoofed email addresses. The email might claim to be from a well-known company, but the sender’s email address might give away their maligned intentions.
The Email Address Doesn’t Match the Sender’s Display Name
The sender’s email address can be completely different from the company the email claims to have originated from. This is a glaring red flag of a potentially dangerous email, and you should refrain from taking any actions that the sender asks or demands. This includes clicking on links or calling any phone numbers mentioned in the email.
An example of such an email is given below:
Emails Use Domains That Are Similar to Legitimate Organizations
By making use of a method called “typosquatting,” criminals can con you into thinking that an email is sent from a legitimate company. What they do is create email addresses that look visually similar to those that come from legitimate organizations. They might change a letter or two to make their domain look like the real deal. This way, if you’re in a hurry or aren’t paying attention when looking at the sender’s email domain, you’ll think that the email came from a legitimate and trusted sender.
For example, if your contact email address is [email protected], someone might send phishing messages using the email address [email protected] (note the extra “a”). Another example is if you have a Netflix user account and receive an email from [email protected] (note that the “l” is missing); you might mistakenly think it came from the genuine domain Netflix.com.
They also use a method known as domain spoofing. This is when cybercriminals create fake websites using spoofed domains to trick people into thinking the website is legitimate. In November 2020, the FBI’s Internet Crime Complaint Center (IC3) published a list of spoofed FBI-related internet domains that cybercriminals can use in their scams:
Emails Are Sent From Genuine Domain Names
Some actors might even take the pains to go a step further to take over one of your employees’ legitimate company email addresses. This will increase the success rate of their scam because the message will come from a legitimate account.
Check the Subject of the Email Online
If you’re not sure whether the email contains a malicious link or a genuine one, check the subject line on any search engine. There are high chances that the same malicious emails are sent to thousands of other people and somebody has posted examples of them online to help others. This method can help you figure out whether an email is fraudulent within seconds.
Look for Inconsistencies in Email or Website Content
If you read a fraudulent email, you’ll likely observe inconsistencies that inform you that the email (and any links contained within it) is fake and potentially malicious. For example:
- Sender’s email address and the “reply to” email address are different.
- Sender’s display name and/or email address don’t match the name the sender uses in the email body.
- Email intent is inconsistent with the subject line.
- Embedded links or buttons say they’ll take you to a company’s official website but actually lead to another unknown site.
- You receive the email on your email address that is not registered as your contact address.
All these little inconsistencies will let you know that the email is fraudulent, and you should not click on the potentially malicious URLs contained within it.
There are some things you can also look out for when visiting websites:
- Incomplete or missing website content.
- Images and graphics are all stock images or look like they came with the template.
- The company logo on the website might be of a different shade than the company’s official logo.
- Links don’t work or lead to a different unknown domain.
- The website contains grammar and spelling errors.
These inaccuracies will reveal that the intent of the creator of the website is not genuine.
Double-Check URLs Before Clicking on Them or Hitting “Enter” in Your Web Address Bar
This safety rule applies to both checking links in emails and the links you manually type into your web address browser. Let’s start first by discussing links in emails. Cybercriminals love to hide malicious URLs in phishing and malicious emails. So, if you hover over the link first with your mouse, you can see where the button or embedded link will really take you.
You can also copy-and-paste the URL into your web address bar (without hitting “enter” or doing anything to load the site) to see how it displays. For example, some cybercriminals use special characters from non-English languages (Punycode) to make malicious URLs visually look like legitimate websites. (Cybersecurity research Xudong Zheng published about this type of attack, known as a homograph attack, on his blog back in 2017.)
When manually typing a web address into your browser, double-check to make sure that you haven’t accidentally misspelled it. If you mistype something and hit “enter” to go to the site, you might find yourself on a typosquatting website instead of the real deal.
Don’t Click on Random Pop-Ups or Ads
While surfing on the web, you might stumble across pop-ups or embedded ads that will tell you that your account has been hacked, or they have found a virus on your system or some other excuse to make you click on the link they have shown in the pop-up. These pop-ups are classic malicious advertising examples. They make you feel that you’re in danger and must take immediate steps to keep yourself secure.
Don’t make the mistake of clicking on any one of them. Cybercriminals use these types of malicious advertisements or “malvertising” scams to con unsuspecting people. Their goal is to get you to click on fake ads that will take you to their malicious URLs. These ads are colorful, attractive, and offer an enticing deal on something you’ve wanted to buy.
The following screenshot is an example of a malicious ad that contains a malicious link:
Look for Website Security Certificates
Legitimate websites typically use SSL/TLS certificates. What these certificates do is add organizational identity and encryption to websites. Organizational identity assures you that a website is legitimate because the organization that owns it has been vetted by a trusted third party known as a certificate authority (CA). If the website has a padlock in the web address bar and an HTTPS at the start of the URL, it means that the website uses a secure, encrypted connection to protect data in transit.
This combination of an organization’s verified identity and the use of encryption makes a website safer and more secure. The following screenshot shows the padlock and HTTPS on the address bar:
The business validated SSL/TLS certificate gives assurance to the visitor of the website that:
- The domain name is owned by a legitimate company or organization.
- All communications between the website’s server and your browser are encrypted.
- No unintended third parties can steal, read or alter your data while it’s in transit.
Don’t Download Pirated Content
Websites promising you to give you access to pirated movies, books, games, software or other content for free if you click on the link are most definitely fishy (or phishy!). While the act of piracy itself is damaging to the industries whose content or programs are stolen, visiting websites that host pirated content is also extremely dangerous. These links are often malicious URLs that will harm you in one way or another.
For example, clicking on these malicious URLs can lead to:
- Accidentally downloading malicious software onto your device. Malware can be disguised as legitimate programs or files. Once you download and install the pirated content, the malware infects your device and the network it connects to.
- Becoming the victim of a ransomware attack. Ransomware is malicious software that will encrypt your files and demand payment to decrypt them.
- Your device becoming part of a larger botnet. Cybercriminals use infected devices (known as zombies) to create botnets that they can control, use, or “rent” to other cybercriminals.
Avoid Websites That Host Offensive Content
Cybercriminals often target websites containing adult content and other obscene materials as a way to spread malware. Although most pornographic websites aren’t created to spread malware, cybercriminals can target their users by hacking their sites or third-party advertising platforms that deliver ads.
If you download or click on such questionable links, you may wind up with malware on your device or find yourself the future victim of some sort of cybercrime. The same applies to URLs embedded in websites linked to terrorism, extremism, fascism, racism, or other extremely biased opinions.
How to Avoid Malicious URLs as a Business
A malicious URL harms the reputation of your business along with its trustworthiness. Although you can’t be 100% sure that threat actors are not using your organization’s name to commit internet fraud, there are steps you can take to ensure that your domain name isn’t used to send phishing or malicious URLs. You can also take steps to prevent your employees from engaging with malicious URLs as well.
- Train your employees to increase their awareness about cybercrimes and phishing. Providing effective cyber awareness training to your employees goes a long way to improve the security of your company. In addition to teaching them to recognize common types of cyber threats, you should also inform them about how to report suspicious emails and websites to your IT team. This way, IT can take steps to block and add malicious URLs to website blacklists. They can also block messages from questionable email accounts.
- Educate your employees to use email antivirus tools to scan emails & attachments. This is huge. Your IT team can’t be everywhere at once and can’t check every email attachment or link for your employees. They must understand how to use these tools on their own.
- Implement email filters (SPF, DKIM, and DMARC). These email security protocols use DNS records in different ways and, together, help you to prevent users from sending emails containing malicious URLs or other dangerous content on behalf of your domain. They also help you specify which IP addresses can send emails for your domain, and what email recipients’ clients should do if they receive emails that don’t meet specific parameters. These three acronyms, which the National Institute of Standards and Technology (NIST) highlights in their special publication on Trustworthy Email (SP 800-177), stand for the following:
- SPF = Sender policy framework,
- DKIM = Domain keys identified mail, and
- DMARC = Domain-based message authentication, reporting, and conformance.
- Report malicious URLs that are similar to yours to blacklists. This is a proactive step that helps you prevent inauthentic and dangerous websites from affecting your business and your prospective customers.
Final Thoughts on Malicious URLs and How to Stay Safe
Cybercriminals are always trying to come up with new ways to trick you and other targets into becoming victims. They use malicious URLs to their advantage to do this by including these links in emails, using them in fake ads, and deploying them through many other methods.
Remember, at this very moment, a criminal is thinking about new ways to harm you, new ways to tempt you to click on malicious links, or new ways to gain access to your IT systems and data. This is why cyber security can’t be achieved by one-time efforts or by passive involvement. It’s a continuous and evolving process that requires you to be vigilant and observant 24/7.