Spam (unsolicited bulk messages) and phishing (obtaining
privileged information by masquerading as a trustworthy entity) have
become a part of everyday life for anyone who uses email for personal or
business communication. Cyber-criminals behind spam and phishing
messages have been perfecting their craft for decades and, as a result,
it is often difficult to distinguish spam from legitimate emails. Some
observational techniques can be helpful, and a number of services exist
to assist with verifying the reputation of various websites and phone
numbers, which can be used to gauge the validity of a received email.
The sender address is a good first indication of
whether an email message is legitimate or not (for example, an email
that claims to be from AMEX, but was sent from “bob@comcast.net”, is
almost certainly malicious), but it is worth noting that the sender address
is very easy to fake (aka “spoofing”). Just like the return address on
“snail mail”, the sender information is provided by the sender himself
and, in the majority of cases, is not verified by the email server. Do not rely
on the sender address alone for validating the identity and legitimacy of
the sender.
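As an added illustration (not code from the original post), the following script applies the AMEX / comcast.net heuristic above to a constructed message: it compares the brand domain the reader expects (an assumed value passed in by the caller) with the actual sender domain, and also checks whether the receiving server recorded a passing SPF or DKIM result in the Authentication-Results header, which is the one place where the sender address does get verified.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample (not from the post): the display name claims a brand that
# the sender domain does not match, exactly the AMEX / comcast.net case above.
SUSPECT_MESSAGE = """\
From: American Express <bob@comcast.net>
To: reader@example.org
Subject: Your account statement is ready
Authentication-Results: mx.example.org; spf=softfail smtp.mailfrom=comcast.net; dkim=none

Please review the attached statement.
"""


def sender_checks(raw: str, expected_domain: str) -> dict:
    """Return simple findings about the sender of a raw RFC 5322 message.

    expected_domain is the domain the reader expects the claimed brand to send
    from; it is supplied by the caller (an assumption, e.g. "americanexpress.com").
    """
    msg = email.message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    findings = {"display_name": display_name, "address": address, "domain": domain}
    # 1. Does the sending domain match (or sit under) the expected brand domain?
    expected = expected_domain.lower()
    findings["domain_matches"] = domain == expected or domain.endswith("." + expected)
    # 2. Did the receiving server record a passing SPF or DKIM result? Without one,
    #    the From header is exactly as unverified as the post warns.
    auth = str(msg.get("Authentication-Results", "")).lower()
    findings["spf_pass"] = re.search(r"\bspf=pass\b", auth) is not None
    findings["dkim_pass"] = re.search(r"\bdkim=pass\b", auth) is not None
    findings["suspicious"] = (not findings["domain_matches"]
                              or not (findings["spf_pass"] or findings["dkim_pass"]))
    return findings
```

A message with no Authentication-Results header at all is treated as unverified, which is the conservative reading.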
The goal of a spam or phishing message will usually boil down to one of the following:
1. Getting you to click a link in the message
2. Getting you to open the attachment in the message
3. Getting you to call a number and provide information
4. Getting you to reply to the message with requested information
Generally, if you have any doubts about the origin of the message, it
is best not to do any of the above. However, if you do think that the
request may be legitimate (again, keep in mind that spammers are
getting very good at making you think that; it is their 'bread and
butter'), here are some tips on how to attempt to verify each of the above
before you proceed.
How to check if something is malicious
Links/Websites: the following free services
will let you copy-paste the link from a suspect email message and check
the validity/potential risk rating of that link:
https://www.mywot.com/
- this is a “peer review” site, where a site’s ratings are contributed by
other users; so if Bob and Alice say that a site is bad and Jim
later goes to check the site’s rating, he will see the previous
negative feedback. Anybody can review a site, and the service offers a
free browser plugin to automatically alert against visiting sites with numerous negative reviews.
http://www.siteadvisor.com/sites/
- this is a service very similar to the one above in functionality, but it is now offered by McAfee.
All site reviews are provided by McAfee staff (however, individuals can
submit their recommendations on suspect websites). This service also
offers a browser plugin for automated website and search validation.
https://www.virustotal.com/#url
– free service now owned by Google, which will check the site’s
reputation against 51 different reputation services, similar to the ones
listed above. It will not show any details on the reputation, but will
provide a summary judgment as to whether it could be trusted or not. There is also a section for users to leave comments on each of the URLs, but it doesn't seem to be as popular as the MyWOT one.
The same service offers antivirus scanning for attachments, but more on that
later.
Files/Attachments: the following services will let you
upload a file to be scanned by antivirus engines other than the one that is already
(hopefully) present on your computer. You can save a copy of the file to a folder on
your computer and upload it to be scanned from there; do not double-click/open the file,
and always use your local antivirus to scan the file first. Please note
that personal/sensitive data should not be uploaded to third-party
services, as there is no telling what might happen to that file after it has been scanned.
https://www.virustotal.com
– service owned by Google which will let you upload the suspicious file
or email attachment to be scanned by 46 different antivirus programs.
Antivirus programs are only as good as their signature definitions, and
often one or two of them will be able to detect a certain virus variant
before everyone else creates a signature for it. This lets you make sure that none of the antivirus
vendors think the file you’ve received is malicious.
https://www.metascan-online.com
– another service similar to the one above, which will scan an
uploaded file with 42 different antivirus programs. All the same
limitations apply, but the permitted file size is slightly higher.
Please note that just because an antivirus does not detect a virus in
the file, it doesn’t mean that it isn’t there. Antiviruses can generally
only detect malware that they are already aware of; a new variant, or a variant
encrypted in a password-protected ZIP archive, for example, will not be
detected. Be extra vigilant if files are sent to you in
password-protected archives; this is a common technique used to bypass
antivirus detection.
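The two cautions above (do not upload sensitive files; password-protected archives defeat scanning) suggest a safer workflow, shown here as an added example that is not part of the post or of any service's own tooling: hash the attachment locally and ask VirusTotal whether it already knows that hash, flag ZIP archives that contain encrypted entries before trusting any scan result, and reduce the engine counters to a verdict. It assumes a VirusTotal v3 API key for the network call; the "three engines" threshold is an assumption of this example, not a VirusTotal rule.

```python
import hashlib
import io
import json
import urllib.request
import zipfile

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"  # VirusTotal v3 lookup by hash

def sha256_hex(data: bytes) -> str:
    """Hash the file locally; the hash, not the file, is what gets sent out."""
    return hashlib.sha256(data).hexdigest()

def has_encrypted_zip_entries(data: bytes) -> bool:
    """True if data is a ZIP archive with at least one password-protected entry
    (general purpose flag bit 0 set), which scanners cannot look inside."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(info.flag_bits & 0x1 for info in zf.infolist())

def verdict(stats: dict) -> str:
    """Collapse VirusTotal's last_analysis_stats counters into one word.
    The threshold of three flagging engines is an assumption, not a VT rule."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if sum(stats.values()) == 0:
        return "unknown"  # hash never seen by VT: absence of evidence only
    if flagged == 0:
        return "clean-by-current-signatures"
    return "malicious" if flagged >= 3 else "suspicious"

def lookup_hash(sha256: str, api_key: str) -> dict:
    """Network call: ask VirusTotal about a hash it may already know."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]["attributes"]["last_analysis_stats"]

def constructed_sample_zip(mark_encrypted: bool) -> bytes:
    """Constructed test input: a tiny ZIP; zipfile cannot write encrypted entries,
    so the encryption flag bit is patched into the local and central headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.exe", b"not really an executable")
    data = bytearray(buf.getvalue())
    if mark_encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            data[data.find(sig) + off] |= 0x01
    return bytes(data)
```

Only if the hash is unknown and the file contains nothing sensitive does uploading the file itself become the next step.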
Phone Numbers: confirming phone numbers can
be tricky because a large number of websites offering phone number
reputation services are “commercialized” and require you to pay for the
information. So far, only the following website, using information provided by other users, has been free and consistently accurate
at identifying suspicious phone numbers:
http://800notes.com/
- website similar in functionality to MyWOT, where users are able to
contribute their experiences with a certain phone number to an overall
review page for that number. Keep in mind that while this can be used to
validate phone numbers included in an email, one should not rely on it
for phone numbers on received calls. Similar to the sender address on
email messages, caller phone numbers can be easily spoofed to masquerade
as any other number, and this is a technique often used for social
engineering attacks.
In conclusion, you should always avoid clicking links or opening attachments in emails that you did not expect to
receive, even if they appear to be sent by someone you know. Even the most legitimate-looking messages may be phishing for your
sensitive information, to be used for identity theft or further attacks
against you or your organization. If you do believe that a message is
legitimate, or you have any doubts about it, double-check using one of the above reputation services before acting
on anything requested in said email. Good luck out there!