Blog
Informative, up-to-date and exciting - the Oneconsult Cybersecurity Blog.

DFIR, Simple: Behind the Link – a Look Into the Dark

Unwanted emails, SMS and other digital messages, also known as “spam”, are tiresome and unpleasant but also part of our everyday digital life. Nowadays, we all regularly receive unwanted messages (spam) that are not just advertising, but deliberately try to trick us into an action that can have far-reaching consequences.

In many cases, the message asks us to go to an Internet address.

Example of possible spam SMS with an Internet address
Figure 1: Example of possible spam SMS with an Internet address

As with the SMS shown above, it is not always clear to the recipient whether it is a legitimate message or something worse. Especially if you are not sure, you should definitely avoid visiting the website with your everyday devices: The website could be used for an attack attempt, for example, against your browser or to trick you into opening a file by downloading it automatically. However, one look at the linked website would probably tell you right away how likely it is to be a wanted or unwanted message.

So how can you find out in the easiest and safest way possible whether it is spam or not?

In such situations, urlscan.io is a very useful and free resource on the Internet, which we also like to use in our short analyses. The tool offers a wide range of features that we will come back to in upcoming DFIR, Simple blog articles. Today, we’re focusing on taking a first look at the website in the message you received to assess its legitimacy.

The procedure is quite simple: You visit urlscan.io, enter the Internet address contained in the message, called the URL, in the “URL to scan” field (1), and click the “Public Scan” button (2).

Public Scan in urlscan.io
Figure 2: Public Scan in urlscan.io

Attention: This is a public “scan”! This means that the whole world can see that the Internet address you entered in urlscan.io has been checked and visited. You should therefore refrain from entering sensitive Internet addresses, e.g. those with your email address or names in the address. It is also best to avoid entering “cryptic” looking or long addresses, such as https://example.org/?q=c2Vocmd1dHNpZXdpc3Nlbndhc2Jhc2U2NGlzdCE%3D&, for the time being, as these may contain sensitive information about you in coded form.

We will come back to this in a future DFIR, Simple blog post.

Result of public scan in urlscan.io.
Figure 3: Result of public scan in urlscan.io.

Once the scan is complete, you get a lot of valuable information.

urlscan.io immediately alerts us that this case is likely a malicious website. Both “urlscan.io Verdict” and “Google Safe Browsing” classify the website as “Potentially Malicious” and “Malicious” respectively (orange box on the bottom left of the screenshot above). This is a very valuable hint that should be taken seriously and complements our assessment. Especially for recently published websites, however, we cannot rely solely on these two assessments – more on this in a future DFIR, Simple article.

For this reason, as with our investigations, we first take a look at the image of the website (“screenshot”). This image helps to quickly classify the link and thus the spam message. In this case, it seems to be at least phishing, i.e. an attempt to steal user data from the recipient: A registration form for Amazon can be seen, which is provided under an Internet address foreign to this company (elements highlighted in red in the screenshot above). The message should therefore be ignored and, at best, deleted immediately. As long as the recipient has not visited the website and interacted with it, this is sufficient.

DFIR, Simple

Regardless of whether you’re an IT employee who defends IT systems against cyberattacks and their users on a daily basis, or you’re simply curious about how digital forensics works and information security incidents are handled: You’ve come to the right place! Titled “DFIR, Simple,” our experts from the Oneconsult International Computer Security Incident Response Team (OCINT-CSIRT) publish articles that will help educate you as a volunteer IT security firefighter in your organization. Each blog article introduces you to a tool, process, or lessons learned from other companies’ information security incidents. With a basic understanding of IT and a good pinch of curiosity, you’re in the right place. By the way, “DFIR” stands for “Digital Forensics & Incident Response,” and our posts focus on pragmatic approaches that can be applied in everyday life and are cost-effective – in keeping with the spirit of the blog series: DFIR, Simple.

DFIR, simple – series

Published on: 06.11.2020

Share

Never miss the latest news on cyber security topics again? Sign up for our newsletter

Autor

After graduating with a master’s degree in computer science (MSc ETH CS) im 2017, Gregor Wegberg joined Oneconsult. Since 2020 he has been Head of Digital Forensics & Incident Response.

LinkedIn

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts