How to Find Out More about Suspicious URLs

I’m sure this has happened to many of us. An email comes in from a friend, but something just doesn’t look right in the preview. Parts look normal, but other parts look suspect. This happened to me this weekend, and I decided to research it more.

Suspicious email in Gmail.
Is this real or fake?

If the above email hadn’t come from a friend, I probably would’ve deleted it. However, I was concerned that maybe an address book or email account had been compromised. Given the number of security breaches, this wasn’t out of the question.

There are a number of ways to investigate emails and suspicious URLs, but here’s my process based on what I could see without opening the email. As a policy, I don’t open these types of emails. I’ll either do the research or send an email back to my friend asking them if they sent it.

Who Sent the Email?

At this point, I just see my friend’s name, but not his full email address. Many email applications, like Gmail, show the full address when you hover over it. Another clue is that my friend Vassi’s picture doesn’t show as it normally does. Instead, this email used the generic blue icon.

Strange domain and no profile image

In this case, I can see the sender’s domain (originally a design studio’s, which I changed) is not related to my friend, which is reassuring. At this point, my heart goes out to this design studio, as their domain has been used. I also get people fraudulently using my domain in emails, and it’s difficult to explain to people that I didn’t send them. Anybody can spoof that part.

What’s With This Short URL?

In the email preview, I can see a short or tiny URL is used. I like URL shorteners, but people can also link them to nasty stuff. If you’re not familiar with URL shorteners, they are services that can take a very long URL and provide a much shorter one along with analytics. There are a number of companies that provide this service ranging from Bit.ly to Google.

Google shut down their URL service to new users on April 13th, 2018.

For example, if I wanted to create a short URL for my Excel tutorials section, I would simply enter the regular web address into the service. In this case, I’m using Goo.gl.

Creating a short URL with Goo.gl.
Create a short URL with goo.gl

After I click the SHORTEN URL button, I get the new web address. Even though this process is easy, you can see it did take a little bit of time. This raises the question of why my friend would use this service instead of copying and pasting the full URL. One reason might be that they copied it from another email, but many people just forward that email.

Short URL link and preview

Check Short URL Address

However, if you paste a short URL into various security scanners, you might get an error like this one. You also don’t see where the URL would go.

Scanners May Not Handle Short Links Well

This can happen for a number of reasons, such as the expanded URL containing unrecognizable characters, Punycode, or parameters. And some services just don’t like short URLs.

The better solution is to find the full expanded URL. The good news is there are several services that can find the expanded link and test it. One well-regarded one is VirusTotal.

VirusTotal scan showing issue

At this point, I’m pretty sure this is a page I don’t want to visit. If I click the Details tab, I can see the full domain and a reference to bannerfarm.php. This makes me think it’s some sort of system to inject ads or worse.

Although this suspicious email used a short URL, you can use VirusTotal to check and expand short URLs. I also like to use more than one service to check a short URL. The reason is that sometimes you get a false positive. The other service I use is Sucuri’s site checker.
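
If you would rather expand a short URL yourself before handing it to a scanner, the sketch below follows the redirect chain with header-only requests and reports the traits mentioned earlier (Punycode, non-ASCII characters, parameters). It is an added example, not part of the original post; the function names are hypothetical and the sample hosts are constructed.

```python
import http.client
from urllib.parse import parse_qsl, urljoin, urlsplit

def head_location(url, timeout=5):
    """One HEAD request (headers only, no page body); return the redirect target or None."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("HEAD", (parts.path or "/") + ("?" + parts.query if parts.query else ""))
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()

def expand(url, fetch=head_location, max_hops=10):
    """Follow redirects one hop at a time and return every URL in the chain."""
    chain = [url]
    for _ in range(max_hops):
        target = fetch(chain[-1])
        if not target:
            break
        target = urljoin(chain[-1], target)  # the Location header may be relative
        if target in chain:                   # redirect loop: stop here
            break
        chain.append(target)
    return chain

def traits(url):
    """Report the URL features the article says can trip up scanners."""
    parts = urlsplit(url)
    found = []
    if any(label.startswith("xn--") for label in (parts.hostname or "").split(".")):
        found.append("punycode host")
    if not url.isascii():
        found.append("non-ASCII characters")
    names = [name for name, _ in parse_qsl(parts.query, keep_blank_values=True)]
    if names:
        found.append("query parameters: " + ", ".join(names))
    return found

# Constructed redirect map standing in for the network (hosts use the reserved .example TLD).
SAMPLE = {
    "https://short.example/abc": "/r/abc",
    "https://short.example/r/abc": "http://xn--80ak6aa92e.example/landing.php?id=42&ref=mail",
}
if __name__ == "__main__":
    chain = expand("https://short.example/abc", fetch=SAMPLE.get)
    print(chain, traits(chain[-1]))
```

With the default `fetch`, each hop is still contacted, so the shortener and every redirecting server will log the request even though no page is rendered.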