Beware the Links! How to protect yourself from Malicious Web Links.
Let’s talk about link security. Link security is important. A simple web link, whether it is presented to a user, emailed to someone, or clicked on by a user, even one presented by the major search engines with filters on, can be the source of a lot of trouble. In this post our aim is to make you safer.
Exploits for this kind of attack range from adware infecting a computer, to an actual full blown scripting attack through any number of delivery agents including Flash, Java, C+, Visual Basic, .NET Frameworks, Invisible I-Frames, Redirects, PHP, SQL attacks and more. A malicious link that looks virtually the same to a user as a legitimate link, or a user simply not caring what link they click on, is the number one distribution method of malware, ransomware, phishing scams, theft of credit/debit cards, information gathering, or just a hacker’s gateway.
For example: a link is sent to an email that advertises a Groupon deal. It’s got all the right HTML in it to look just like a Groupon offer. Now the email may not be from Groupon. That might be a good indicator not to click that pretty HTML-coded link, but you do, because you don’t see the link, just the “click here” coupon image with the link embedded. The link below is not malicious, but what it did do was redirect you through this: http://spottyfly.com/1SMGOF.html. That link came from Grabify, or for those of you that wish to see it, https://grabify.link/. You may not see this link, as it will be embedded in a picture file that looks like a Groupon advertisement (or it can even be in an invisible picture).
When you follow that link, nothing will happen to you, other than that you are redirected to Groupon. Any of you on this site, that decided to click that link or picture, will discover you end up at Groupon’s site advertising Spirit Halloween store deals. What you might not know is that it logged your IP Address for me, at least your external one. It also allows me to find out some useful stuff. What device you use...your Operating System, your browser, your internet provider’s location, your possible location. And with a little digging, a lot more.
Also, there is nothing that is illegal about that kind of data gathering technique. Here is some data I gathered by clicking my link myself:
That is the bare minimum thing that could be done with a malicious link, but the first step for a hacker, phisher, company, government or any old joe, to start surveilling you. The link could have been worse…a malformed flash video, that creates a condition of buffer overflow, and allows me to inject a package that then gives me root to a user’s device is one possibility, of thousands, that can be used to exploit either the browser, or one of its extensions or plugins, to give a hacker root to your device. That is bad.
It’s for that reason that link security is such an important thing. Some may say that my little information gathering mission amounts to not much. I mean, after all, having an IP on someone, considering a majority of IPs are dynamic, is not the same as having direct access to them. Consider this however: I can now look through my own website’s logs to see what users were on at that time, and knowing the time the link was clicked, and knowing what users were on my server clicking that link, lets me now correlate to the registered user’s email and verification of registration results like country. Or in the case of an email link, it lets me know your email service provider, and possibly internet host. And knowing you will click my links in the future, I can now attempt to exploit you via email through a link to a webpage with malicious script. And I can construct a special link just for that user.
A special link, because I know something about the user. I know what device they like to use…what OS is on it, the user’s favorite browser and browser version number. Armed with this information and the fact that I know their probable country maybe their ISP…possibly if they like to use the same free Wi-Fi at a certain coffee shop every day at a certain time. Maybe an email malware loaded advertisement, or link from that coffee shop is stealthy too? But in any case, I can now go dig up the beginnings of my exploit hand tailored for the user, and the net is going to help me too.
For an example, not related to the above picture which contains all false data, I know by my data gathering that the user has an Apple iPhone 7. On it is running the Apple iOS 10.2 operating system, and Safari Browser V. 1.0.3. A little outdated. But this is theoretical after all. And so I go to my net sources: Rapid7, https://www.rapid7.com/, Exploit Database, https://www.exploit-db.com/, Offensive Security, https://www.offensive-security.com/community-projects/the-exploit-database/, GitHub, https://github.com/offensive-security/exploit-database, cxsecurity, https://cxsecurity.com/exploit/, and a number of others, and see if any exploit exists. I find this one in 2 minutes, https://www.exploit-db.com/exploits/42784/. It is a very nice little hardware buffer overflow granting me root access to the user’s phone, via the Wi-Fi firmware. So regardless of whether the OS was updated or not, unless the firmware of the Wi-Fi card in the iPhone is updated, the user is vulnerable. I see it is a Python attack, and what steps I need to take to create what amounts to a RAT (Remote Access Trojan). Once it is compiled all I need do is deliver it to the user.
I’m not going into the mechanism of delivery. I have already outlined that a link is a good mechanism to utilize as a means to hack individuals. But this article is not about exploiting users.
It is about the security protecting against being the exploited user. Avoiding links is the best answer. Use only links you know for certain to be good links…but that can be a bit unrealistic at times. So, if you’re going to click, do this: The first and best protection is probably to implement the systems outlined in Online Anonymity Workshop Lesson 1 - Whonix, and Online Anonymity Workshop Lesson 2 - Whonix, VPNGate, and AdvOR. This would prevent a phisher from knowing your true IP, your OS, your device, your email or your actual location. However, for the casual but cautious user one great way to protect yourself is to use Sandboxie.
It lets you run your preferred browser sandboxed, as well as run programs sandboxed, email sandboxed, or Windows Explorer. What sandboxed means is that it runs those things in a virtual box that prevents code from leaving its confines. Therefore a browser or program cannot interact with your OS, and cannot exploit the browser. This may not make you anonymous, but it prevents exploitation. I can still data gather about the user though. But it makes it unlikely I can use any sort of malicious code through the browser, or even a Trojan they might download, that could affect them.
A user might wish to add to their browser a few key protections in the form of plugins or extensions. One is uBlock Origin for Chrome or uBlock for Firefox. It is essentially an ad blocker, but it lets you put custom filters in easily. It can help to prevent redirects that you run into on certain sites as well. Also add in Blocksite for Chrome and Blocksite for Firefox, another blocker with built-in filters and customizable filters, as well as parental controls.
Another Extension is ScriptBlock for Chrome and NoScript for Firefox. These are script blockers, that prevent the execution of script code in a user’s browser. They will most certainly block most forms of malicious scripted attack and quite a bit of advertising too.
However, the drawback is they block a lot of legitimate script too. The web today relies heavily on scripted programming to execute helper applications, formatting, functions within the browser and even security in some cases. Blocking scripts can render some legitimate sites useless to the user, or block legitimate features. So I use script blocking judiciously, and on sites that I know are loaded with content I either do not wish to see or care about, or when going to completely unknown sites.
Also, be aware that search engines are shamelessly gathering data about you all the time. Every time you use a major search engine you are being targeted based on your searches. Be aware, that just because a link shows up at the top of a major engine, does NOT mean that it is safe to click on. To prevent search engine tracking you can use an alternative to search that protects privacy. One such engine is DuckDuckGo, https://duckduckgo.com/. They also have an extension for Chrome, and for Firefox.
Finally, as extensions or plugins go, there is another excellent blocker known as Ghostery for Chrome or Ghostery for Firefox. It is much like the ad blockers, but has the added functionality of seeking out hidden trackers that try to follow your surfing habits through the net and reveal your social media profiles to target you with advertising.
You should be aware that both Chrome and Firefox have stealth modes as well that you can utilize. These modes help to stop tracking, and also do not save a history of your browsing. On Chrome it is known as Incognito; on Firefox, Private Browsing. For Chrome, click the 3 dots at the top right (the settings) and choose New Incognito Window (or do CTRL-Shift-N).
For Firefox Click the menu button, and then click New Private Window (or do CTRL-Shift-P).
For those who wish to try it however, it is simple to create a desktop shortcut that starts the browsers in those modes. To do this with Chrome:
1. Right click on the desktop
2. Go to New
3. Click on Shortcut
4. Then enter or copy and paste from here: C:\Users\User\AppData\Local\Google\Chrome\Application\chrome.exe --incognito
5. Name it incognito (or whatever you like) then click Finish.
For Firefox follow steps 1-3 then
4. "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -private
5. Name it Firefox Private (or whatever) then click Finish
There are many other tools, techniques and such that can be used to help keep you from getting exploited via a malicious link. Tor Browser is another such tool. However, using Tor also sends up signal flares to your ISP, and to authorities sometimes, because of its highly controversial nature in use with the deep web. However, there is a tool for all your services that is very good at protecting your privacy. That is Softether VPN. Using a Virtual Private Network (VPN) is a good way of preventing anyone from knowing your whereabouts, and a good way to prevent your ISP, authorities, or others from knowing about your surfing habits, and even of protecting your chat sessions and such. I like Softether for its simplicity, and the fact that it always spoofs my IP properly, unlike some VPNs I have tried. It will not however protect you from a link with a redirect, Trojan or exploit loaded into it, just your privacy. I’m not going to get into installing this software in this article, but I may do so in another post.
For the most part, safety is in the user’s actions. Being aware is the best defense against malicious links. If you don’t know…don’t click. If you start getting ads in email from unrecognized sources, send them to the spam folder, or filter them from email. Don’t click links on social media unless you’re sure of the source. Don’t trust that any source is foolproof either…there are plenty of well-meaning users that have gotten hit with a virus that will email or contact everyone on their contact lists in an attempt to infect their associates as well. So internet safety can be tricky.
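An added example, not part of the original post: a small Python check that lists where the links in an HTML email really point, flagging image-only links and links whose visible text names a different host than the href. The sample email is constructed; the spottyfly.com and grabify.link hosts come from the coupon example earlier in this post, while the /EXAMPLE path and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample email: three links dressed up as a coupon offer.
SAMPLE_EMAIL = """
<a href="http://spottyfly.com/1SMGOF.html"><img src="cid:coupon.png" alt="Click here"></a>
<a href="https://www.groupon.com/deals">See all deals</a>
<a href="https://grabify.link/EXAMPLE">https://www.groupon.com/coupons</a>
"""

class LinkCollector(HTMLParser):  # records href, visible text and image use per <a>
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and (attrs.get("href") or "").startswith(("http://", "https://")):
            self._cur = {"href": attrs["href"], "text": "", "image": False}
        elif tag == "img" and self._cur is not None:
            self._cur["image"] = True
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self._cur["text"] = self._cur["text"].strip()
            self.links.append(self._cur)
            self._cur = None

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def audit_links(html, expected_domain):
    """Return (href, host, reasons) for links that are off-domain or disguised."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host, reasons = host_of(link["href"]), []
        if host != expected_domain and not host.endswith("." + expected_domain):
            reasons.append("destination is not " + expected_domain)
        if link["image"] and not link["text"]:
            reasons.append("image-only link hides the URL")
        shown = host_of(link["text"]) if "://" in link["text"] else ""
        if shown and shown != host:
            reasons.append("text shows " + shown)
        if reasons:
            findings.append((link["href"], host, reasons))
    return findings
```

Calling audit_links(SAMPLE_EMAIL, "groupon.com") reports the image link and the link whose text shows a Groupon address, and passes the genuine groupon.com link.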
Below, I will summarize exactly what steps a casual user should take to be safe, as outlined in this article. As always, I invite intelligent commentary and discussion, and reserve the right to delete stupidity as I see fit ;-P
Link Safety 101
1. Avoid unknown links
2. Use web-based email rather than client based email (like MS Outlook).
4. Run those browsers in Incognito or Private mode
6. Download Sandboxie, and run your browser sandboxed, this is maybe your best protection of all.
7. Finally, add a decent VPN like Softether VPN.
Happy surfing...be safe.