MAR 31, 2020
Detecting Fraudulent or Malicious Websites
Gemini’s security team proactively monitors for illegitimate websites that pose a risk to our customers. If you know what to look for, these sites are often easy to identify. Based on our experience, we wanted to share some security best practices that can help you quickly spot risky websites and associated scams.
The Basics of Identifying Fraudulent or Malicious Websites
Many fraudulent or malicious websites rely on impersonating a trusted website. This is typically done through the manipulation of URLs and hyperlinks.
Go Direct. The easiest way to avoid an untrustworthy website is to avoid clicking on a link and instead go to a trusted website through a search engine or by typing the URL directly into the browser.
Check the Address. Sometimes it’s not easy to browse directly to a website and we need to click a hyperlink. To reveal the URL that a hyperlink references, on your desktop computer, simply move your mouse over the link (don’t click it). For Chrome and Firefox, the full URL for the link will appear in the bottom left of the browser.
Uncover Shortened and Unknown URLs. Any URL can redirect you to another location. When you see a shortened URL that you may suspect is malicious or a URL that is unknown, you’ll need to use a site like URLscan.io to help reveal the true URL.¹
Once you have the true URL, you’ll need to determine if it’s a legitimate site. In most cases it should be apparent.
Examine URLs Closely. There are some techniques that can be used to trick users into thinking a URL is trustworthy when in fact it is not. Internationalized Domain Name (IDN) homograph attacks use look-alike characters to trick users into believing they are accessing the correct URL. Examples include replacing the letter “O” with a zero or the letter “I” with the number one. Chrome and Safari resolve these deceptions when you move your mouse over a link, making them easy to spot. Firefox does not by default, although it is configurable.
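As an added example (not from the original post), here is a Python check that makes the hover-time inspection above mechanical: it renders the hostname in punycode, reports whether its letters mix Unicode scripts, and folds the zero-for-O and one-for-I substitutions to see whether the host imitates a trusted domain. The trusted-domain list and the two-label "registrable domain" rule are simplifying assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

# Domains treated as trusted for this check (constructed list, not Gemini's own allowlist).
TRUSTED_DOMAINS = {"gemini.com"}

# Fold the ASCII lookalikes the page names (zero for "o", one for "i"/"l") onto one letter.
# These are plain ASCII, so a browser's punycode display never exposes them.
FOLD = str.maketrans({"0": "o", "1": "i", "l": "i"})
TRUSTED_FOLDED = {d.translate(FOLD): d for d in TRUSTED_DOMAINS}

def hostname_of(url):
    """Lower-cased hostname of a URL; a bare hostname is accepted as well."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def punycode(host):
    """ASCII (xn--) form: what a browser shows when it declines to render an IDN."""
    return host.encode("idna").decode("ascii")

def scripts_in(host):
    """Unicode scripts of the letters in the host, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in host if ch.isalpha()}

def registrable(host):
    """Last two labels; a simplification that ignores public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])

def lookalike_of(host):
    """Trusted domain this host imitates once digit lookalikes are folded, else None."""
    actual = registrable(host)
    if actual in TRUSTED_DOMAINS:
        return None
    return TRUSTED_FOLDED.get(actual.translate(FOLD))

def inspect(url):
    """Summarise the IDN and lookalike signals a reviewer would otherwise check by hand."""
    host = hostname_of(url)
    ascii_form = punycode(host)
    scripts = scripts_in(host)
    imitates = lookalike_of(host)
    return {
        "host": host,
        "punycode": ascii_form,
        "is_idn": ascii_form != host,
        "mixed_script": len(scripts) > 1,
        "lookalike_of": imitates,
        "suspicious": ascii_form != host or len(scripts) > 1 or imitates is not None,
    }
```

A single-script IDN made entirely of another alphabet (no mixing) is not caught by the script check; the punycode form is still shown, which is the signal the browsers above rely on.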
Advanced Tactics for Identifying Fraudulent or Malicious Websites
If, after all these steps, you’re still not sure a site is trustworthy, you should probably avoid it. However, if that’s not an option and you’re determined to proceed, there are more steps you can take to determine a website’s trustworthiness.
Assess Observed Malicious Activity. Using a scoring system, sites like URLscan.io take into account different data sources and page characteristics to determine the likelihood a site is malicious. Below is an example from URLscan.io of a warning displayed for a known phishing site.
Validate Certificate Information. Today, most websites utilize Transport Layer Security (TLS) and underlying certificates. These certificates contain valuable information that can be used to gain a better understanding about a website.
There are three types of certificates:
- Domain Validated (DV): cheap and easily obtainable
- Organization Validated (OV): require a registrar to verify a company’s identity, providing an additional level of assurance
- Extended Validation (EV): most difficult and expensive to obtain, providing the highest level of assurance
A DV certificate contains no identifying information in the organization name field; instead it will typically just repeat the domain name. An OV certificate will include the name of the organization and an EV certificate will contain the name of the organization and the physical address. To check if a site uses an EV certificate, you can use SSL Labs.
Certificates are strong indicators, but not a guarantee, of a site’s relative trustworthiness.
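An added example, not Gemini's own tooling, that applies the DV/OV/EV rule of thumb above to a certificate subject in the layout Python's ssl.getpeercert() returns. The three subjects are constructed, and the classification (no organization means DV, an organization with a street address means EV) is a heuristic read of the subject fields, not the CA's validation record.

```python
import socket
import ssl

# Constructed subjects in the shape ssl.getpeercert()["subject"] returns: a tuple of RDNs,
# each a tuple of (attribute, value) pairs. These are samples, not real certificates.
DV_SUBJECT = ((("commonName", "example.com"),),)
OV_SUBJECT = (
    (("countryName", "US"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "example.com"),),
)
EV_SUBJECT = (
    (("countryName", "US"),),
    (("streetAddress", "1 Example Plaza"),),
    (("localityName", "New York"),),
    (("organizationName", "Example Corp"),),
    (("commonName", "example.com"),),
)

def flatten(subject):
    """Turn the nested RDN tuples into a flat {attribute: value} dict."""
    return {attr: value for rdn in subject for attr, value in rdn}

def classify(subject):
    """Page's rule of thumb: no organization -> DV, organization -> OV,
    organization plus a street address -> EV. A heuristic, not a CA policy check."""
    s = flatten(subject)
    org = s.get("organizationName", "")
    cn = s.get("commonName", "")
    if not org or org.lower() == cn.lower():  # DV leaves O empty or repeats the domain
        return "DV"
    if "streetAddress" in s:
        return "EV"
    return "OV"

def summarize(subject):
    """The fields a reviewer compares against the company they expect to be dealing with."""
    s = flatten(subject)
    address = ", ".join(s[k] for k in ("streetAddress", "localityName") if k in s)
    return {
        "type": classify(subject),
        "organization": s.get("organizationName"),
        "address": address or None,
    }

def fetch_subject(host, port=443, timeout=10):
    """Live lookup of a server's leaf-certificate subject (needs network access).
    The default context validates the chain, so a bad chain raises before this returns."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]
```

`summarize(fetch_subject("example.com"))` runs the same classification against a live site.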
Check the Domain Registration Date. Malicious actors tend to create a domain just before use. As a result, if a domain is fairly new, it has a substantially higher chance of being malicious. Legitimate sites don’t often register a domain and then launch an e-commerce site in weeks. Although there will always be exceptions, domain registration date is another piece of information that can be used to determine potential scams or malicious sites.
Preview the Website. Although visiting an untrustworthy site can be risky, viewing a picture of the site won’t cause harm to your computer or result in the loss of personal information. Services like URLscan.io remotely view and capture an image of the site you’ve requested, allowing you to take a peek at the site without taking the risk of actually visiting the site itself. With an image, you can assess the site for pixelated images, poor grammar, sloppy design, or other telltale signs of an untrustworthy site. If it looks unprofessional, it’s likely not legitimate.
Preparing for Failure
Eventually everyone clicks on a link or visits a website that contains malicious content. The good news is that when properly used, most modern web browsers and accompanying extensions can act as a security boundary.
Update Your Browser. Modern browsers are very secure if they’re up-to-date, and conveniently most now auto-update by default. But, in order to complete an update, you need to restart your browser periodically. Keeping your browser up-to-date avoids most problems.
Block Malicious Content. Malicious content in websites can be hosted in ad networks and/or be present in active website content. There are a number of third-party extensions for major browsers that block or reduce the amount of ads and active content rendered when visiting a website. uBlock Origin is a popular ad-blocking extension that is easy to operate and has minimal impact on normal browsing. Although more difficult to use, NoScript is an example of a popular and highly effective extension that blocks active content.
Use a Password Manager. In addition to all of their traditional benefits, password managers also only fill out account details on saved sites. So, if you visit a phishing site that is attempting to steal your credentials, the password manager won’t automatically populate your credentials and in some cases may even provide a warning.
Arming You With Knowledge to Protect Yourself
Fraudulent and malicious websites cost consumers hundreds of millions of dollars every year. Hopefully these security best practices will help you to identify and avoid malicious websites. Read our Common Online Scams and How to Avoid Them post to further help you protect yourself and always remember to use caution and good judgement online. Stay safe out there.
Onward and Upward,
Dave Damato, Chief Security Officer
¹ Limit URLs submitted to third parties to those you suspect are malicious. Legitimate URLs that reference sensitive information could be viewable by a third party.