How can I Tell if Email Links or Attachments are Safe?

I’ve been getting a lot of questions on how to tell if an attachment or link is valid or malicious. Although I’ve mentioned these methods in a variety of posts, I’ve never put all of this  information in one place. So here it is: a compendium of information on keeping yourself safe from malicious email links and attachments. I will not focus on more sophisticated spearphishing attacks here, only on regular spamming or hacking attacks. For those interested in more targeted email attacks, see my post on spearphishing emails.

How Attackers Avoid Your Spam Filters

 Keep in mind that most spammers pay marketers to get them into your inbox. Of course, that’s just the first part of the story. The spammer attack mode is 1) get into the inbox, 2) get the email opened, and 3) get the link clicked.

To avoid the spam filter, the email must seem legitimate. It must seem to have a legitimate return address, a believable subject line, and valid links in the body of the email. Legitimate email return addresses are easy enough to make for a dedicated hacker. The mass spammer, however, doesn’t much care what their email address looks like and it’s pretty easy for you or the spam filter to figure out that it’s not legitimate. Your own email address may have been gleaned from bot programs which scour the internet looking for valid addresses that you may have posted there. The truth is that you have probably given your email address to many people or websites. For this reason, spam marketers have lists of email addresses that they are willing to sell to clients. Finally, hackers who have compromised large websites that hold large amounts of personal data may have got hold of your address during the hacking and sold the information to spammers or criminals. Some spammers only have your name and may use it in the return address fields when they send fake emails to people they’ve learned you are connected to. The email address will be fake, but they hope the victim will be fooled by seeing your name and ignore the invalid email address. They may, for example, know Joe Smith and see the following in the return field: Joe Smith <Jsmith@xyz.com>.

Keep in mind that the privacy of your email address is only as good as the security behavior of your contacts. The more contacts you have, the more chances your email address has been compromised. You may even receive an email from one of these contact addresses that is, in fact, malicious, having been sent by a spammer or hacker who has compromised the contact’s email. Naturally, your spam filter won’t block emails from legitimate contact addresses. To determine if such an email is an attempted hack, first look at the subject line. If it is something simple like, “Hi” or “How are you?”  (often including your name) be suspicious. Be even more suspicious if they ask you to follow a link or download an attachment.

Testing the Link in an Email

But we are all curious. What if it really is a valid file or link sent by an ex-boy or girlfriend? Can you really stop yourself from looking at it? Probably not. But you can take a few preventative steps. You can hover the cursor over the link to see if it really goes where it says it will. Hovering will show the true address, often in the lower left corner of the screen. If you are still suspicious, copy the link by right clicking on it and choosing the “copy link” option, then, go to a site like VirusTotal and paste the link in the URL search box. It will be analyzed for its maliciousness. If it is only a spam link to some site trying to sell you something, it will be regarded as ‘safe’. You may get mixed results. When I use this site, even one suspicious analysis is enough to keep me away.

Keep in mind that links can be faked. I made the following link to look valid but hover over it and you will see where it will really take you (look in the lower left hand part of the screen for most browsers).

http://google.com

Spammers use similar tricks with links to special offers. The following image appears to be offering you a special deal.

outback-spam

This and other similar gift cards may look real enough and many such cards are based on actual gift card designs. The gift cards may even seem to come from friends. It is, in fact, spam which is trying to get you to visit some other site to sell you something or to make you give them personal information. The whole image is designed as a link. Don’t worry, I’ve removed the original link and replaced it with a harmless, but real one, which you can see by hovering over any part of the image. You don’t need to click the parts that say, ‘click’, and even if you click the unsubscribe link in the body of the email, you will always go to the same place. (In fact, many people are fooled by thinking “unsubscribe” links will really work.) That’s why my email provider tossed it into the spam folder. Nonetheless, people are continually fooled by fake gift card offers all the time, especially during the holiday season.

Testing an Email Attachment

 First of all, be wary of all attachments. The general rule is never to open attachments with unusual extensions or with .zip or .exe extensions. Don’t worry if you have Gmail because it will reject emails that come with attachments having .exe, .zip, .tar, .tgz, .taz, .z, or .gz extensions. Attackers may try to hide or obscure the real extension using a number of tricks. One attack uses a fake .doc extension which will open MS Word and automatically install malware. Be sure to disable macros in Microsoft Word or a malware exploit can use this to install spyware on your computer or device. I made the following image to obscure the fact that this is not a Word document. I linked it to another website, but I could have done much more.

resume2

Let’s assume that you received an email from a friend or trusted enterprise, such as a bank, and you really feel the need to check out the attachment that is included. This is the tough decision that many people face daily. If all the other aspects of the email check out, you may feel safe in downloading and opening the attachment. If you have doubts, contact the sender by an alternate email address, by phone, or in person. Remember that you can download any attachment without infecting your computer or device. As long as you do not try to open it, it is harmless. In fact, one way to test whether the attachment is safe is to download it and scan it with your own antivirus software. So, if the antivirus detects nothing malicious, is it safe to open the file? Well, most of the time, yes, however, there is always the chance that a clever malware designer has found ways to bypass or compromise the antivirus detection or they may be using malware that is currently unknown and, therefore, not in the antivirus database.

There are more advanced techniques for testing suspicious attachments, such as opening them in containers or in computers not connected to a network and that you don’t care if you infect or not, but these are beyond the needs of the average email user so I will not include a discussion of them here. For those interested in these techniques, I suggest a discussion that takes place on this website.

Following the above strategies should keep the average user safe from 99% of all malicious links or attachments. Nothing is perfect, but the odds are decidedly in your favor.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.
This entry was posted in Uncategorized and tagged , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s