How can I safely check whether an email link leads to a malicious website?
VPN Virtual Machine View-Source for those who know Javascript
[Tinfoil Hat (Mythic Warforged)] here.
If you are handy with Javascript and the like, I've always appreciated view-source:http://www.webaddress.com/ from the URL bar. For added tinfoil, do it behind a VPN, and a Virtual Machine.
The VPN is necessary just in case the attacker expects you to visit personally from your actual IP address. Your access attempt will show up in the visitor logs, but if they just get a random VPN, then Ho Ho Howned.
And the Virtual Machine is, of course, there to prevent strange attacks against the view-source page, which may or may not exist. Will not help against VM-escaping thingmabobs. Alternatively, you can programmatically open a socket connection (be wary of vulnerabilities in your chosen language) while behind a VPN, and use GET /page.html HTTP/1.0 to grab the HTML page, and then do the same for accompanying Javascript.
Look for funny things like zzz.saveToFile(), which usually indicate a drive-by download attempt. Same with intentionally obfuscated Javascript; it should not be trusted. Keep in mind that Minification and obfuscation are two different things.
Developer Console Watching (F12)
If you are handy with web development, and you want to see exactly what kind of odd funkiness is going on without having to completely follow the script line-by-line, then you can monitor changes as they happen with the developer console. This allows you to load the results of off-site/off-page Javascript that is generated dynamically.
Temporary Folder Watching
This is assuming you're behind a virtual machine. Obviously, you would not want to try this on your main machine.
Don't forget your temporary folder, which is usually %TEMP%. With drive-by downloads, they usually start saving executables to %TEMP%. You can see if such a thing occurs when you visit a page. They can be saved as .tmp files, which are later renamed to .exe. This is usually discovered by a function that looks like x.saveToFile()
Reset your Virtual Machine when you're done
Don't forget to reset your VM's state/snapshoot afterwards. You don't want to be infected long-term.
The other answers cover the threats to your computer quite well. However there is a further threat that was not covered. It is possible that URL's are unique to each recipient, allowing the hacker to identify emails that are:
- Active
- Susceptible to social engineering (clicked a link from a friend)
- Not necessarily Computer Security savvy (clicked a link from a friend)
Once the attacker has this data they have significantly narrowed the target list, allowing the follow up actions to be targeted and to avoid expending resources on inactive\ hard targets.
In this case the web pages may not be evil (but always assume that they are). They many only exist to detect that the link was clicked.
Suggestion would be:
- Buy a cheap laptop
- Rip out the disk and graphics card
- Run OS from DVD (possibly special customized for your needs)
- Connect on an internet connection that share no other devices* Use VPN service and set your own DNS servers for decent anonymity**
With no disk space and no graphics card it is hard, yet not impossible to corrupt your system.
Every time you reboot the computer, its clean the way you set it up on the DVD.
If you want to get paranoid for real, you can also every time insert a BIOS flash-utility DVD and restore your BIOS.
Nothing is ever 100% though. Unless you automate the process, the biggest fail point is that you will do it wrong number x'th time.
*Do not forget your mobile phone, your smart-TV, your nanny-cam etc if you have an LAN. I'd go cable and skip all wi-fi.
**Point here is that you do not want someone connecting your email address with your IP + True Identity. But that is a bigger issue.