You probably visit tens, if not hundreds, of websites daily. You read a news article here, check your social media there, then you watch a TV show on a streaming website, and click on a link your friend sent you. However, are you sure that all the websites you’re visiting are safe and that none of them is, for example, a phishing site?

In this article, we look at some simple steps you can take to investigate whether the website you land on is safe and secure and you aren’t at risk of losing your data or downloading malware onto your device.

Out of character: Beware of misspelled URLs and ambiguous characters

Homoglyph attacks (also known as homograph attacks) and misspelled or otherwise deceptive URLs are among the most common tactics cybercriminals use to trick people into visiting their malicious websites. While it may sound as if you’ll get hit over the head with a dictionary, in reality a homoglyph attack occurs when threat actors register domains whose names are very similar to others but use visually ambiguous characters or contain an indiscernible addition.

To illustrate, imagine misspelling “Microsoft” in a domain name like “rnicrosoft.com” where the “r” followed by “n” can be misrecognized as “m” (depending on the font, point size and care the reader exercises). Or, one or both “o” characters in “facebook” can be substituted with a Greek omicron “ο” in a domain name like “faceboοk.com” (in case you cannot tell, the second “o” has been replaced with an omicron “ο”  here).

 

Figure 1. The first version uses an omicron instead of an “o”. While there’s most probably no such thing as a .com domain where the middle character is an omicron, the image above should help drive the point home. See also Spoofed URLs: Homograph Attacks Revisited.

A closely related form of subterfuge, commonly called typosquatting, involves registering domain names matching popular sites but with common typos, such as “gogle.com” and “gooogle.com”. Both of those examples are now owned by Google and redirect to the “intended” site, but there are many, many possibilities; consider the keyboard map below showing the extent to which Facebook has gone to protect against typos affecting just the last letter of “facebook” in its domain name.

Figure 2. To protect from typosquatting Facebook has registered, among others, domains with just the “k” replaced with letters indicated in cyan and redirects their web requests to the real facebook.com domain. Those indicated in yellow are registered by others and run webservers, whereas those in white are either unregistered or have no active webserver at the time of writing.
[Copyright WeLiveSecurity, 2021. Adapted from Brilliantwiki2’s original. This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.]

 

Of course, the spoofed website will be designed to look indistinguishable from the original to trick you even further. So be extra careful when copy-pasting a URL or directly clicking on one, and always double-check that you’re on the correct website. Some security products include homoglyph attack detection, so they should notify you if you’re accessing a suspicious web page.
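To make the checks above concrete, here is an added example (not code from this article or from any security product) that classifies a domain against a small watchlist, covering the mixed-script, look-alike and single-typo cases described in this section. The watchlist, the look-alike map and the function names are assumptions chosen for illustration, and the input is assumed to be a bare domain without subdomains.

```python
import unicodedata

# Assumed watchlist of brand labels (illustrative only).
BRANDS = ["microsoft", "facebook", "google"]
# Small constructed look-alike map; real confusable tables are far larger.
LOOKALIKES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def scripts(label):
    """Scripts of the letters in a label, taken from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold ASCII look-alike sequences (e.g. "rn" -> "m") to a comparison form."""
    for seq, repl in LOOKALIKES.items():
        label = label.replace(seq, repl)
    return label

def edit_distance(a, b):
    """Levenshtein distance; a distance of 1 is a single-keystroke typo."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def punycode(domain):
    """ASCII (xn--) form of a domain, which exposes non-ASCII characters."""
    return domain.encode("idna").decode("ascii")

def check_domain(domain):
    """Classify the first label of a bare domain against the watchlist."""
    label = domain.lower().split(".")[0]
    if label in BRANDS:
        return "exact"
    if len(scripts(label)) > 1:          # e.g. Latin letters mixed with a Greek omicron
        return "mixed-script"
    if skeleton(label) in BRANDS:        # e.g. "rnicrosoft" folds to "microsoft"
        return "lookalike"
    if any(edit_distance(label, b) == 1 for b in BRANDS):
        return "typo"                    # e.g. "gogle", "gooogle"
    return "no-match"

if __name__ == "__main__":
    for d in ["rnicrosoft.com", "facebo\u03bfk.com", "gogle.com", "facebook.com"]:
        print(f"{punycode(d):28} {check_domain(d)}")
```
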

Check if a website is malicious

If you have a feeling that there’s something off about the website you’re visiting or, better yet, one you’re considering visiting but haven’t yet, you can use a number of online tools to check whether it is malicious.

Google, for one, offers its Safe Browsing site status tool where you can paste a website’s URL and the tool will tell you whether the site is safe or not. Another similar tool you can use is VirusTotal’s URL checker, which analyzes the website’s address and checks it against numerous top-tier antivirus engines and website scanning engines and gives you an indication of whether a particular URL might be malicious. But even if it scans "clean", more digging may be in order: see these tools compiled by SANS instructor Lenny Zeltser.

Alternatively, you can also conduct a whois query to find out who owns the domain you’re visiting. whois is a record listing information about the domain you’re searching for and the information may include who owns it, when and where it was registered and how to get in contact with the owner. To carry out a whois query you’ll have to go to a dedicated website and then enter the address of the website you’re searching for.

One of the pieces of information you should be looking out for is whether the domain is freshly registered, which could be an indicator that it is malicious. For example, a site that is supposed to be Facebook will not be on a domain first registered in February 2021. Another sign that the domain might be malicious is if you click on “show more data” and it is incomplete or riddled with typos; however, in some cases that might be attributed to people being careless when filling out the registration data.
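The registration-date check can also be scripted once you have the text of a whois record. The following is an added example, not part of the original article: the sample record is constructed, the field labels are common ones assumed here (registries differ), and the 90-day threshold is an arbitrary assumption.

```python
import re
from datetime import datetime, timezone

# Common labels for the registration date; assumed here, registries vary.
CREATED_FIELD = re.compile(
    r"^\s*(?:Creation Date|Created On|created)\s*:\s*(\S+)", re.I | re.M)

# Constructed sample record for illustration only.
SAMPLE_WHOIS = """\
Domain Name: LOGIN-PORTAL.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2021-02-03T09:15:42Z
Registry Expiry Date: 2022-02-03T09:15:42Z
Registrant Name: REDACTED FOR PRIVACY
"""

def creation_date(whois_text):
    """Return the registration date as a UTC datetime, or None if absent or unparsable."""
    match = CREATED_FIELD.search(whois_text)
    if not match:
        return None
    try:
        # Only the leading YYYY-MM-DD part is used; other date formats yield None.
        day = datetime.strptime(match.group(1)[:10], "%Y-%m-%d")
    except ValueError:
        return None
    return day.replace(tzinfo=timezone.utc)

def domain_age_days(whois_text, now):
    """Age of the domain in whole days at time `now`, or None if unknown."""
    created = creation_date(whois_text)
    return None if created is None else (now - created).days

def registration_verdict(whois_text, now, threshold_days=90):
    """'fresh' if younger than the threshold, 'established' if older, else 'unknown'."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "unknown"       # a missing date is itself worth a closer look
    return "fresh" if age < threshold_days else "established"

if __name__ == "__main__":
    today = datetime.now(timezone.utc)
    print(domain_age_days(SAMPLE_WHOIS, today), registration_verdict(SAMPLE_WHOIS, today))
```
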

Look for a privacy policy

If you’re perusing a website and you’re on the fence about whether it is legitimate or not, one thing to check would be whether there’s a privacy policy. Each legitimate website should have one, since they are required by data protection laws to explain how the website safeguards and handles user data.



Businesses that run afoul of data protection rules, notably the European Union’s General Data Protection Regulation (GDPR), may face serious consequences for privacy and security lapses. So if a website doesn’t have a privacy policy or has one that seems lacking, it should be a pretty good sign that it doesn’t care for the strict data protection laws that are enforced around the world and something is afoot.

Find contact information

Any legitimate company that is interested in building a lasting relationship with its customers will have contact information listed somewhere on its web page in case something goes wrong. Usually, it consists of a contact form, email, snail mail address or phone number. There are several warning signs that you should be on the lookout for when trying to ascertain whether you’re dealing with a serious or legitimate business.

For example, if you try calling the listed phone number and it is disconnected or the person that picks up doesn’t sound professional, you’re most probably dealing with a scam. If it passes that test, then double-check by performing a quick Google search for the company’s official contact information and call that number for good measure.

Check for the “S” in HTTPS, but...

A widely used rule of thumb to check whether a website is safe is checking if it uses the HTTPS protocol. While HTTPS has often been presented as the be-all and end-all of website safety measures, in reality things are more complicated. HTTPS only ensures that communications between the web server and the visitor’s web browser are strongly encrypted. That provides security from eavesdropping, making it safe to log into, say, your bank’s website or another website that asks you to sign in.

Figure 3. A secure connection to a website

However, it does nothing to address the critical issue of how you can easily tell whether the site you are securely communicating with really is your bank’s website or just a good facsimile designed to steal your login credentials.

Nowadays, cybercriminals can just as easily obtain a completely valid SSL/TLS certificate for their fraudulent websites, the same way a legitimate business can. And since obtaining a valid certificate has become cheaper (even free) and they are now easier to implement, cases of cybercriminals using them to dupe people into believing that their fake websites are “safe” will only grow.

The bottom line is that the majority of websites on the internet now use either SSL or TLS, so that really isn’t an indicator of whether the website you are visiting is safe. You should take it as just one part of a larger puzzle and look for other signs that something is amiss. Indeed, you should inspect the website as a whole and see whether multiple things stand out, including the other indicators we plotted out in this article.

Where certificates are concerned, a good reference would be looking at what services the website offers, and which organization issued its SSL/TLS certificate. If the data it handles is of sensitive nature but the certificate provided is free or low cost, you should probably become quite suspicious and investigate the website more thoroughly. To check for the validation of the certificate and whether it was issued by a trusted organization, you can click on the padlock icon in your browser’s address bar.

Use a reputable security solution

Using a comprehensive, reputable security solution can go a long way toward protecting against most cyberthreats, including malicious websites. Security software will usually analyze the webpage with a built-in scanning engine that looks for malicious content and will bar access to the website if it detects anything that may pose a threat. This prevents any malicious content from being downloaded.

The security tool will also compare the website against a blocklist of known malicious websites and block access if it finds a match. Reputable security solutions usually also utilize anti-phishing technology, which protects you from attempts to acquire passwords, banking data, and other sensitive information from fake websites masquerading as legitimate ones. When you attempt to access a URL, the security solution compares it against a database of phishing sites and, if a match is found, it will immediately terminate your access and an alert will appear warning you of the danger.

Final thoughts

You might now feel that this is a tall order of things you should do to remain safe. Indeed, there are other things you really ought to pay attention to as well, such as whether a website has weird ads incessantly popping up all over the place, or whether a website is riddled with errors and bad grammar, which may indicate that you have stumbled upon a fraudulent website.

Anyway, to sum it up, you should be on the lookout for misspellings in the website’s URL, scrutinize its security certificate, and preferably type out the address manually or use only trustworthy links.