Defanging the URLs and keep yourself SAFE!
Hey there amazing hackers, how are you doing? I hope you and your families are healthy and happy as always. I am back with another blog which will be super interesting (it is at least to me!). When I was researching about Email Security, I found this particular topic URL Defang so interesting, that it gained my attention.
Enough for the prologue, let’s dive in.
Well, you guys already know that security researchers always state that we shouldn’t be opening any unknown documents we received in our emails because we don’t know if they are safe or we shouldn’t click unknown links because it can be a malicious link, which can result in leak of our information.
There are certain ways which an email can raise our suspicion like :
- email address sent from public and not from legit source like google’s @gmail.com.
- Spelling mistakes in email.
- Poorly written content.
- Unknown attachments.
- Some URLs wearing mask of bit.ly.
- message creates a sense of urgency.
- and so on.
Well, we will be focusing on email links which is by nature can be malicious. Specifically we’re going to focus on Defanging URLs and not the theory of email links et cetera.
Emails
Emails have been there around since 1965 and are used by people/organization all around the world on daily basis. With increase in number of emails, there have been lot of emails or, specifically phishing emails, which attackers tries to attack people usually by sending them emails containing malicious document or a malicious link. When a user opens up a document, there might be a malware installed on the user’s system without their knowledge or when they click on the unknown link, which usually seems trustworthy, they will be taken to a website usually hosted by the attacker so that they can either capture the user credentials in some way or they can force them to download a particular malware which is often masqueraded as anti-virus.
But today, many people and organizations are spreading knowledge about email security so that more and more people come to know about this so that they can be safe while handling such emails.
Screenshot of a Legit Email
Let’s focus on a screenshot of an legit email from google.com for accounts password recovery,
We can see in this screenshot that the mail I got from google is regarding the password reset (see my email ID which I obfuscated). This mail is a legit email sent by google (see Google’s sender mail address). This mail is sent to me when I requested for my password reset.
Note : Be very careful while reading these emails. Do not ignore them. If you haven’t issued such request, CANCEL IT, change your password if you see any unusual activity like someone else logged in recently as your account, and enable MFA, or Multi-Factor Authentication!!
Screenshot of a Suspicious Email
Now, focus on a screenshot of an suspicious email where I got the nominated for something nonsense that I don’t even know. But, that’s that.
Moving forward, I have highlighted all the details, so please take a look at these images carefully.
Starting off with the title of the blog, this came off too blunt to be true and kept me wondering, “how the how I am being nominated and for what?”. Next, the sender’s email address — oh my god, like seriously? Too smart to be good. Moving forward with body content, and like I said, I was laughing very hard,
Well, after hovering the mouse point on Jumbo Brown Button, I can see the hyperlink which looks suspicious. Let’s copy the link by right clicking on the Big Jumbo dumbo button and then click on Copy Link button,
Now, let’s navigate to Virustotal and throw the copied link in search bar and we can see that none of the Anti-virus shows this link is not suspicious. That’s very strange but whatever, I won’t open these links in my browser anyways.
In case, if some of you don’t know about Virustotal — It is a free service where bunch of Anti-viruses which scan a particular file, a hash, or a URL for viruses, malwares, or other malicious content.
I have a healthy habit of not clicking such links which can lead me to enter a pitfall but it might be possible that I might click 5 links out of 500. Now, you might be wondering that if I clicked on the link even by-mistake, won’t it be trouble for me? It might be, but fortunately, I am safe. But, it DOESN’T mean that you should open up the link as who knows what’s waiting for you there.
Now, enough of my rambling on emails and screenshots as you might be thinking by now that why I am showing you all the stuffs. That’s because it’s necessary to pick up pace from base level knowledge.
Defang ‘em
We just saw the suspicious link in unknown email and we straightaway recognize that email is not a legit one so it might be possible that someone sent me a phishing link. Uhh ohh!! But, we are safe till the moment we clicked on the link, else, we don’t know what will happen after we clicked on those links. So why don’t we Defang these URLs to make this thing less malicious?
Hey, Hellfire, what did you just say? Umm… Defang? What?
Okay, so let’s take a pause and understand the meaning of the term Defang. So, Defanging of URL means making a standard clickable URL into non-clickable URL.
But now a question arises,
1. why defang the urls?
2. Who cares to defang them?
3. But, if it’s important, how can we defang them?
Okay okay, I’ll answer them all. The answer is quite simple:
1. To make malicious links non-working, so even if by-mistake you clicked on any of the link, it won’t work at all and you will be safe.
2. Okay, if we don’t want to defang them, it’s okay. But be sure to never click on these links even by-mistakes as you might not be fortunate like me every time.
3. It’s not like necessary or 1000000% most important thing to defang URL, but it’s a healthy habit that one can make routine while sending mails so that receiver can be much safer while checking mails and they clicked on these links accidentally.
For example:
Original URL : (if you click on this URL, you will be taken to Google or Microsoft webpage),
Defanged URL : (Even if you try to click on this URL, it won’t work and you manually have to remove square brackets and paste the links by yourself into the browser.),
- hXXps://google[.]com
- hXXps://microsoft[.]com
This is a healthy habit of making URL defanged as even if a person clicks on the link by-mistake, they are definitely safe because the link won’t work and they have to manually work to land on a page of the specified link.
So, what we know about defanged URLs, is that replace t with X, so http will become hXXp, https will become hXXps, ftp will become fXp, etc.
Little Fun by doing Practical
There’s actually a python library which we can use to defang the URLs from command line, which can be found at defang.
So let’s install this library in our terminal,
pip install defang
this library is already installed on my system but for you, it will install this library and the dependencies.
We can defang the URL individually,
echo "https://www.google.com" | defang
We can defang all the URLs in the text file as well,
cat url.txt | defang
We can process an existing file to defang all URLs,
cat url.txt
cat url.txt | defang | tee safeurls.txt
cat safeurls.txt
We can also run this library from python interpreter,
python
from defang import defang
u="https://google.com"
defang(u)
Let’s take another domain name,
u="https://www.example.com"
defang(u, colon=True)
defang(u, all_dots=True)
Here, we have first assign the URL to u variable and then using first method, python interpreter will add square brackets around colons. Using second method, python interpreter will add square brackets around all dots in the URL.
So so, I will drop my pen down as I am getting out of words right now. But, honestly, this is it. All this I wrote down was one of the great things I have ever learned off. So I hope, from my core, that you enjoy reading and getting familiar with Defanging URLs and how can we make ourselves secure more than ever.
Alright fam, take good care of your self, sleep, workout, meditate and eat healthy food. Also, drink lot of water. See you guys soon. Until next time. (:
