URL Abuse and Security Testing
URL Abuse is a public CIRCL service to review the security of an URL (internet link). Users regularly encounter links while browsing the Internet or receiving emails. When there are some doubts regarding an URL (e.g. potential phishing attacks or malicious links), users can submit an URL for review via URL abuse.
How to use the service?
How to interpret the data?
There are 4 different color codes used in the URL Abuse application:
- Red means there are strong evidences the submission is a malicious link (e.g. an infected website, a known phishing website)
- Yellow means there are some evidences the submission is a potential malicious link (e.g. some A/V detected the link as being malicious)
- Green means the link is known to be safe (or currently not detected as malicious)
- Blue means there is additional information
What does the service do?
URL Abuse performs multiple tests in order to review the security:
- Redirect link analysis (where are the redirections pointing to and reviewing each entry)
- Checking each link against various security black lists (like VirusTotal and Google SafeBrowsing) and EU Phishing Initiative
- Review the current known associated DNS entries using CIRCL Passive DNS
- Review the current known associated SSL certificate using CIRCL Passive SSL
- Review the classification of the ISP hosting the links via CIRCL BGP Ranking
Where are the URLs submitted?
As URL Abuse performs multiple tests as described above, URLs are submitted to different CIRCL services but also external services like VirusTotal or EU Phishing Initiative. CIRCL uses the URLs to improve classification of malicious URLs or passive DNS data. If the URLs are sent to CIRCL via the “Send report to CIRCL”, CIRCL will review the maliciousness level of the URL and notify owner or/and hosting companies of the URLs to review the security and proceed to a clean-up if required.
What kind of information is kept when the URL is reported?
When you click on “Send report to CIRCL”, the following information is kept from the submission:
- The source IP address (IPv4 or IPv6 address) of the submitter
- and, obviously, the URL submitted
The submitter should also review the URL to ensure that no personally identifiable information is included.
IP addresses from anonymity networks (e.g. Tor) are allowed to use the service.
Contributing to URL Abuse
URL Abuse source code
The architecture of the URL Abuse software is modular. So you can contribute easily additional modules or expand the interface to your own needs.
URL Abuse source code is available on GitHub.