The internet can be a reasonably safe place from malware and scams if you are aware of what's going on. Sometimes, when there's a well-made phishing email, I'll open up Burp to check out what configuration they have and see how they managed to do the things they were doing, purely out of curiosity.
When doing something sketchy (clicking phishing links, navigating onion sites, etc.), never: use your real name, give your phone number, give your credit card number, give your social security number, etc.
When you hover over a link, your web browser should tell you where the link is leading to (Firefox shows it on the bottom left). Pay attention to this path. Does it look weird? Sadly, to obfuscate the final destination, many malicious actors will redirect the link multiple times, so it may take a few hops to find the final destination. Using curl, you can follow the redirects one hop at a time until you reach the final page, and check the hostname of every hop rather than only the first one. Amazon is not very nice and will consistently send malicious-looking links in their emails.
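Here is an added example (not from the original post) of doing that hop by hop with curl. It never passes -L, so nothing is followed blindly; each hop's host is compared with the brand domain the mail claims to be from, and a hop that leaves that domain is flagged. The URL in the usage comment is illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: walk a link's redirect chain
# one hop at a time with curl and compare each hop's host with the brand the
# mail claims to be from. Host and URL names are illustrative.

# Print just the host part of a URL (scheme, userinfo, port, path and query dropped).
url_host() {
    u="$1"
    u="${u#*://}"      # strip scheme
    u="${u%%/*}"       # strip path
    u="${u%%\?*}"      # strip query if there was no path
    u="${u##*@}"       # strip userinfo
    u="${u%%:*}"       # strip port
    printf '%s\n' "$u" | tr 'A-Z' 'a-z'
}

# Succeed if host $1 is $2 or a subdomain of it. amazon.com.evil.example is
# NOT a subdomain of amazon.com: the real domain is whatever sits immediately
# left of the TLD, so read hostnames right to left.
host_matches() {
    case "$1" in
        "$2" | *."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Follow redirects one hop at a time, printing each status code and URL and
# flagging hops that leave the expected domain. Relies only on curl's -w
# variables %{http_code} and %{redirect_url}; no -L, so nothing is auto-followed.
follow_chain() {
    url="$1"; brand="$2"; max="${3:-10}"; hop=0
    while [ "$hop" -lt "$max" ]; do
        hop=$((hop + 1))
        out=$(curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' --url "$url") || return 1
        code="${out%% *}"
        next="${out#* }"
        [ "$next" = "$out" ] && next=""   # no Location given: nothing to follow
        if host_matches "$(url_host "$url")" "$brand"; then flag=""; else flag="  <-- not $brand"; fi
        printf '%2d  %s  %s%s\n' "$hop" "$code" "$url" "$flag"
        [ -n "$next" ] || return 0        # not a redirect: this is the final page
        url="$next"
    done
    echo "gave up after $max hops" >&2
    return 1
}

# Usage (needs network), with an illustrative URL:
#   follow_chain 'https://example.com/some/tracking/link' example.com
```

The hop limit matters: a redirect loop on a tracking domain would otherwise keep curl busy forever, and the per-hop output is what lets you spot the one hop that lands on a look-alike domain.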
If you're following links via email (don't, but), I recommend you open the source of the email and look at Return-Path: rather than From: (the header your client actually displays), because anyone can set From: to whatever they want. If such a mail gets past your spam filter (which it probably won't), your client will happily show it as sent by one person while the reply and bounce paths lead somewhere else. Technically, Return-Path: can be chosen by the sender too: it is just the SMTP envelope sender, written into the message by your receiving mail server, so a spammer controls that as well. The lines your own server adds are the ones worth reading: the Received: chain (read from the bottom up, the last hop is the one your server saw) and Authentication-Results:, where your server records whether SPF, DKIM and DMARC passed and for which domain. Look at the header block and check whether those domains agree with the From: domain and with the link (most X-* headers are informational and just as easy to forge, so they prove little). Finally, if someone's email account is compromised, there's no way to validate any of this, because they are genuinely sending you a malicious email from a genuine address that passes every check.
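Below is an added example (not from the original post) of pulling those headers out of a raw message with awk and sed and comparing the domains they claim. The message, hosts and domains in it are constructed for illustration. The alignment check is strict (exact domain match), which is stricter than relaxed DMARC alignment, where a subdomain of the From: domain would also pass.

```shell
#!/bin/sh
# Added example, not part of the original post: extract the headers that
# matter from a raw message and compare the domains they claim.

# Print the unfolded value(s) of header $1 from the raw message on stdin.
# Header names are case-insensitive and long values are often folded onto
# continuation lines starting with whitespace, so a plain grep misses them.
header_field() {
    awk -v name="$1" '
        BEGIN { want = tolower(name) ":"; cur = "" }
        /^$/ { exit }                                   # blank line ends the headers
        /^[ \t]/ { if (cur != "") cur = cur " " substr($0, 2); next }   # folded line
        { if (cur != "") print cur; cur = "" }
        index(tolower($0), want) == 1 {
            cur = substr($0, length(want) + 1); sub(/^[ \t]+/, "", cur)
        }
        END { if (cur != "") print cur }'
}

# Reduce an address header value ("Shop <x@shop.example>" or "<b@mta.example>")
# to its lower-cased domain.
addr_domain() {
    v="$1"
    v="${v##*<}"; v="${v%%>*}"   # keep only what is inside <...>, if present
    v="${v##*@}"
    printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

# Domain that produced a passing DKIM signature, as recorded by the receiving
# server in Authentication-Results (empty if there is no dkim=pass header.d=).
dkim_domain() {
    sed -n 's/.*dkim=pass[^;]*header\.d=\([^ ;]*\).*/\1/p' | head -n 1
}

# Summarize who the message says it is from versus who actually handed it over.
check_msg() {   # raw message on stdin
    msg=$(cat)
    from=$(printf '%s\n' "$msg" | header_field From | head -n 1)
    rpath=$(printf '%s\n' "$msg" | header_field Return-Path | head -n 1)
    auth=$(printf '%s\n' "$msg" | header_field Authentication-Results | head -n 1)
    from_d=$(addr_domain "$from")
    rpath_d=$(addr_domain "$rpath")
    dkim_d=$(printf '%s\n' "$auth" | dkim_domain)
    verdict=aligned
    [ "$from_d" = "$rpath_d" ] || verdict=misaligned   # envelope sender vs displayed sender
    [ "$from_d" = "$dkim_d" ]  || verdict=misaligned   # signer vs displayed sender
    printf 'from=%s return-path=%s dkim=%s %s\n' "$from_d" "$rpath_d" "${dkim_d:-none}" "$verdict"
}

# Constructed sample: a mail that displays as amazon.com but was sent and
# signed by example.net, with a look-alike link. All names are made up.
SAMPLE_MSG='Return-Path: <bounce-1234@mail.example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.org with ESMTPS id abc123
    for <you@example.org>; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.example.org;
    spf=pass smtp.mailfrom=mail.example.net;
    dkim=pass header.d=example.net
From: "Amazon.com" <account-update@amazon.com>
Subject: Your order could not be shipped

Click here: https://amazon.com.example.net/verify'

printf '%s\n' "$SAMPLE_MSG" | check_msg
```

SPF and DKIM both pass here, which is the point: they only say that example.net really sent and signed the message, not that example.net has any business using an amazon.com From: address. That last question is what DMARC alignment answers, and it is the comparison the script makes.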
In the end, if you're tech savvy enough, check out the certificate of the website. Using openssl:
openssl s_client -connect $1:443
where $1 is the hostname from the link (facebook.com, etc., not the full URL), or set this in a bash script. This will print the certificate chain and the connection details. Add -servername $1 as well: that sends SNI, and without it a shared host may hand back a default certificate that has nothing to do with the name you asked for. A website like Google or Facebook will give you a good, basic certificate.
... subject=C = US, ST = California, L = Menlo Park, O = "Facebook, Inc.", CN = *.facebook.com issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA ...
Or for Google,
... subject=CN = *.google.com issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3 ...
Again, Amazon does not seem to care, and gives you a suspicious-looking certificate (the subject is not an amazon.com name at all):
... subject=CN = *.peg.a2z.com issuer=C = US, O = DigiCert Inc, CN = DigiCert Global CA G2 ...
Just remember that anyone can buy a DigiCert certificate. If a link has a DigiCert certificate, it may just mean that someone spent $50 to get one: a domain-validated certificate from any CA, DigiCert included, only proves that whoever requested it controlled that hostname at the time, so the issuer line tells you who checked the domain, not who is behind the site. What matters more is the subject and the subjectAltName list: do they cover the exact hostname in the link, and is that hostname really the brand's registered domain rather than a look-alike? Lazy spammers (and most are) will show up with a Let's Encrypt certificate. It's good for personal sites, but would Amazon use Let's Encrypt? No. So, if you see a link that claims to be "amazon.com", you check it with openssl and it's Let's Encrypt, something is fishy and caution should be taken.
Would www.navy.mil use Let's Encrypt?
... subject=CN = www.navy.mil issuer=C = US, O = Let's Encrypt, CN = R3 ...
O-oh. Okay. They actually do use Let's Encrypt. You'd think a .mil TLD would indicate a seriously secured website. The lesson: the name of the CA is a weak signal at best. A Let's Encrypt certificate is as valid as any other, and the check that actually holds up is whether the certificate is valid for the hostname you typed and whether that hostname is the real domain.
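Here is an added example (not from the original post) that wraps the openssl commands from the certificate discussion above into a few shell functions: it fetches the certificate a host serves for a given name (with SNI), prints the fields worth reading including the subjectAltName list, and lets openssl itself decide whether the certificate is valid for the hostname, which is the check that survives the Let's Encrypt detour. The host names in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original post: fetch the certificate a host
# actually serves for a given name and print the fields worth reading.
# Host names are illustrative.

# Fetch the leaf certificate served for name $1 (port $2, default 443) as PEM.
# -servername sends SNI; without it a shared host may hand back a default
# certificate unrelated to the name you asked for, which looks "suspicious"
# but is really just a missing flag.
fetch_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509   # keeps only the first PEM block: the leaf certificate
}

# Subject, issuer, validity window and the names the certificate is valid for.
# The subjectAltName list is what browsers match against, not just the CN.
cert_summary() {   # PEM certificate on stdin
    openssl x509 -noout -subject -issuer -startdate -enddate -ext subjectAltName
}

# Succeed only if the certificate on stdin is valid for hostname $1; openssl
# does the matching, so wildcards and subjectAltName entries are handled.
cert_matches_host() {
    openssl x509 -noout -checkhost "$1" | grep -q ' does match certificate'
}

# Usage (needs network):
#   fetch_cert www.amazon.com > amazon.pem
#   cert_summary < amazon.pem
#   cert_matches_host www.amazon.com < amazon.pem && echo "valid for that name"
```

Note what cert_matches_host does and does not tell you: it confirms the certificate covers the name you typed, so a mismatch means something is wrong with the site or your connection, but a match on a look-alike domain is still a match. The hostname itself, read right to left from the TLD, is the part no certificate check can do for you.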
1. Navigate to