What is the best way for a non-expert to visit a probably malicious web site?
What is the best way for someone who is not a professional security expert to visit a web site that is suspected, with high confidence, to be malicious but has a high value if not?
This question was prompted by this article discussing this paper on spearphishing, which included an example of such an email, which a "hit" being classed as someone clicking the link.
As an academic I am somewhat familiar with such unsolicited emails, the most frequent are offering speaking opportunities at predatory conferences. The problem with such emails is that they are difficult to distinguish from the non-predatory speaking and collaboration opportunities, and the recommendations for identifying them include visiting their web site. If one simply rejects all such offers from unsolicited emails then one will miss opportunities that can be important, particularly for early career academics.
If one defines best as a combination of easy, safe and with a good chance of getting the information one requires what is the best way to visit a web site that one strongly suspects is malicious in some way, but it is worth some effort because the payoff if it is legitimate is high?
Without knowing much about security the options that occur to me are:
- Visit the site with javascript turned off
- This is easy, but I do not know how safe it is and many legitimate web sites will fail without javascript
- Use a Virtual Machine
- If one has say VirtualBox with a linux image running it would be relatively easy to visit the site in a browser in the machine. I do not know how much safety that provides against real world attackers.
- Use a machine booted from a LiveUSB stick
- This is a little bit of hassle, but it seems the safest.