Phishing campaigns are using AMP URLs to avoid detection

Researchers have found a new phishing tactic which uses Google Accelerated Mobile Pages (AMP) to make URLs look trustworthy. The tactic is designed to slip past both software and users on the lookout for strange and untrustworthy domain names.

AMP is an open-source HTML framework designed to make web content load faster on mobile devices. The framework was originally created by Google, but over 30 news publishers and several technology companies have collaborated on the project.

AMP works by stripping bloat from web pages by forcing heavy restrictions on the kind of code that can be included. If it’s slow, you can’t have it. The stripped down pages are served from caches so they load faster, and the most popular cache by far is Google’s.

The phishing technique uses the URL of a web page cached by the Google AMP Viewer. For example, the home page of the website example.com would appear in the Google AMP Viewer as https://www.google.com/amp/s/example.com.

Although the site’s own URL and the AMP Viewer URL look similar, and both contain ‘example.com’, the crucial difference is that the first is served from the example.com domain and the second is served from the google.com domain.

Because of that, the AMP Viewer URL is just another web page on the google.com website and therefore inherits all the trust that very well-known domain name carries with both individuals and software, like email filters. And while it’s possible to block everything under https://google.com/amp/s/, that would inevitably block huge numbers of legitimate websites as well.

Threat actors can use this technique to cloak malicious websites in the legitimacy of the google.com domain, or they can use it to trigger redirects from the AMP URL to a malicious site.

The researchers found that the Google AMP URLs have proven to be very successful at reaching users, even in environments protected by secure email gateways.
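
A filter that judges links by hostname sees only google.com in these URLs. The Python sketch below is an added example, not code from the researchers or the original article: it unwraps the Google AMP Viewer path so the embedded destination can be checked on its own reputation. The blocklist, the sample URLs, and the reading of /amp/ without s/ as an http origin are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Hosts serving the Google AMP Viewer path shown in the article.
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}

def unwrap_amp(url, max_depth=5):
    """Return the destination URL embedded in a google.com/amp/ link.

    URLs that are not AMP Viewer links are returned unchanged.
    """
    for _ in range(max_depth):  # bounded, in case one wrapper holds another
        parts = urlsplit(url)
        path = unquote(parts.path)
        if parts.hostname not in AMP_VIEWER_HOSTS or not path.startswith("/amp/"):
            return url
        rest = path[len("/amp/"):]
        # Assumption: "s/" marks an https origin, its absence an http one.
        scheme = "http"
        if rest.startswith("s/"):
            scheme, rest = "https", rest[2:]
        if not rest:
            return url
        url = f"{scheme}://{rest}" + (f"?{parts.query}" if parts.query else "")
    return url

def assess(url, blocked_domains):
    """Judge a link by its unwrapped destination host, not by google.com."""
    dest = unwrap_amp(url)
    host = (urlsplit(dest).hostname or "").lower()
    blocked = any(host == d or host.endswith("." + d) for d in blocked_domains)
    return {"destination_host": host, "amp_wrapped": dest != url, "blocked": blocked}

if __name__ == "__main__":
    # Constructed sample data: reserved .example names, not real indicators.
    blocklist = {"phish.example"}
    for link in [
        "https://www.google.com/amp/s/example.com",
        "https://www.google.com/amp/s/login.phish.example/reset?id=1",
        "https://example.com/news",
    ]:
        print(link, "->", assess(link, blocklist))
```

This only parses the URL string. Redirects that happen after the destination loads are not resolved here and still need the link to be followed in an analysis environment.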

Alongside the use of AMP URLs, the researchers also saw:

  • Open redirects on trusted domains like microsoft.com being used.
  • Chains of redirects linking the AMP URL to the malicious site, not just a single redirect.
  • Image-based phishing emails that bypass filters looking for common phrases in text.
  • CAPTCHA services used to disrupt automated analysis.

Using CAPTCHAs, the attackers try to keep automated crawlers belonging to security vendors and researchers out, and only let through humans who are ripe to be phished. I used the word “try” in that last sentence on purpose because there are several crawlers out there that are equipped with CAPTCHA solving abilities that outperform mine.

How to avoid phishing attacks

  • Don’t take things at face value. Phishing attacks often seem to come from people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Take action. If you receive a phishing attempt at work, report it to your IT or security team. If you fall for a phish, make your data useless: if you entered a password, change it; if you entered credit card details, cancel the card.
  • Use a password manager. Password managers can create, remember, and fill in passwords for you. They protect you against phishing because they won’t enter your credentials into a fake site.
  • Use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.