Beware of a new kind of phishing scam that abuses Google Search’s open redirect feature to trick users into revealing their login credentials. Security researchers have come across phishing URLs that look trustworthy at first glance because they point to Google. A closer inspection, however, reveals that they carry Google Search’s open redirect HTTP parameter, through which scammers send users on to malicious phishing websites.
Scammers are abusing Google Search’s Open Redirect feature
In a recent blog post, Sophos revealed the URL format that carries Google Search’s open redirect parameter; it looks something like this:
“Over the years, scammers have realised that keeping things simple works for them, and the simplest message of all is like this one – nothing more than a malicious link.”
What poses the security challenge
First things first, the URL seems trustworthy because it points to Google. Experts often warn users against URLs that look suspicious, but in this case users find nothing wrong, since the landing page belongs to Google’s own website. Once users click on the URL, they see a redirect notice: “The page you were on is trying to send you to [malicious website URL].”
Most users may find this convincing, given that the redirect comes from Google, and this is what poses the security challenge. A couple of years ago, scammers were caught abusing an open redirect flaw in Google Maps.
Interestingly, such phishing URLs also include a unique identifier in the form of parameters such as sa=t and usg. With these in place, the scammers avoid triggering the open redirect error notice “The page you were on is trying to send you to an invalid URL.”
Security researchers also note that Google does not consider open redirects a security issue in the first place. They offer the following preventive measures:
- Don’t be taken in by the sender’s name
- Don’t feel pressured into clicking a link
- Check URLs before you click
- Use training and web filtering to avoid malicious sites
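As an added example (not code from the article or from Sophos), a small Python checker that puts the “check URLs before you click” advice into practice for the pattern described here: it parses a link, recognises Google’s /url redirector and reports the host the user actually lands on rather than the one the link displays. The /url path and the url=/q= destination parameter names are assumptions drawn from how Google search-result links are commonly shaped; the sample links are constructed and use the reserved .invalid TLD.

```python
from urllib.parse import urlparse, parse_qs

# Assumed redirector shape (from observed Google links, not from the article):
# path /url on a google.com host, destination in the url= or q= parameter.
REDIRECT_PATH = "/url"
DEST_PARAMS = ("url", "q")


def is_google_host(host: str) -> bool:
    """google.com and its subdomains only; country TLD variants are omitted."""
    host = (host or "").lower().rstrip(".")
    return host == "google.com" or host.endswith(".google.com")


def analyse_link(link: str) -> dict:
    """Display host vs. landing host; suspicious when /url leaves Google."""
    parsed = urlparse(link)
    shown = parsed.hostname or ""
    report = {"display_host": shown, "final_host": shown,
              "via_redirect": False, "suspicious": False}
    if not (is_google_host(shown) and parsed.path == REDIRECT_PATH):
        return report
    params = parse_qs(parsed.query)  # percent-decodes the destination for us
    for name in DEST_PARAMS:
        if name in params:
            dest = urlparse(params[name][0])
            # A destination written without a scheme ends up in .path
            final = dest.hostname or dest.path.split("/")[0]
            report.update(via_redirect=True, final_host=final,
                          suspicious=not is_google_host(final))
            break
    # sa= and usg= appear on genuine search-result links too, so they are
    # not treated as a signal; only the destination host matters.
    return report


def suspicious_links(links):
    """Return the links that would carry the user off Google via /url."""
    return [l for l in links if analyse_link(l)["suspicious"]]


# Constructed sample links (not real indicators); destinations use .invalid.
SAMPLE_LINKS = [
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Faccount-verify.invalid"
    "%2Flogin&usg=AOvVaw0PLACEHOLDER",
    "https://www.google.com/url?q=https://docs.google.com/document/d/abc&sa=D",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        r = analyse_link(link)
        print(link, "->", r["final_host"], "SUSPICIOUS" if r["suspicious"] else "ok")
```

The same check can be run over every link extracted from an inbound mail body before it reaches a user, which is where a web filter would apply it.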