
Beyond the Facade: Unraveling URL Redirection in Google Services

In the murky waters of cyber threats, one tactic has steadily gained wide adoption: URL redirection in phishing attacks. This stealthy technique allows cybercriminals to cloak malicious links, making them appear harmless to unsuspecting users. Among the vast expanse of online services, various Google services stand out as frequent targets for exploitation, because cybercriminals find them opportune ground for hiding their nefarious intents behind seemingly innocuous links.

In the third quarter of 2023, a notable surge in phishing attacks surfaced that leveraged Google AMP (Accelerated Mobile Pages) and Google Apps Scripts to facilitate the attack. Google AMP is a developer framework offered by Google specifically for crafting quick-loading web pages for mobile devices. On the other hand, Google Apps Scripts is a scripting language for extending the functionality of various Google Workspace Apps like Google Sheets, Google Docs, and Google Drive. The attackers ingeniously use the developer URLs associated with these services as redirectors, creating a veil for their phishing websites.
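The following is an added example, not code from the original post or from Trustwave, showing how a mail filter can look past the redirector described above: it unwraps a Google AMP cache link (the public `google.com/amp/s/<host>/<path>` form) to the destination it actually points at, and flags published Google Apps Script web-app links (`script.google.com/macros/s/<id>/exec`) so that the real target, not the Google domain, is what gets reputation-checked. The email body and hostnames are constructed samples.

```python
"""Unwrap Google AMP cache links and flag Apps Script web-app links in email bodies."""
import re
from urllib.parse import urlsplit, unquote

# Google AMP cache viewer path: /amp/s/<host>/<path> for an HTTPS origin,
# /amp/<host>/<path> for a plain-HTTP origin.
AMP_RE = re.compile(r"^/amp/(?P<secure>s/)?(?P<target>.+)$", re.IGNORECASE)
# Published Apps Script web apps live at script.google.com/macros/s/<id>/exec
APPS_SCRIPT_RE = re.compile(r"^/macros/s/[^/]+/exec", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_amp(url: str):
    """Return the destination hidden behind a google.com/amp/ link, or None."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in ("www.google.com", "google.com"):
        return None
    m = AMP_RE.match(unquote(parts.path))
    if not m:
        return None
    scheme = "https" if m.group("secure") else "http"
    target = m.group("target")
    if parts.query:  # the query string is forwarded to the origin page
        target += "?" + parts.query
    return f"{scheme}://{target}"


def classify_url(url: str) -> dict:
    """Label a URL as an AMP redirector, an Apps Script web app, or a plain link."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    dest = unwrap_amp(url)
    if dest:
        return {"url": url, "redirector": "google-amp", "destination": dest,
                "destination_host": urlsplit(dest).netloc.lower()}
    if host == "script.google.com" and APPS_SCRIPT_RE.match(parts.path):
        # The script decides where to send the visitor; the true target is opaque.
        return {"url": url, "redirector": "google-apps-script",
                "destination": None, "destination_host": None}
    return {"url": url, "redirector": None, "destination": url, "destination_host": host}


def extract_suspicious(body: str) -> list:
    """Return every link in an email body that goes through a Google redirector."""
    return [c for c in (classify_url(u) for u in URL_RE.findall(body)) if c["redirector"]]


# Constructed sample email body (not one of the samples in the post).
SAMPLE_BODY = """A file has been shared with you.
Open: https://www.google.com/amp/s/phish.example.net/SharePoint/login?id=123
Unsubscribe: https://mail.example.com/unsub
Update now: https://script.google.com/macros/s/PLACEHOLDER_SCRIPT_ID/exec"""

if __name__ == "__main__":
    for hit in extract_suspicious(SAMPLE_BODY):
        print(hit)
```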

In this first sample, the phishing email disguises itself as a Microsoft SharePoint notification about a shared file, which can be accessed through the link provided. Based on keywords used in the title of this supposed shared file, it appears that it contains information about a financial transaction that would benefit the victim/recipient.

Figure 1: Phishing email disguising itself as a SharePoint notification.

Figure 2: URL extracted from Figure 1, which leverages Google AMP as a redirector.

The visible link (Figure 2) in the email sample (Figure 1) redirects to another cloud storage service (Figure 3), one operated by the Swarm Foundation for use with Ethereum, a form of cryptocurrency.

Figure 3: URL redirection of Figure 2, which leverages the storage service of the Swarm Foundation.

In this second sample, similar to the first, the emulated template notifies the recipient of a financial transaction, in this case a failed payment.

Figure 4: Phishing email disguising itself as a ZoomInfo notification.

Figure 5: URL extracted from Figure 4, which leverages Google AMP as a redirector.

The visible URL (Figure 5) redirects to another web service called Azure Front Door, a Content Delivery Network (CDN) from Microsoft that offers fast and reliable access to web content.

Figure 6: URL redirection of Figure 5, which leverages Microsoft's Azure Front Door service.

In the third sample, the email is disguised as a system upgrade notification instructing the victim to update their account by signing in through the link provided. This time, the threat actor leveraged another service, Google Apps Scripts. Google had already taken down the malicious macro code by the time we got our hands on the sample; however, while the URL is clearly out of place in a notification like this and is sure to raise red flags for a trained reader, it can still pass as legitimate to an untrained eye.

Figure 7: Phishing email disguised as a system update notification.

Figure 8: URL extracted from Figure 7, which leverages Google Apps Scripts.

Though we couldn't inspect the landing pages in the provided samples due to the URLs being taken down, the added complexity resulting from the involvement of genuine services in the redirection chain demands our attention. Google, among various other legitimate online services, is exploited by threat actors to sidestep email filters. The use of authentic domains not only provides a false sense of security but also lures unsuspecting victims into clicking on links, making this approach increasingly favored in phishing attacks.

It is crucial to heighten awareness, since we anticipate a surge in such tactics over time. Staying informed is key to protecting oneself against these evolving threats; remain watchful to better shield against these deceptive maneuvers.

About the Author

Mike Casayuran is a Threat Researcher at Trustwave with over 13 years of experience in email security. He is currently part of the SpiderLabs Email team, where he is responsible for building machine-learning models to protect customers from URL-borne threats. Follow Mike on LinkedIn.
