Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Links Google Security The Internet

Scammers Are Using Google Maps To Skirt Link-Shortener Crackdown, Redirect Users To Dodgy Websites (theregister.co.uk) 85

According to security company Sophos, scam websites have been using obfuscated Google Maps links to redirect users to dodgy websites. The Register reports: The reason for this is Google's recent efforts to get rid of its Goo.gl URL-shortening service. The link-shortening site is a favorite for scammers looking to hide the actual address of pages. Without Goo.gl to pick on, scammers are now abusing a loophole in the Maps API that allows for redirects to be put into Google Maps URLs. This allows the attackers to chain the links to their scam pages within a link to Google Maps, essentially creating a more trustworthy URL that users are more likely to follow. The trick also has the benefit of being harder to catch and shut down than links made with the well-policed Goo.gl service. Because it uses Google Maps, there's no reporting structure in place to get the scammers shut down and the scammers don't have to use a Google-owned interface or API to do it.
This discussion has been archived. No new comments can be posted.

Scammers Are Using Google Maps To Skirt Link-Shortener Crackdown, Redirect Users To Dodgy Websites

Comments Filter:
  • The recent articles and corresponding actions of the big internet companies seem to push against basic redirect services. I am having a hard time understanding why. Makes me uncomfortable, but I can't explain why. Please enlighten me?
    • Re:Weird (Score:5, Informative)

      by Kaenneth ( 82978 ) on Wednesday May 02, 2018 @03:48AM (#56540252) Homepage Journal

      Because it's an abuse of what a URL should be.

      obfuscated URLs that hide their true destination are evil.

      • by Anonymous Coward

        Current URLs result from trying to make the browser into an OS...with apps, instead of the page reader it was originally.

      • by DarkOx ( 621550 )

        Exactly the 'RL' stands for resource locator almost by definition it should not obscure where something is going or where it will come from.

        I know there are some legitimate uses for shorteners; when you need to stuff an URL into a QR code or a SMS message etc. The reality is though its avenue for abuse is greater than its avenue for use.

        We tell users think / look before you click and than give them URLs that are opaque. Not good...

        Thanks to living in a world where LetsDecrypt has basically destroyed any n

        • Re: (Score:3, Insightful)

          by Opportunist ( 166417 )

          Thanks to living in a world where LetsDecrypt has basically destroyed any notion of responsible behavior by certificate issuers these shorteners are even more dangerous.

          I was right with you until this line. Because you want certificates to do something they were not only never designed for but simply and plainly cannot do. You want a certificate to mean that you are going to end up at the "right" destination. And that's not what they're for. All a certificate will do in your browser is to determine whether the server associated with the certificate is also the server that serves you the content you requested. Nothing more, nothing less.

          What a certificate cannot and does no

          • It's a lot harder to set up a thousand scam sites when each cert costs money.

            • So we add credit card fraud to the fold, what does that change exactly?

              • Nothing, but that is one step closer to tax fraud. I hear that police in America (US) , FBI, CIA are no match for IRS.

                • And you think that someone in Generistan cares about either of them?

                  A while ago I was allowed to play with international law enforcement agencies. People who you'd think have the power to get shit done in international crimes. We had a server pinpointed down to the exact place where it was at. We literally knew exactly the physical location of the machine that was used for a rather large international criminal operation. Message from Interpol: By the time we get the local authorities to cooperate, get a war

          • by DarkOx ( 621550 )

            You want a certificate to mean that you are going to end up at the "right" destination.

            No this is exactly what they are designed to do. They make sure that if I ask for www.example.com I really get that - not the site at the DNS reply you spoofed, or the server where you redirected my packets too, etc.

            Its true TLS/SSL certs can't protect us from voluntarily connected to bad actors but:
            1) It is harder to set up a bunch of scam sites when certs cost money. Sure you can buy them with a stolen CC etc but that too is likely to go a long way toward you being caught and shutdown.
            2) Domain valida

            • It makes sure you end up at www.example.com. What it does not do, but what people apparently expect it to do, is to certify that www.example.com belongs to ExampleCo Ltd. Aside of this:

              1) Those sites exist usually for hours or, at best, days anyway. Trojans that rely on these sites will get detected and ... can't tell you how without causing an uproar here, but let's say I know that links in spam mail surprisingly stop working a few hours after they get sent out, too. We are already at the point where they

        • $ curl -I https://goo.gl/asdf43tjix [goo.gl]
          HTTP/1.1 404 Not Found
          That was quick...

      • by houghi ( 78078 )

        I think it has more to do with how browsers handle errors. What should happen if you encounter an error 301 like on https://tinyurl.com/y7zdeygu you should not automagically be forwarded, but be warned where you are send to. Because to me there is not much difference betweem the above and https://www.google.com/maps/d/viewer?mid=1wCZ4UMhH8ksk69v82yo2SX4fBhY&ll=52.373870064019506%2C4.898056999999994&z=16 [google.com]. And if I change google.com with gooogIe.com (No, not just the extra o) or whatever, I still have

        • Having a warning on a 301 redirect would be fine. But I wouldn't want to see it on a 302 redirect. URL shorteners should probably all be using a 301 redirect, though.

          • by houghi ( 78078 )

            Or make a new message "321" and 332. 301 (and other 30X) for the same domain, including subdomains. e.g. http://google.com/ [google.com] to https://www.google.com/ [google.com] 31X for the same TLD (to google.com, but not to www.google.com) and 32X to a different domain (e.g. from google.com/youtune to youtube.com)

            Sure, it can still be abused, but not as open and can easily be verified.

            Implementing this should not be overly hard. But obviously e.g. google does not want that, as it will take people away from what they want. Pushing p

      • Re:Weird (Score:4, Interesting)

        by Danathar ( 267989 ) on Wednesday May 02, 2018 @10:01AM (#56541280) Journal
        I agree but... The whole reason WHY people use link shorteners is BECAUSE some URLs are so long that it IS practically obfuscated.
      • by sl3xd ( 111641 )

        obfuscated URLs that hide their true destination are evil.

        Which pretty much sums up Google AMP as well -- everything comes from google.com...

  • by Mandrel ( 765308 ) on Wednesday May 02, 2018 @03:45AM (#56540248)
    It's amazing the thought and effort that goes into criminal schemes. If there's plenty of legitimate work, the effective hourly rate can't be the only driver. It must also be because finding loopholes is more exciting. A honeypot for the hacker mentality, particularly those who are financially-challenged, aren't troubled by empathy for victims, and actually get off on the danger.
    • Or they live in shithole countries where nobody can have legitimate employment due to the government regulating companies out of business. It can happen here, too.
      • More likely they live in countries where a legitimate job in IT security gets you 20k a year while jumping the fence to the other side of the legality puts you in the vicinity of Silicon Valley salaries while still living in a country where 20k a year means comfortable living.

    • by Hentes ( 2461350 )

      With everything being full of security holes and connected to the internet the only reason why the cyberpocalypse hasn't happened yet is exactly because there's plenty of legitimate work available so not many bother.

    • That said, every time I get a phishing email, my first thought is always, oh, I could do this soooo much better.

  • by Anonymous Coward

    Since it is really really safe, being controlled by Libya.

  • I.e. having browsers say "Hey, this is a forwarding service that tries to send you to www.pwnmymachine.com/thisisascam, do you want to follow the link?"

    It would already be enough to do this for the better known shortening services. Not to mention that it would probably make those services useful again because no sane person right now clicks on a link from a well known forwarding service...

    • by Anonymous Coward on Wednesday May 02, 2018 @05:11AM (#56540376)

      When you click on a link on a Google search engine results page, a script replaces the link the moment you click on it. The actual link that the browser follows is a redirect through another Google URL, so that Google can track what you clicked on. This practice, replacing links on click, used to be seen as a sign of a malware infected web site. Now it's business as usual. In particular, it's used to hide referral codes: The link you see is the "clean" link without a referral code. The code is added only just before the link is followed, in a mousedown event handler. If browsers warned you about redirects, there would be hardly a website (including Google's) that wouldn't cause a warning every time you clicked on a link.

    • by Anonymous Coward

      no sane person right now clicks on a link from a well known forwarding service

      I think you're forgetting that most people don't even understand that there are risks for browsing.
      IMO, being poorly educated about the risks doesn't make them insane.

      They're like kids: It's our job to teach them, and it's also our job to keep them from hurting themselves before they understand.

      • I'm done teaching. It doesn't work. My current approach is fencing them in 'til they show that they know enough to break out of the fence, that's usually when they're smart enough to not need it anymore.

  • Actually, I'm not sure if this approach would work in this case, but the obvious cure for the abuse of regular link shorteners is to redirect the link and lock it down. For example, if the scammer is claiming to redirect for a lottery ticket, the NEW link (that the scammer can no longer touch) would be a website warning potential suckers about the risks of fake lotteries. Of course this approach would work especially well for emailed links, since every spam message already sent would become an irretrievable countermeasure that the scammer can't even cancel.

    Yes, it would still need a reporting mechanism to call the suspicious redirections to someone's attention, but the strong penalty might be sufficient. The last the the scammers want is risk exhausting the supply of suckers.

    • Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful. I'd prefer they also don't read my mail. Whatever happened to the idea of USPS provided email, anyway?

      • Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful.

        That's fine if you are technically competent and aware of the possible scam angles. People like my parents are a different matter altogether and a little bit of help from the email provider in their case is actually a pretty good idea. I have my father using gmail in part precisely because they do a good job filtering for spam, scams, and malware. Asking my father to do this would be a disaster waiting to happen. He's smart but the details of email technology isn't his focus in life.

        I'd prefer they also don't read my mail.

        Then encrypt your ma

        • Then encrypt your mail. The physical world equivalent to sending an unencrypted email is a post card. Don't write anything on a post card or an email you wouldn't be comfortable with anyone along the delivery route reading.

          I can't encrypt the mail that my dummy friends and acquantences send to me. The only way that will ever happen is for encrypted mail to be so easy that it's almost more effort not to. The post office is big enough that postal-email a thing, they could deliver certificates by regular mail, and you could absolutely get as much security out of usps encrypted email as you could get out of sending a security envelope via first-class mail, and the "encryption habit" would allow genuine security to also be somethi

          • I can't encrypt the mail that my dummy friends and acquantences send to me.

            That's the reason nobody uses encryption for email. Actually making it secure is (apparently) irreducibly technically difficult. But if you are concerned about sensitive information then your ONLY option is to go figure it out and get other people on board with you. Otherwise it is no different than having a tapped phone line and you should behave accordingly. This is NOT something you can outsource to your email provider and have reasonable certainty that it is actually secure so few people actually bo

    • There is no legitimate case for url shortening in an email.

      Hell, the only legitimate use case it has is on Twitter or other comment platforms with arbitrary limits.

      • by shanen ( 462549 )

        I think you are arguing against HTML email or any of the richer forms? If so, I think that bus has left the station. About 10 years ago.

        Shall we start arguing about inline versus top posting? Or should I try to "redirect" the discussion back to the original topic?

        • If you're email client doesn't tell you the location of the actual link before you click on it, that's your email client's fault.

          Wait maybe that is the solution? Just like links in slashdot show the actual location, why can't shortened links do that.

          No, wait that is still stupid. The url shortener itself is just not needed except when there are arbritrary limits.

  • Some people sure spend a lot of time and effort to fuck other people over. How do you feel about that?
  • Get rid of them all, they serve no legit purpose anymore.

  • by dkman ( 863999 ) on Wednesday May 02, 2018 @09:56AM (#56541254)

    I would like the browser to detect that the link I'm hovering over is a shorted URL (even if it's a "known" list), then instead of showing goo.gl/whatever it would hit the URL to find out where it forwards to and show me that.

    Because I won't click on a shortened URL unless I'm damn sure it's from a trustworthy source.

"To take a significant step forward, you must make a series of finite improvements." -- Donald J. Atwood, General Motors