Scammers Are Using Google Maps To Skirt Link-Shortener Crackdown, Redirect Users To Dodgy Websites (theregister.co.uk)
According to security company Sophos, scam websites have been using obfuscated Google Maps links to redirect users to dodgy websites. The Register reports: The reason for this is Google's recent efforts to get rid of its Goo.gl URL-shortening service. The link-shortening site is a favorite for scammers looking to hide the actual address of pages. Without Goo.gl to pick on, scammers are now abusing a loophole in the Maps API that allows for redirects to be put into Google Maps URLs. This allows the attackers to chain the links to their scam pages within a link to Google Maps, essentially creating a more trustworthy URL that users are more likely to follow. The trick also has the benefit of being harder to catch and shut down than links made with the well-policed Goo.gl service. Because it uses Google Maps, there's no reporting structure in place to get the scammers shut down and the scammers don't have to use a Google-owned interface or API to do it.
Re: Don't be Evil (Score:2)
Show the URL in the browser.
Part of the cause of this problem is the trend for browsers to not show the URL as part of the web page being displayed.
Google causes this with their 'streamlined' design that doesn't show the URL.
Weird (Score:2)
Re:Weird (Score:5, Informative)
Because it's an abuse of what a URL should be.
obfuscated URLs that hide their true destination are evil.
Weird-Form follows friction. (Score:1)
Current URLs result from trying to make the browser into an OS...with apps, instead of the page reader it was originally.
Re: (Score:3)
Exactly. The 'RL' stands for resource locator; almost by definition it should not obscure where something is going or where it will come from.
I know there are some legitimate uses for shorteners; when you need to stuff a URL into a QR code or an SMS message etc. The reality, though, is that its avenue for abuse is greater than its avenue for use.
We tell users to think / look before you click and then give them URLs that are opaque. Not good...
Thanks to living in a world where LetsDecrypt has basically destroyed any n
Re: (Score:3, Insightful)
Thanks to living in a world where LetsDecrypt has basically destroyed any notion of responsible behavior by certificate issuers these shorteners are even more dangerous.
I was right with you until this line. Because you want certificates to do something they were not only never designed for but simply and plainly cannot do. You want a certificate to mean that you are going to end up at the "right" destination. And that's not what they're for. All a certificate will do in your browser is to determine whether the server associated with the certificate is also the server that serves you the content you requested. Nothing more, nothing less.
What a certificate cannot and does no
Re: Weird (Score:2)
It's a lot harder to set up a thousand scam sites when each cert costs money.
Re: (Score:2)
So we add credit card fraud to the fold, what does that change exactly?
Re: (Score:2)
Nothing, but that is one step closer to tax fraud. I hear that police in America (US), FBI, CIA are no match for the IRS.
Re: (Score:2)
And you think that someone in Generistan cares about either of them?
A while ago I was allowed to play with international law enforcement agencies. People who you'd think have the power to get shit done in international crimes. We had a server pinpointed down to the exact place where it was at. We literally knew exactly the physical location of the machine that was used for a rather large international criminal operation. Message from Interpol: By the time we get the local authorities to cooperate, get a war
Re: (Score:2)
You want a certificate to mean that you are going to end up at the "right" destination.
No, this is exactly what they are designed to do. They make sure that if I ask for www.example.com I really get that - not the site at the DNS reply you spoofed, or the server where you redirected my packets to, etc.
It's true TLS/SSL certs can't protect us from voluntarily connecting to bad actors, but:
1) It is harder to set up a bunch of scam sites when certs cost money. Sure, you can buy them with a stolen CC etc., but that too is likely to go a long way toward you being caught and shut down.
2) Domain valida
Re: (Score:2)
It makes sure you end up at www.example.com. What it does not do, but what people apparently expect it to do, is to certify that www.example.com belongs to ExampleCo Ltd. Aside from this:
1) Those sites exist usually for hours or, at best, days anyway. Trojans that rely on these sites will get detected and ... can't tell you how without causing an uproar here, but let's say I know that links in spam mail surprisingly stop working a few hours after they get sent out, too. We are already at the point where they
Re: (Score:2)
$ curl -I https://goo.gl/asdf43tjix
HTTP/1.1 404 Not Found
That was quick...
Re: (Score:3)
Re: (Score:2)
Having a warning on a 301 redirect would be fine. But I wouldn't want to see it on a 302 redirect. URL shorteners should probably all be using a 301 redirect, though.
Re: (Score:2)
Re:Weird (Score:4, Interesting)
Re: (Score:2)
obfuscated URLs that hide their true destination are evil.
Which pretty much sums up Google AMP as well -- everything comes from google.com...
Re: (Score:1)
The point of a url is to have a human readable destination.
No, it's not. This page you're reading right now wants to load from "d3tglifpd8whs6.cloudfront.net". And don't give me that "misleading" spiel. This same page also loads from "truste.com", a site that supposedly helps web authors with their "privacy programs" and does so by reporting every page you view on the site to TrustArc.
Black Hats (Score:3)
Re: Black Hats (Score:1)
Re: (Score:2)
More likely they live in countries where a legitimate job in IT security gets you 20k a year while jumping the fence to the other side of the legality puts you in the vicinity of Silicon Valley salaries while still living in a country where 20k a year means comfortable living.
Re: (Score:2)
With everything being full of security holes and connected to the internet the only reason why the cyberpocalypse hasn't happened yet is exactly because there's plenty of legitimate work available so not many bother.
Re: (Score:2)
That said, every time I get a phishing email, my first thought is always, oh, I could do this soooo much better.
Which is why we only use bit.ly (Score:1)
Since it is really really safe, being controlled by Libya.
Re: (Score:2)
Re: (Score:2)
Yes, IRC is still a thing. Care to inform me what other tool you know that delivers its functionality AND is under your control?
Is it me or is there a simple solution to it? (Score:2)
I.e. having browsers say "Hey, this is a forwarding service that tries to send you to www.pwnmymachine.com/thisisascam, do you want to follow the link?"
It would already be enough to do this for the better known shortening services. Not to mention that it would probably make those services useful again because no sane person right now clicks on a link from a well known forwarding service...
Re:Is it me or is there a simple solution to it? (Score:5, Informative)
When you click on a link on a Google search engine results page, a script replaces the link the moment you click on it. The actual link that the browser follows is a redirect through another Google URL, so that Google can track what you clicked on. This practice, replacing links on click, used to be seen as a sign of a malware infected web site. Now it's business as usual. In particular, it's used to hide referral codes: The link you see is the "clean" link without a referral code. The code is added only just before the link is followed, in a mousedown event handler. If browsers warned you about redirects, there would be hardly a website (including Google's) that wouldn't cause a warning every time you clicked on a link.
Re: (Score:2)
I fail to see the problem. If anything, in this time and age I'd see it as a feature to raise awareness for this problem.
Re: (Score:2)
Well, it would give you a distinguishing feature for your browser.
Re: (Score:1)
no sane person right now clicks on a link from a well known forwarding service
I think you're forgetting that most people don't even understand that there are risks for browsing.
IMO, being poorly educated about the risks doesn't make them insane.
They're like kids: It's our job to teach them, and it's also our job to keep them from hurting themselves before they understand.
Re: (Score:2)
I'm done teaching. It doesn't work. My current approach is fencing them in 'til they show that they know enough to break out of the fence, that's usually when they're smart enough to not need it anymore.
Why can't the google redirect to a death penalty? (Score:3)
Actually, I'm not sure if this approach would work in this case, but the obvious cure for the abuse of regular link shorteners is to redirect the link and lock it down. For example, if the scammer is claiming to redirect for a lottery ticket, the NEW link (that the scammer can no longer touch) would be a website warning potential suckers about the risks of fake lotteries. Of course this approach would work especially well for emailed links, since every spam message already sent would become an irretrievable countermeasure that the scammer can't even cancel.
Yes, it would still need a reporting mechanism to call the suspicious redirections to someone's attention, but the strong penalty might be sufficient. The last thing the scammers want is to risk exhausting the supply of suckers.
Re: (Score:3)
Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful. I'd prefer they also don't read my mail. Whatever happened to the idea of USPS provided email, anyway?
Email = postcards (Score:2)
Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful.
That's fine if you are technically competent and aware of the possible scam angles. People like my parents are a different matter altogether, and a little bit of help from the email provider in their case is actually a pretty good idea. I have my father using gmail in part precisely because they do a good job filtering for spam, scams, and malware. Asking my father to do this would be a disaster waiting to happen. He's smart, but the details of email technology aren't his focus in life.
I'd prefer they also don't read my mail.
Then encrypt your ma
Re: (Score:2)
Then encrypt your mail. The physical world equivalent to sending an unencrypted email is a post card. Don't write anything on a post card or an email you wouldn't be comfortable with anyone along the delivery route reading.
I can't encrypt the mail that my dummy friends and acquaintances send to me. The only way that will ever happen is for encrypted mail to be so easy that it's almost more effort not to. The post office is big enough to make postal-email a thing, they could deliver certificates by regular mail, and you could absolutely get as much security out of usps encrypted email as you could get out of sending a security envelope via first-class mail, and the "encryption habit" would allow genuine security to also be somethi
It's an economic problem (mostly) (Score:2)
I can't encrypt the mail that my dummy friends and acquaintances send to me.
That's the reason nobody uses encryption for email. Actually making it secure is (apparently) irreducibly technically difficult. But if you are concerned about sensitive information then your ONLY option is to go figure it out and get other people on board with you. Otherwise it is no different than having a tapped phone line and you should behave accordingly. This is NOT something you can outsource to your email provider and have reasonable certainty that it is actually secure so few people actually bo
Re: Why can't the google redirect to a death penal (Score:2)
There is no legitimate case for url shortening in an email.
Hell, the only legitimate use case it has is on Twitter or other comment platforms with arbitrary limits.
Re: (Score:2)
I think you are arguing against HTML email or any of the richer forms? If so, I think that bus has left the station. About 10 years ago.
Shall we start arguing about inline versus top posting? Or should I try to "redirect" the discussion back to the original topic?
Re: (Score:2)
If your email client doesn't tell you the location of the actual link before you click on it, that's your email client's fault.
Wait, maybe that is the solution? Just like links on slashdot show the actual location, why can't shortened links do that?
No, wait, that is still stupid. The url shortener itself is just not needed except when there are arbitrary limits.
How do you feel about that? (Score:2)
URL shortening services (Score:2)
Get rid of them all, they serve no legit purpose anymore.
How short URLs should work (Score:3)
I would like the browser to detect that the link I'm hovering over is a shortened URL (even if it's a "known" list), then instead of showing goo.gl/whatever it would hit the URL to find out where it forwards to and show me that.
Because I won't click on a shortened URL unless I'm damn sure it's from a trustworthy source.
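The hover-time resolver this comment (and the earlier "Hey, this is a forwarding service" proposal) describes, as an added example in Python; it is not code from the article, Sophos, or any commenter. It follows Location headers hop by hop without landing on the final page, reports the true destination, and flags any hop where a Google-owned host forwards off-domain, which is the Maps-chaining pattern the article describes. All URLs and responses are constructed, and the maps.google.com entry is a placeholder because the page does not name the abused Maps parameter.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Constructed stand-in for the network: URL -> (HTTP status, Location header).
# The maps.google.com path is a PLACEHOLDER; the real redirect parameter is not on the page.
FAKE_RESPONSES = {
    "https://goo.gl/asdf43tjix": (404, None),
    "https://goo.gl/xyz789": (301, "https://maps.google.com/PLACEHOLDER-redirect"),
    "https://maps.google.com/PLACEHOLDER-redirect": (302, "http://www.pwnmymachine.com/thisisascam"),
    "http://www.pwnmymachine.com/thisisascam": (200, None),
    "https://goo.gl/loop": (302, "https://goo.gl/loop"),  # constructed redirect loop
}

def fake_head(url):
    return FAKE_RESPONSES.get(url, (404, None))

def live_head(url, timeout=5):
    """Real HEAD request that refuses to auto-follow redirects (needs network; not used in tests)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn every 3xx into an HTTPError we inspect below
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def resolve_chain(url, head=fake_head, max_hops=10):
    """Walk Location headers manually, recording every hop; status None means loop/too deep."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain, status
        chain.append(urljoin(chain[-1], location))  # handles relative Location values
    return chain, None

def host(url):
    return (urlparse(url).hostname or "").lower()

def crosses_trusted_boundary(chain, trusted=("google.com", "goo.gl")):
    """Hops where a trusted host forwards to a host outside the trusted set."""
    def is_trusted(h):
        return any(h == t or h.endswith("." + t) for t in trusted)
    return [(a, b) for a, b in zip(chain, chain[1:]) if is_trusted(host(a)) and not is_trusted(host(b))]

def hover_text(url, head=fake_head):
    """The warning a browser could show on hover instead of the bare short link."""
    chain, status = resolve_chain(url, head)
    if len(chain) == 1:
        return f"{url} (no redirect, HTTP {status})"
    flag = " ** forwards off a trusted domain **" if crosses_trusted_boundary(chain) else ""
    return f"forwarding service: {host(url)} -> {chain[-1]} ({len(chain) - 1} hops){flag}"
```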