Google's AMP technology makes spear-phishing sites look legit

By: (plus.google.com) +David Herron; Date: September 24, 2017

Tags: Google » Social Media Warfare » Spear Phishing

Those pesky Russian Hackers may be using Google's Accelerated Mobile Pages (AMP) to make spear-phishing or fake-news websites look like legitimate sites. According to Salon, Google has known about this problem for over a year and done nothing.

A couple of years ago Google created Accelerated Mobile Pages (AMP) to speed up internet browsing on mobile devices. The AMP standard defines a limited set of JavaScript, CSS and HTML technologies that are known to behave well on a low-bandwidth, memory-constrained device like a cell phone. In part, AMP is a response to the overly bloated nonsense occurring on most websites, with autoplaying video and animated advertising that pops up and annoys people.

Salon claims that Russian spear-phishing attacks targeting journalists critical of Russia lead to pages using AMP techniques, making them look legitimate. What makes it worse is that Google serves AMP pages from google.com domains, hence an AMP spear-phishing page portraying itself as a Google alert will look legitimate because it is on a google.com domain.

Salon's motive for attacking Google's AMP

Before getting too far on this I must point out that Salon has a reason to attack Google over the AMP technology. Salon's own website has been egregious about over-the-top aggressive advertising techniques for years. Google developed AMP as a response to sites like Salon whose advertising forced browsers to a crawl.

Viewed from one angle, the article (link below) makes AMP look extremely bad and dangerous. Repeatedly the article slams AMP, without describing its positive benefits. AMP threatens Salon's business practices, giving Salon a motive to attack AMP.

On the other hand, the excessiveness of Salon's advertising practices is disgusting. Speaking for myself, I used to be a paying subscriber of Salon (back when they had paid subscriptions) and generally like the stories they publish. But, currently, their excessive advertising makes me shy away from reading their articles.

The technical issue reported in Salon's article

The real crux of the article is difficult to follow because of the attack on Google's AMP.

To further speed things up for smartphone users, Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages Google.com URLs.

Supposedly these preloaded pages show the originating domain in the address bar. Except that on a mobile browser the address bar shows a google.com domain, and the disclaimer showing the actual domain scrolls off the top of the page.

technical-minded critics of AMP have noticed its potential for abuse by junk websites. Since AMP webpages can be accessed via Google addresses, they appear more credible than random domain names or blog hosting sites like WordPress.

Yes, this makes sense. When we receive an email purporting to be a warning from a Google service, it's a good idea to check the domain of any links. But if the domain is for google.com it will look like a legitimate link.
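A link check that looks only at the outer domain will pass these URLs. The following is an added example, not code from the article or from Salon, that unwraps a Google AMP viewer link to the publisher host it actually loads. It assumes the `https://www.google.com/amp/[s/]<host>/<path>` link layout, and the `example.test` hosts are constructed placeholders.

```javascript
// Added example (not from the article). Assumes Google AMP viewer links
// have the form https://www.google.com/amp/[s/]<publisher-host>/<path>,
// where the optional "s/" segment means the publisher page is HTTPS.
const GOOGLE_HOSTS = new Set(['google.com', 'www.google.com']);

// Returns { host, url } for the wrapped publisher page, or null when the
// link is not a Google AMP viewer link.
function unwrapAmpLink(link) {
  let outer;
  try {
    outer = new URL(link);
  } catch {
    return null; // not a parseable absolute URL
  }
  // Exact host match, so look-alikes such as google.com.example.test fail.
  if (!GOOGLE_HOSTS.has(outer.hostname)) return null;
  const m = outer.pathname.match(/^\/amp\/(s\/)?([^/]+\.[^/]+)(\/.*)?$/);
  if (!m) return null;
  try {
    const scheme = m[1] ? 'https' : 'http';
    const inner = new URL(`${scheme}://${m[2]}${m[3] || '/'}`);
    return { host: inner.hostname, url: inner.href };
  } catch {
    return null; // wrapped segment is not a valid host
  }
}

// The host a reader actually lands on: the wrapped publisher for AMP
// links, otherwise the link's own host.
function effectiveHost(link) {
  const amp = unwrapAmpLink(link);
  if (amp) return amp.host;
  try {
    return new URL(link).hostname;
  } catch {
    return null;
  }
}

// Constructed sample links; example.test hosts are placeholders.
const samples = [
  'https://www.google.com/amp/s/alerts.example.test/security/signin',
  'https://www.google.com/amp/news.example.test/story.html',
  'https://www.google.com/search?q=amp',
];
for (const link of samples) {
  console.log(`${new URL(link).hostname} -> ${effectiveHost(link)}`);
}
```

A mail filter or link preview can apply its allow-list to `effectiveHost(link)` rather than to the outer host.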

Supposedly one effect of AMP is to make all websites look alike. Hence a fake news website that looks clunky might, on AMP, look like all other news websites, and therefore look more legitimate.

Similarly, a fake security warning leading to an AMP-cached page will look like all other AMP-cached pages, and therefore look more legitimate.

Phishing is:

Fake security alerts designed to look like messages from legitimate companies, inviting targets to visit plausible-looking websites set up solely for the purpose of capturing passwords.

Spear-Phishing is when a customized Phishing message is sent to a specific target.

Summary

Phishing has been with us on the Internet for quite a while. Phishing messages catch people unawares and can cause havoc.

Personally I do not click on such links, but instead go directly to the website in question. I have yet to be caught by such a thing. But it is easy to imagine how folk can be caught by faked-up emails. The better the forgery, the more likely someone can be caught by a malicious website, their credentials stolen, and all kinds of havoc caused.

Source: (www.salon.com) http://www.salon.com/2017/09/24/russian-hackers-exploited-a-google-flaw-and-google-wont-fix-it/

Bug report: (github.com) https://github.com/ampproject/amphtml/issues/6210
