Google's AMP technology makes spear-phishing sites look legit

By: David Herron; Date: September 24, 2017

Tags: Google » Social Media Warfare » Spear Phishing

Those pesky Russian Hackers may be using Google's Accelerated Mobile Pages (AMP) to make spear-phishing attack websites, or fake news websites, look like legitimate sites. According to Salon, Google has known about this problem for over a year and done nothing.

A couple years ago Google created Accelerated Mobile Pages (AMP) to speed up internet browsing on mobile devices. The AMP standard defines a limited set of JavaScript, CSS and HTML technologies that are known to behave well on a low-bandwidth, memory-constrained device like a cell phone. In part AMP is a response to the overly bloated nonsense occurring on most websites, with autoplaying video and animated advertising that pops up and annoys people.

Salon claims that Russian spear-phishing attacks targeting journalists critical of Russia lead to pages using AMP techniques, making them look legitimate. What makes it worse is that Google serves AMP pages from google.com domains, hence an AMP spear-phishing page portraying itself as a Google alert will look legitimate because it is on a google.com domain.

Salon's motive for attacking Google's AMP

Before getting too far on this I must point out that Salon has a reason to attack Google over the AMP technology. Salon's own website has been egregious about over-the-top aggressive advertising techniques for years. Google developed AMP as a response to sites like Salon whose advertising forced browsers to a crawl.

Viewed from one angle, the article (link below) makes AMP look extremely bad and dangerous. Repeatedly the article slams AMP, without describing its positive benefits. AMP threatens Salon's business practices, giving Salon a motive to attack AMP.

On the other hand, the excessiveness of Salon's advertising practices is disgusting. Speaking for myself, I used to be a paying subscriber of Salon (back when they had paid subscriptions) and generally like the stories they publish. But, currently, their excessive advertising makes me shy away from reading their articles.

The technical issue reported in Salon's article

The real crux of the article is difficult to follow because of the attack on Google's AMP.

To further speed things up for smartphone users, Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages Google.com URLs.

Supposedly these preloaded pages show the originating domain in the address bar. Except that on a mobile browser the address bar shows a google.com domain, and the disclaimer showing the actual domain scrolls off the top of the page.

technical-minded critics of AMP have noticed its potential for abuse by junk websites. Since AMP webpages can be accessed via Google addresses, they appear more credible than random domain names or blog hosting sites like WordPress.

Yes, this makes sense. When we receive an email purporting to be a warning from a Google service, it's a good idea to check the domain of any links. But if the domain is for google.com it will look like a legitimate link.
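An added example, not from the original article or from Google: a link check for a mail filter that unwraps google.com/amp/ URLs to the publisher host before deciding whether a link is trusted. It assumes the viewer URL form https://www.google.com/amp/s/<host>/<path> (with "s" marking an HTTPS origin); the function names, the trusted-host set and the sample message are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Hosts assumed to serve the Google AMP viewer path (/amp/...).
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def amp_origin(url):
    """Return the publisher host wrapped in a google.com/amp/ URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segs = [s for s in parts.path.split("/") if s]
    if host not in AMP_VIEWER_HOSTS or segs[:1] != ["amp"]:
        return None
    rest = segs[1:]
    if rest[:1] == ["s"]:  # "s" marks an origin fetched over HTTPS
        rest = rest[1:]
    if not rest:
        return None
    origin = unquote(rest[0]).lower()
    # A publisher host contains at least one dot; otherwise not an AMP wrap.
    return origin if "." in origin else None


def effective_host(url):
    """Host whose content the reader actually sees after AMP unwrapping."""
    return amp_origin(url) or (urlsplit(url).hostname or "").lower()


def suspicious_links(text, trusted):
    """Return (shown_host, content_host) for links whose content host is untrusted."""
    hits = []
    for url in URL_RE.findall(text):
        shown = (urlsplit(url).hostname or "").lower()
        real = effective_host(url)
        if real not in trusted:
            hits.append((shown, real))
    return hits


# Constructed sample message; example.net stands in for an unknown publisher.
SAMPLE = (
    "Security alert: review activity at "
    "https://www.google.com/amp/s/alerts.example.net/signin.html or see "
    "https://myaccount.google.com/security for details."
)
TRUSTED = {"google.com", "www.google.com", "myaccount.google.com"}

if __name__ == "__main__":
    for shown, real in suspicious_links(SAMPLE, TRUSTED):
        print(f"link shows {shown} but content comes from {real}")
```

A filter that only compares the visible host against an allowlist passes the first link; comparing the unwrapped host flags it.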

Supposedly one effect of AMP is to make all websites look alike. Hence a fake news website that looks clunky might, on AMP, look like all other news websites, and therefore look more legitimate.

Similarly, a fake security warning leading to an AMP-cached page will look like all other AMP-cached pages, and therefore look more legitimate.

Phishing is:

Fake security alerts designed to look like messages from legitimate companies, inviting targets to visit plausible-looking websites set up solely for the purpose of capturing passwords.

Spear-Phishing is when a customized Phishing message is sent to a specific target.

Summary

Phishing has been with us on the Internet for quite a while. Phishing messages catch people unawares and can cause havoc.

Personally I do not click on such links, but instead go directly to the website in question. I have yet to be caught by such a thing. But it is easy to imagine how folk can be caught by faked-up emails. The better the forgery, the more likely someone can be caught by a malicious website, their credentials stolen, and all kinds of havoc caused.

Source: http://www.salon.com/2017/09/24/russian-hackers-exploited-a-google-flaw-and-google-wont-fix-it/

Bug report: https://github.com/ampproject/amphtml/issues/6210
