Google's AMP technology makes spear-phishing sites look legit

Date: September 24, 2017

Tags: Google, Social Media Warfare, Spear Phishing

Those pesky Russian Hackers may be using Google's Accelerated Mobile Pages (AMP) to make spear-phishing, or fake news, websites look like legitimate sites. According to Salon, Google has known about this problem for over a year and done nothing.

A couple of years ago Google created Accelerated Mobile Pages (AMP) to speed up internet browsing on mobile devices. The AMP standard defines a limited set of JavaScript, CSS and HTML technologies that are known to behave well on a low-bandwidth, memory-constrained device like a cell phone. In part, AMP is a response to the overly bloated nonsense occurring on most websites, with autoplaying video and animated advertising that pops up and annoys people.

Salon claims that Russian spear-phishing attacks targeting journalists critical of Russia lead to pages using AMP techniques, making them look legitimate. What makes it worse is that Google serves AMP pages from google.com domains, hence an AMP spear-phishing page portraying itself as a Google alert will look legitimate because it is on a google.com domain.

Salon's motive for attacking Google's AMP

Before getting too far on this I must point out that Salon has a reason to attack Google over the AMP technology. Salon's own website has been egregious about over-the-top aggressive advertising techniques for years. Google developed AMP as a response to sites like Salon whose advertising forced browsers to a crawl.

Viewed from one angle, the article (link below) makes AMP look extremely bad and dangerous. Repeatedly the article slams AMP, without describing its positive benefits. AMP threatens Salon's business practices, giving Salon a motive to attack AMP.

On the other hand, the excessiveness of Salon's advertising practices is disgusting. Speaking for myself, I used to be a paying subscriber of Salon (back when they had paid subscriptions) and generally like the stories they publish. But, currently, their excessive advertising makes me shy away from reading their articles.

The technical issue reported in Salon's article

The real crux of the article is difficult to follow because of the attack on Google's AMP.

To further speed things up for smartphone users, Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages Google.com URLs.

Supposedly these preloaded pages show the originating domain in the address bar. Except that on a mobile browser the address bar shows a google.com domain, and the disclaimer showing the actual domain scrolls off the top of the page.

technical-minded critics of AMP have noticed its potential for abuse by junk websites. Since AMP webpages can be accessed via Google addresses, they appear more credible than random domain names or blog hosting sites like WordPress.

Yes, this makes sense. When we receive an email purporting to be a warning from a Google service, it's a good idea to check the domain of any links. But if the domain is for google.com it will look like a legitimate link.
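The domain check described above can be made AMP-aware by judging a link on the origin host embedded in the Google URL rather than on google.com itself. The following is an added example, not part of the original post or of Salon's article; it assumes AMP viewer links of the form `https://www.google.com/amp/s/<origin-host>/<path>`, which the post does not spell out, and the function names and sample links are hypothetical.

```python
from urllib.parse import urlsplit

# Assumption (not stated on the page): Google's AMP viewer links take the form
# https://www.google.com/amp/s/<origin-host>/<path>, where the optional "s/"
# segment means the origin is served over HTTPS.
GOOGLE_HOSTS = {"google.com", "www.google.com"}


def effective_host(url):
    """Return (host, wrapped): the host whose content the link really shows."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    if host in GOOGLE_HOSTS and segments[:1] == ["amp"]:
        rest = segments[1:]
        if rest[:1] == ["s"]:
            rest = rest[1:]
        if rest and "." in rest[0]:
            try:
                # Drop any userinfo or port embedded in the origin segment.
                origin = urlsplit("//" + rest[0]).hostname
            except ValueError:
                origin = None
            if origin:
                return origin.lower(), True
    return host, False


def is_trusted(url, trusted_suffixes=("google.com",)):
    """Judge a link by its effective host, not the host shown in the URL."""
    host, _ = effective_host(url)
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


# Constructed sample links, as they might appear in a "security alert" email.
SAMPLES = [
    "https://www.google.com/amp/s/alerts.example.net/account/verify",
    "https://www.google.com/amp/news.example.org/story.html",
    "https://accounts.google.com/signin",
    "https://www.google.com/amp/s/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        host, wrapped = effective_host(link)
        print(f"{link}\n  effective host: {host}  wrapped: {wrapped}  "
              f"trusted: {is_trusted(link)}")
```

The first two sample links sit on www.google.com but resolve to third-party hosts, so a mail filter using this check would treat them like any other external link.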

Supposedly one effect of AMP is to make all websites look alike. Hence a fake news website that looks clunky might, on AMP, look like all other news websites, and therefore look more legitimate.

Similarly, a fake security warning leading to an AMP-cached page will look like all other AMP-cached pages, and therefore look more legitimate.

Phishing is:

Fake security alerts designed to look like messages from legitimate companies, inviting targets to visit plausible-looking websites set up solely for the purpose of capturing passwords.

Spear-Phishing is when a customized Phishing message is sent to a specific target.

Summary

Phishing has been with us on the Internet for quite a while. Phishing messages catch people unawares and can cause havoc.

Personally I do not click on such links, but instead go directly to the website in question. I have yet to be caught by such a thing. But it is easy to imagine how folk can be caught by faked-up emails. The better the forgery, the more likely someone can be caught by a malicious website, their credentials stolen, and all kinds of havoc caused.

Source: (www.salon.com) http://www.salon.com/2017/09/24/russian-hackers-exploited-a-google-flaw-and-google-wont-fix-it/

Bug report: (github.com) https://github.com/ampproject/amphtml/issues/6210