Scammers Are Using Google Maps To Skirt Link-Shortener Crackdown, Redirect Users To Dodgy Websites (theregister.co.uk)
According to security company Sophos, scam websites have been using obfuscated Google Maps links to redirect users to dodgy websites. The Register reports: The reason for this is Google's recent efforts to get rid of its Goo.gl URL-shortening service. The link-shortening site is a favorite for scammers looking to hide the actual address of pages. Without Goo.gl to pick on, scammers are now abusing a loophole in the Maps API that allows for redirects to be put into Google Maps URLs. This allows the attackers to chain the links to their scam pages within a link to Google Maps, essentially creating a more trustworthy URL that users are more likely to follow. The trick also has the benefit of being harder to catch and shut down than links made with the well-policed Goo.gl service. Because it uses Google Maps, there's no reporting structure in place to get the scammers shut down and the scammers don't have to use a Google-owned interface or API to do it.
The recent articles and corresponding actions of the big internet companies seem to push against basic redirect services. I am having a hard time understanding why. Makes me uncomfortable, but I can't explain why. Please enlighten me?
It's amazing the thought and effort that goes into criminal schemes. If there's plenty of legitimate work, the effective hourly rate can't be the only driver. It must also be because finding loopholes is more exciting. A honeypot for the hacker mentality, particularly those who are financially-challenged, aren't troubled by empathy for victims, and actually get off on the danger.
Since it is really really safe, being controlled by Libya.
That is definitely clever. Evil but clever.
I.e. having browsers say "Hey, this is a forwarding service that tries to send you to www.pwnmymachine.com/thisisascam, do you want to follow the link?"
It would already be enough to do this for the better known shortening services. Not to mention that it would probably make those services useful again because no sane person right now clicks on a link from a well known forwarding service...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Actually, I'm not sure if this approach would work in this case, but the obvious cure for the abuse of regular link shorteners is to redirect the link and lock it down. For example, if the scammer is claiming to redirect for a lottery ticket, the NEW link (that the scammer can no longer touch) would be a website warning potential suckers about the risks of fake lotteries. Of course this approach would work especially well for emailed links, since every spam message already sent would become an irretrievable countermeasure that the scammer can't even cancel.
Yes, it would still need a reporting mechanism to call the suspicious redirections to someone's attention, but the strong penalty might be sufficient. The last thing the scammers want is to risk exhausting the supply of suckers.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
It's a constant cat and mouse game, isn't it? Close up one opportunity and they find another.
This gentleman presents no proof other than an anecdote that he received a malformed link in Skype.
That is not really solid ground to say organized criminals are utilizing the service. In fact it is a hell of a stretch to make that assumption. With no actual scammers caught, no evidence of scammers utilizing the service and no victims who have been taken advantage of via redirect...well honestly, did it even happen, or is the author just trying to drive traffic to his employer and pay for his morning bowl of Froot Loops?
Is IRC still a thing? https://xkcd.com/1782/
Current URLs result from trying to make the browser into an OS...with apps, instead of the page reader it was originally.
Some people sure spend a lot of time and effort to fuck other people over. How do you feel about that?
I trust it more than I trust Skype and Discord.
Show the URL in the browser.
Part of the cause of this problem is the trend for browsers to not show the URL as part of the web page being displayed.
Google causes this with their 'streamlined' design that doesn't show the URL.
Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful. I'd prefer they also don't read my mail. Whatever happened to the idea of USPS provided email, anyway?
Can you be Even More Awesome?!
scammers are now abusing a loophole in the Maps API
scammers don't have to use a Google-owned interface or API to do it.
So which one is it?
Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful.
That's fine if you are technically competent and aware of the possible scam angles. People like my parents are a different matter altogether, and a little bit of help from the email provider in their case is actually a pretty good idea. I have my father using gmail in part precisely because they do a good job filtering for spam, scams, and malware. Asking my father to do this would be a disaster waiting to happen. He's smart, but the details of email technology aren't his focus in life.
I'd prefer they also don't read my mail.
Then encrypt your mail. The physical world equivalent to sending an unencrypted email is a post card. Don't write anything on a post card or an email you wouldn't be comfortable with anyone along the delivery route reading.
Whatever happened to the idea of USPS provided email, anyway?
Several problems. 1) Who is going to pay for it? What is the business proposition to USPS? 2) We already have email through countless other sources. 3) USPS has no demonstrated competence in this sort of product.
It's amazing the thought and effort that goes into criminal schemes.
That's why we admire Pirate-bay and P2P so much. Just look at all the wonderful effort that goes into not paying for things.
I wanted the title to be "Scammers Are Using Google Maps To Link To Dodgy Skirt Shortener Websites"
Skirt Shortener? Perhaps that is an AR application.
Get rid of them all, they serve no legit purpose anymore.
#DeleteFacebook
I would like the browser to detect that the link I'm hovering over is a shortened URL (even if it's from a "known" list), then instead of showing goo.gl/whatever it would hit the URL to find out where it forwards to and show me that.
Because I won't click on a shortened URL unless I'm damn sure it's from a trustworthy source.
I refuse to sign
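The hover-and-resolve idea above, and the chained-redirect-through-a-trusted-domain trick from the summary, as an added example (not code from the article, Sophos, or any poster): walk a redirect chain one hop at a time without rendering anything, and flag any hop whose query string carries an absolute URL to another host. All hostnames are made up, and the offline hop table stands in for real HEAD requests.

```python
from urllib.parse import parse_qs, urljoin, urlparse
import urllib.error, urllib.request

REDIRECTS = (301, 302, 303, 307, 308)

def embedded_urls(url):
    # Absolute URLs hidden in the query string: how a trusted-looking link
    # (a maps page, a shortener) can carry its real destination as a parameter.
    found = []
    for values in parse_qs(urlparse(url).query).values():
        for v in values:
            p = urlparse(v)
            if p.scheme in ("http", "https") and p.netloc:
                found.append(v)
    return found

def resolve(url, fetch, max_hops=10):
    # fetch(url) -> (status, Location or None) for ONE request, without following it.
    hops, embedded = [url], embedded_urls(url)
    for _ in range(max_hops):
        status, location = fetch(hops[-1])
        if status not in REDIRECTS or not location:
            break
        location = urljoin(hops[-1], location)  # Location may be relative
        hops.append(location)
        embedded += embedded_urls(location)
    final_host = urlparse(hops[-1]).netloc
    return {"hops": hops, "final_host": final_host,
            "crosses_hosts": urlparse(url).netloc != final_host,
            "embedded_targets": embedded}

def live_fetch(url):
    # Real HEAD request that reports a redirect instead of following it;
    # urllib follows by default, which would hide the intermediate hops.
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *a, **k):
            return None
    try:
        r = urllib.request.build_opener(NoRedirect).open(
            urllib.request.Request(url, method="HEAD"), timeout=5)
        return r.getcode(), r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

# Constructed offline hop table (made-up hostnames) standing in for live_fetch.
MAPS = "https://maps.example/maps?q=1&continue=https%3A%2F%2Fscam.example%2Fprize"
FAKE_HOPS = {"https://short.example/abc": (301, MAPS),
             MAPS: (302, "https://scam.example/prize")}
def fake_fetch(url):
    return FAKE_HOPS.get(url, (200, None))
```

For a live check, call resolve(url, live_fetch); a result with crosses_hosts set or a non-empty embedded_targets is the one worth showing the user before the click.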
This will be used for advanced goatseing techniques.
That man's hole is big enough that maybe it does need its own map.
Have you bought the Goat C shirt? A family friendly design and the kids probably know what it means anyway.
- FatCashewsLoveMe
Yes, IRC is still a thing. Care to inform me what other tool you know that delivers its functionality AND is under your control?
Yup. All other ethnicities are fine. European, Chinese, Mongolian, Taiwan, and all other Asians. Indian, South American, Eskimo ...
Thenblacks, all alone, are the most violent, primitive, and terrible.
But I know why. It is their hair. It makes them crazy. No other ethnic group has that sheep type hair. All black girls wear wigs. And when they take the wig off, being accustomed to nice fake hair, it is ugly.
Some say it is a curse. So why is it blacks have this type hair? No other group on the planet has it.
Interesting.
Well, fisty the 2-liter bottle hand puppet may agree. The puppet is wearing diving gear.
Not only does this require (slow) manual review to determine that a redirect deserves the death penalty, but this assumes that an attacker doesn't know how to configure a web server to return different content to different people.
Suppose I make a completely innocuous web page, and redirect to that. Allow as much manual review as you like.
Then, a month later, I change it to serve malware and then send the phishing messages.
And if I have half a clue and am not limited to static HTML, configure the server to only serve the malware to IPs from the organization I'm attacking.
How the hell is any review process supposed to catch that?
There is no legitimate case for url shortening in an email.
Hell, the only legitimate use case it has is on Twitter or other comment platforms with arbitrary limits.
I'm a good cook. I'm a fantastic eater. - Steven Brust
OFFICE MAIL DELIVERY
You have 17 clustered/undelivered emails pending for delivery to your email box since 09/04/2018, we are awaiting your approval to restore these messages to your inbox.
Follow the action below to retrieve all undelivered mail:
*Release Pending messages to inbox
*Proceed to Mail Server Cleaning with Microsoft Cloud server
Please note that this may cause mailbox malfunctions and undelivered email will be deleted from the cloud server.
Remember: Make sure you update all of your devices (phones, tablets, and PCs)!
Sincerely,
The Azure Active Directory Team
There is no legitimate case for url shortening in an email.
My old isp email server would limit outgoing messages to 10 MB.
I think you are arguing against HTML email or any of the richer forms? If so, I think that bus has left the station. About 10 years ago.
Shall we start arguing about inline versus top posting? Or should I try to "redirect" the discussion back to the original topic?
I can't encrypt the mail that my dummy friends and acquaintances send to me.
That's the reason nobody uses encryption for email. Actually making it secure is (apparently) irreducibly technically difficult. But if you are concerned about sensitive information then your ONLY option is to go figure it out and get other people on board with you. Otherwise it is no different than having a tapped phone line and you should behave accordingly. This is NOT something you can outsource to your email provider and have reasonable certainty that it is actually secure so few people actually bother. I've spent a fair bit of time researching this very topic and there appears to be no way to have encrypted emails without the parties on both ends being highly technically competent and willing to put in significant extra effort to set up and manage a secure system. Just not worth it most of the time.
1a) Users would have to, via subscription fees. Similar to having a PO box.
And why would anyone do this when they can get gmail for "free"? Again there is no business proposition here for USPS unless the government raises taxes to cover it. It's not obvious what USPS could offer me that I don't already have.
1b) The laws that apply to first class mail would have to apply to email as well, and the post office could manage a certificate store for a somewhat better than post-card level of security that develops the habit of using encryption.
Just because the laws apply doesn't mean it is actually secure. You seriously think the NSA wouldn't hack this system in a heartbeat? Sorry but I don't trust the government to keep me secure against the government. A certificate is just a piece of a long chain in securing email. Secure email is a LOT more complicated than just being a certificate authority, even with legal teeth. And there is zero chance of a government entity (which USPS is) offering email that is secure against government snooping. I trust the government to do some things competently but I don't trust them at all in this capacity.
And again you have the problem of how you plan to fund this? Show me a business plan that is feasible.
Sure, but no one has the force of law the way USPS does. Intercepting USPS email and fraudulent email via that service would be federal offences.
You don't need USPS to do that. You'd have to change the law anyway and you could just as easily make interfering with email delivery a federal offense in general. If you want to have USPS chase down bad guys for email related law breaking you had better have a way to fund the legion of extra postal inspectors you'd need to do it. Again, there is the money problem. Almost nobody is going to pay USPS for a service they can get for "free". Few people will care about the fact that USPS has some postal inspectors and fewer still will be willing to pay more for them.
I'm not opposed to USPS offering email services and I get why it makes a certain amount of sense. But unless congress gets behind it in a big way (which will not happen) it makes no economic sense and so it is dead before it ever starts. USPS just isn't in a position to solve any real world problem for me or most other people.
If your email client doesn't tell you the location of the actual link before you click on it, that's your email client's fault.
Wait maybe that is the solution? Just like links in slashdot show the actual location, why can't shortened links do that.
No, wait, that is still stupid. The URL shortener itself is just not needed except when there are arbitrary limits.