Slashdot Mirror


Scammers Are Using Google Maps To Skirt Link-Shortener Crackdown, Redirect Users To Dodgy Websites (theregister.co.uk)

According to security company Sophos, scam websites have been using obfuscated Google Maps links to redirect users to dodgy websites. The Register reports: The reason for this is Google's recent efforts to get rid of its Goo.gl URL-shortening service. The link-shortening site is a favorite for scammers looking to hide the actual address of pages. Without Goo.gl to pick on, scammers are now abusing a loophole in the Maps API that allows for redirects to be put into Google Maps URLs. This allows the attackers to chain the links to their scam pages within a link to Google Maps, essentially creating a more trustworthy URL that users are more likely to follow. The trick also has the benefit of being harder to catch and shut down than links made with the well-policed Goo.gl service. Because it uses Google Maps, there's no reporting structure in place to get the scammers shut down and the scammers don't have to use a Google-owned interface or API to do it.

11 of 85 comments

  1. Black Hats by Mandrel · · Score: 2

    It's amazing the thought and effort that goes into criminal schemes. If there's plenty of legitimate work, the effective hourly rate can't be the only driver. It must also be because finding loopholes is more exciting. A honeypot for the hacker mentality, particularly those who are financially-challenged, aren't troubled by empathy for victims, and actually get off on the danger.

  2. Re:Weird by Kaenneth · · Score: 4, Informative

    Because it's an abuse of what a URL should be.

    Obfuscated URLs that hide their true destination are evil.

  3. Re:Is it me or is there a simple solution to it? by Anonymous Coward · · Score: 5, Informative

    When you click on a link on a Google search engine results page, a script replaces the link the moment you click on it. The actual link that the browser follows is a redirect through another Google URL, so that Google can track what you clicked on. This practice, replacing links on click, used to be seen as a sign of a malware-infected web site. Now it's business as usual. In particular, it's used to hide referral codes: The link you see is the "clean" link without a referral code. The code is added only just before the link is followed, in a mousedown event handler. If browsers warned you about redirects, there would be hardly a website (including Google's) that wouldn't cause a warning every time you clicked on a link.

  4. Why can't the google redirect to a death penalty? by shanen · · Score: 2

    Actually, I'm not sure if this approach would work in this case, but the obvious cure for the abuse of regular link shorteners is to redirect the link and lock it down. For example, if the scammer is claiming to redirect for a lottery ticket, the NEW link (that the scammer can no longer touch) would be a website warning potential suckers about the risks of fake lotteries. Of course this approach would work especially well for emailed links, since every spam message already sent would become an irretrievable countermeasure that the scammer can't even cancel.

    Yes, it would still need a reporting mechanism to call the suspicious redirections to someone's attention, but the strong penalty might be sufficient. The last thing the scammers want is to risk exhausting the supply of suckers.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.

  5. Re: Don't be Evil by Bing+Tsher+E · · Score: 2

    Show the URL in the browser.

    Part of the cause of this problem is the trend for browsers to not show the URL as part of the web page being displayed.

    Google causes this with their 'streamlined' design that doesn't show the URL.

  6. Re:Weird by DarkOx · · Score: 2

    Exactly. The 'RL' stands for resource locator; almost by definition it should not obscure where something is going or where it will come from.

    I know there are some legitimate uses for shorteners; when you need to stuff an URL into a QR code or a SMS message etc. The reality is though its avenue for abuse is greater than its avenue for use.

    We tell users think / look before you click and then give them URLs that are opaque. Not good...

    Thanks to living in a world where LetsDecrypt has basically destroyed any notion of responsible behavior by certificate issuers these shorteners are even more dangerous. You might have noticed that '0' isn't a capital O or that Turkish 'i' in a link you hovered over in my phish mail and you never would have typed it without realizing; but there is virtually no chance you'll catch it in the URL bar (which Chrome/FF probably won't even show you!) after you have clicked https://goo.gl/asdf43tjix

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html

  7. Re:Why can't the google redirect to a death penalt by zippthorne · · Score: 2

    Warnings are OK, but I don't want my email provider or anyone in that chain changing my mail for any reason, even if they're trying to be helpful. I'd prefer they also don't read my mail. Whatever happened to the idea of USPS provided email, anyway?

    --
    Can you be Even More Awesome?!

  8. Re:Weird by houghi · · Score: 2

    I think it has more to do with how browsers handle errors. What should happen if you encounter an error 301 like on https://tinyurl.com/y7zdeygu you should not automagically be forwarded, but be warned where you are sent to. Because to me there is not much difference between the above and https://www.google.com/maps/d/viewer?mid=1wCZ4UMhH8ksk69v82yo2SX4fBhY&ll=52.373870064019506%2C4.898056999999994&z=16. And if I change google.com with gooogIe.com (No, not just the extra o) or whatever, I still have no idea if I get to the correct server.

    The 301 error is a tool and as always tools can be used for good and for evil.

    I hope nobody of you got fired for clicking on any of the links.

    --
    Don't fight for your country, if your country does not fight for you.

  9. How short URLs should work by dkman · · Score: 2

    I would like the browser to detect that the link I'm hovering over is a shortened URL (even if it's a "known" list), then instead of showing goo.gl/whatever it would hit the URL to find out where it forwards to and show me that.

    Because I won't click on a shortened URL unless I'm damn sure it's from a trustworthy source.

    --
    I refuse to sign
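
The "show me where it forwards to" behaviour discussed in the comments above, as an added example (not code from the thread, Sophos, or any browser): a resolver that reads each `Location` header by hand instead of auto-following, and reports the hop chain and whether the final host differs from the one shown. The hosts, the response table and the function names `sample_fetch`, `expand` and `describe` are constructed placeholders standing in for HEAD requests made with redirects disabled.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample responses: url -> (status, Location header). Hosts are placeholders.
SAMPLE_RESPONSES = {
    "https://short.example/abc": (301, "https://maps.example/viewer?mid=1"),
    "https://maps.example/viewer?mid=1": (302, "//landing.example/win"),
    "https://landing.example/win": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop"),
}
REDIRECT_CODES = {301, 302, 303, 307, 308}


def sample_fetch(url):
    """Stand-in for a HEAD request that does not follow redirects."""
    return SAMPLE_RESPONSES.get(url, (404, None))


def expand(url, fetch=sample_fetch, max_hops=10):
    """Walk the redirect chain one hop at a time; return (hops, verdict)."""
    hops, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return hops, "resolved"
        # Location may be absolute, relative or scheme-relative.
        url = urljoin(url, location)
        hops.append(url)
        if urlsplit(url).scheme not in ("http", "https"):
            return hops, "blocked-scheme"
        if url in seen:
            return hops, "loop"
        seen.add(url)
    return hops, "too-many-hops"


def describe(url, fetch=sample_fetch):
    """Summarise what a user would want to see before clicking."""
    hops, verdict = expand(url, fetch)
    first = urlsplit(hops[0]).hostname
    last = urlsplit(hops[-1]).hostname
    return {
        "hops": hops,
        "verdict": verdict,
        "final_host": last,
        "host_changed": first != last,
    }
```

This only sees HTTP-level redirects; a page that forwards the visitor with script or a meta refresh returns 200 and appears here as the final hop. Resolving a link also sends a request to every host in the chain, so the sender can observe that the link was checked.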
  10. Re:Weird by Danathar · · Score: 3, Interesting

    I agree but... The whole reason WHY people use link shorteners is BECAUSE some URLs are so long that it IS practically obfuscated.

  11. Re:Weird by Opportunist · · Score: 2, Insightful

    Thanks to living in a world where LetsDecrypt has basically destroyed any notion of responsible behavior by certificate issuers these shorteners are even more dangerous.

    I was right with you until this line. Because you want certificates to do something they were not only never designed for but simply and plainly cannot do. You want a certificate to mean that you are going to end up at the "right" destination. And that's not what they're for. All a certificate will do in your browser is to determine whether the server associated with the certificate is also the server that serves you the content you requested. Nothing more, nothing less.

    What a certificate cannot and does not do is determine whether the server www.mycompany.com belongs to MyCompany.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.