Yesterday morning I received a Skype message from a former colleague I hadn’t heard from in a long time, and who was apparently delighted to be back in touch.
I say a message; it wasn’t even that much, it was just a link. Out of the blue.
It was obviously a scam, but it caught my attention because it didn’t involve an obviously dodgy or ridiculous-looking URL. It was a link to Google, and I wondered how it worked.
I’ve obscured part of the URL, but the important thing is that it looked like this:
I wasn’t interested in where the link would take me (for the record, it pointed at a punycoded URL that redirected to a malicious website), but I wanted to see how the Google URL was being used to get me there.
It reminded me of a very similar Skype message I had received a few years ago, which exploited an open redirect on Google Maps, and I wondered if this was another one.
Over the years crooks have learned that simple things work for them, and the simplest message of all is nothing more than a malicious link. Of course, if all they’ve got is one link, they don’t want you to be put off by it.
And that’s a problem, because their own domains tend to get shut down. Malicious websites are likely to be blocked and don’t have a very long lifespan, so crooks can’t host their content at dependable addresses. Instead they often hack legitimate websites and use them to host their content, or as intermediaries.
The resulting collection of compromised blogs, dental practices and mom-and-pop travel agency websites looks odd and unfamiliar.
Crooks need a way to disguise those links so that they look more trustworthy.
One solution is to find an open redirect on a legitimate site: a redirection feature that can be abused to send users from a trusted site to a less trusted one.
However, open redirects are usually bugs, and sooner or later they are likely to be closed. The Holy Grail is a legitimate website with an open redirect that is a feature rather than a bug.
Well, there is such a feature, and it’s on the biggest website of all.
In some browsers, such as Firefox or Safari, Google’s search results don’t take you directly to the sites listed. Instead, the links point back at Google. When you click on a search result you are sent to another Google URL, which then redirects you to your destination. Google does this so that it can record which link you clicked. (If you are using Chrome or a Chromium-based browser such as Brave you aren’t redirected this way, but Google still learns which link you followed, via the rarely seen ping attribute.)
The URL Google uses for the redirect is https://www.google.com/url, and it is effectively an open redirect. Add the right url parameter and it will redirect you to any URL on the web:
And it’s very similar to the phishing URL I received.
If you pasted the link above into your browser you will have noticed that you didn’t go straight to example.org. Instead you were shown a Google web page warning that the previous page was sending you to a different URL.
So why doesn’t that warning appear when you click on Google search results and, more importantly, why didn’t it appear when I followed the Skype link?
The answer is that the phishing URL contains a second parameter, sa=t, and a third, usg, which holds a unique identifier. After some quick research I couldn’t find anyone who knew how usg IDs are generated, but crooks don’t need to generate them. If a website appears in Google’s search results it already has a usg, which can easily be extracted from the source code of the results page.
This means that crooks can only use Google’s open redirect with sites that are in Google’s search index. But that’s no obstacle if you are already hacking legitimate websites.
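As an added illustration (not code from the original article), here is a small Python helper that does what the advice to check a URL before clicking boils down to for this trick: it recognises a www.google.com/url link, pulls the real destination out of its url parameter, notes whether sa and usg are present (the parameters that, as described above, let the link skip Google’s warning page), and decodes a punycoded hostname so a lookalike domain becomes visible. The sample links, including the usg value, are constructed for the example; the set of Google hostnames it recognises is an assumption limited to the one named on this page.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: only the host named in the article. Google also serves /url on
# other hostnames, so extend this set if you deploy the check for real.
GOOGLE_HOSTS = {"google.com", "www.google.com"}


def unwrap_google_redirect(link: str) -> dict:
    """Inspect a link and, if it is a google.com/url redirect, report where it really goes."""
    parts = urlsplit(link)
    host = (parts.hostname or "").lower()
    if host not in GOOGLE_HOSTS or parts.path != "/url":
        return {"is_google_redirect": False, "destination": None}

    params = parse_qs(parts.query)
    dest = params.get("url", [None])[0]  # parse_qs already percent-decodes
    info = {
        "is_google_redirect": True,
        "destination": dest,
        # Per the article, sa=t plus a valid usg is what suppresses the interstitial.
        "has_sa": "sa" in params,
        "has_usg": "usg" in params,
    }
    if dest is None:
        info.update(destination_host=None, external=False, punycoded=False)
        return info

    # A destination without a scheme (e.g. "url=example.org") yields no hostname;
    # it is reported as non-external rather than guessed at.
    dest_host = (urlsplit(dest).hostname or "").lower()
    info["destination_host"] = dest_host
    info["external"] = dest_host != "" and dest_host not in GOOGLE_HOSTS

    # Punycode labels start with "xn--" and hide non-ASCII characters;
    # show the Unicode form so a lookalike domain is obvious to the reader.
    info["punycoded"] = any(label.startswith("xn--") for label in dest_host.split("."))
    try:
        info["destination_host_unicode"] = dest_host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        info["destination_host_unicode"] = dest_host
    return info


# Constructed sample links for the example (the usg value is a placeholder).
SAMPLE_LINKS = [
    "https://example.org/",
    "https://www.google.com/url?sa=t&url=https%3A%2F%2Fexample.org%2F&usg=CONSTRUCTED",
    "https://www.google.com/url?url=http%3A%2F%2Fxn--bcher-kva.ch%2Flogin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        for key, value in unwrap_google_redirect(link).items():
            print(f"  {key}: {value}")
```

Run it as a script to see each sample link unwrapped; the second sample shows the shape of the phishing link described above (sa and usg present, external destination), and the third shows an xn-- hostname rendered in its Unicode form.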
Google’s search results have worked this way for a very long time, and I imagine the tactic I’ve described here has been in use for almost as long. So why does Google tolerate it? Well, Google (which, whatever you think of the company, takes security very seriously) doesn’t consider open redirects to be a security issue.
It says that poorly implemented redirects can lead to more serious vulnerabilities, and it is happy to hear about those. So Google is interested if the redirect could be used to compromise Google, but not in the trick the scammer used to send me somewhere else.
What should I do?
Even if you’re familiar with how scammers operate, there’s always the chance that they will adopt new tactics or (as happened to me) that you’ll be caught out by an old tactic you’ve simply never seen before.
- Don’t trust the sender’s name. Whether it’s Skype, email or any other messaging system, scammers will try to use names you trust.
- You don’t have to click on the link. If the sender hasn’t explained why you should click, don’t! And even once they have, you don’t have to act on advice you didn’t ask for or expect.
- Check the URL before you click. If the website it’s sending you to doesn’t look right, stay away. Bear in mind that scammers may try to use bugs or features of legitimate websites to disguise URLs.
- Use training and web filtering to avoid malicious websites. Sophos Phish Threat can teach users to spot scams, and the web filters in products such as XG Firewall or Sophos Home can protect them if they don’t.