Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Trustwave's 2024 Retail Report Series Highlights Alarming E-Commerce Threats and Growing Fraud Against Retailers. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Beyond the Facade: Unraveling URL Redirection in Google Services

In the murky waters of cyber threats, one tactic has steadily gained wide adoption: URL redirection in phishing attacks. This stealthy technique allows cybercriminals to cloak malicious links, making them appear harmless to unsuspecting users. Among the vast expanse of online services, various Google Services stand out as frequent targets for exploitation. Cybercriminals find it opportune ground to hide their nefarious intents behind seemingly innocuous links.

In the third quarter of 2023, a notable surge in phishing attacks surfaced that leveraged Google AMP (Accelerated Mobile Pages) and Google Apps Scripts to facilitate the attack. Google AMP is a developer framework offered by Google specifically for crafting quick-loading web pages for mobile devices. On the other hand, Google Apps Scripts is a scripting language for extending the functionality of various Google Workspace Apps like Google Sheets, Google Docs, and Google Drive. The attackers ingeniously use the developer URLs associated with these services as redirectors, creating a veil for their phishing websites.

In this first sample, the phishing email disguises itself as a Microsoft SharePoint notification about a shared file, which can be accessed through the link provided. Based on keywords used in the title of this supposed shared file, it appears that it contains information about a financial transaction that would benefit the victim/recipient.

 

Picture1

Figure 1: Phishing email disguising as a SharePoint notification.

 

Picture1-1

Figure 2: URL extracted from Figure 1 which leverage Google AMP as a redirector.

 

The visible link (Figure 2) in the email sample (Figure 1) redirects to another cloud storage service (Figure 3) owned by Swarm Foundation for the use of Ethereum, a form of cryptocurrency.

 

Picture2-1

Figure 3: URL redirection of Figure 2 which leverage the storage service of Swarm Foundation.

 

This second sample, similar to the first, is where the emulated template notifies its user of a financial transaction, that of a failed payment.

 

Picture2

Figure 4: Phishing email disguising as a Zoominfo notification.

 

Picture4-1

Figure 5: URL extracted from Figure 4 which leverage Google AMP as a redirector.

 

The visible URL (Figure 5) redirects to another web service called Azure Front Door, a Content Delivery Network (CDN) from Microsoft that offers fast and reliable access to web content.

 

Picture6-1

Figure 6: URL redirection of Figure 5 which leverage Microsoft's Azure Front Door service.

 

In the third sample, we can see an email sample disguised as a system upgrade notification instructing its victim to update their account by signing in through the link provided. This time, the threat actor leveraged another service called Google Apps Scripts. Google had already taken down the malicious macro code by the time we got our hands on the sample; however, while the URL is clearly out of place in notifications like this and is sure to raise red flags, it can still pass as legitimate to an untrained eye.

 

Picture3

Figure 7: Phishing email disguised as a system update notification.

 

Picture8

Figure 8: URL extracted from Figure 7 which leverage Google Apps Scripts.

 

Though we couldn't inspect the landing pages in the provided samples due to the URLs being taken down, the added complexity resulting from the involvement of genuine services in the redirection chain demands our attention. Google, among various other legitimate online services, is exploited by threat actors to sidestep email filters. The use of authentic domains not only provides a false sense of security but also lures unsuspecting victims into clicking on links, making this approach increasingly favored in phishing attacks.

It becomes crucial to heighten awareness by anticipating a surge in such tactics over time. Staying informed is key to protecting oneself against these evolving threats. Remain watchful and informed to better shield against these deceptive maneuvers.

About the Author

Mike Casayuran is a Threat Researcher at Trustwave with over 13 years of experience in email security. He is currently part of the SpiderLabs Email Team, where he is responsible for building machine-learning models to protect customers from URL-borne threats. Follow Mike on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo