Is Google AMP to blame for Russian hackers stealing information?
Google is in hot water with the security community after it was revealed that the Russian hacking group Fancy Bear has been abusing its Accelerated Mobile Pages (AMP) platform, in what critics have described as a vulnerability.
An article on Salon reports that Fancy Bear had been making use of Google’s AMP system of mobile pages to fool users into believing it was serving up legitimate pages. It then used these more convincing pages to steal the data of journalists the group had specifically targeted. In other words, Fancy Bear was using Google AMP to stage a good, ol’-fashioned phishing attack.
The piece then points the blame at Google, stating it’s a problem that Google “refused to fix”. However, while Google has made strides in handling phishing attacks through email, the problem doesn’t inherently lie within the AMP platform. Pointing the finger at Google undermines the very efforts it’s making to improve web experiences.
AMP pages are cached on Google’s servers to speed up their loading on mobile, where variable data-transfer speeds make pages notoriously slow to load. AMP works by stripping out the superfluous baggage many websites carry and replacing standard adverts with faster, AMP-format ones.
In the process of caching a page, Google has to serve it from its own address, so the URL becomes a google.com/amp/ link with the original address appended after the prefix. Some believe this misleads users who simply read the start of the URL and take it for a trustworthy source; it’s a problem some have already flagged with the platform, as they believe it lets fake news sites spread as if they were legitimate news outlets.
Fancy Bear exploited this “vulnerability” as part of its phishing campaign, tricking journalists who were investigating the group, which is alleged to be sponsored by the Russian government. But the truth is that Fancy Bear didn’t hack the AMP system, and Google’s platform isn’t broken.
Instead, it looks as if the art of the phishing attack is simply evolving to fit a new medium.
As the Salon report points out, the phishers first attempted to garner information from selected journalists via more traditional means. Earlier messages used URL shorteners such as Bit.ly, but over time they relied on AMP links to make these sketchy pages appear legitimate.
“These emails attempted to lure their targets by taking them to a fake Google login page where they would enter their credentials,” a ThreatConnect spokesperson told Salon. “To do this, the attackers leveraged both Google’s AMP services and link-shortening services to obscure the fact that the page was not a legitimate Google site and to make it look readable if the target was using a mobile phone.”
Just as people have become used to spotting dodgy links in emails, the same will eventually be true of AMP pages. Beneath the google.com AMP prefix, the URL carries the original address, which, in this case, was a shortened link masking the fake login page. It’s not a sophisticated hack: it’s simply a team of web-savvy hackers creating pages that adhere to Google’s AMP standard.
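The check a mail-filtering or triage script would want here is to unwrap the google.com/amp/ prefix and look at the host the user will actually land on, flagging the pattern described above (a shortener hidden behind an AMP link). The following is an added example, not code from the article or from Google; the shortener list and the sample links are constructed for illustration, and it only handles the google.com/amp/ URL form the article discusses.

```python
from urllib.parse import urlsplit, unquote

# Assumption for this example: a short list of link-shortener hosts worth flagging.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# AMP cache front-ends this example recognises (the google.com/amp form discussed above).
AMP_CACHE_HOSTS = {"google.com", "www.google.com"}


def unwrap_amp(url):
    """Return the URL a google.com/amp link really points at, or the input unchanged.

    Public AMP cache links look like
        https://www.google.com/amp/<host>/<path>      (original page was http)
        https://www.google.com/amp/s/<host>/<path>    (original page was https)
    Only the part after /amp/ identifies the real origin; the google.com host does not.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() not in AMP_CACHE_HOSTS:
        return url
    path = unquote(parts.path)
    if not path.startswith("/amp/"):
        return url
    rest = path[len("/amp/"):]
    scheme = "http"
    if rest.startswith("s/"):
        scheme = "https"
        rest = rest[2:]
    if not rest:
        return url
    inner = f"{scheme}://{rest}"
    if parts.query:
        inner += "?" + parts.query
    return inner


def classify_link(url):
    """Label a link for triage: the host shown, the host really reached, and a verdict."""
    target = unwrap_amp(url)
    real_host = urlsplit(target).netloc.lower()
    wrapped = target != url
    if real_host in SHORTENER_HOSTS:
        verdict = "suspicious: shortener hidden behind AMP" if wrapped else "suspicious: shortener"
    elif wrapped:
        verdict = "amp-wrapped"
    else:
        verdict = "plain"
    return {
        "displayed_host": urlsplit(url).netloc.lower(),
        "real_host": real_host,
        "verdict": verdict,
    }


# Constructed sample links modelled on the campaign described above; not real indicators.
SAMPLE_LINKS = [
    "https://www.google.com/amp/s/bit.ly/2abcXYZ",
    "https://www.google.com/amp/s/www.example-news.org/article/123?utm=1",
    "https://www.google.com/amp/example.com/page",
    "https://bit.ly/2abcXYZ",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_link(link))
```

The point of the split between `displayed_host` and `real_host` is exactly the one the article makes: a user (or a naive filter) that stops reading at google.com never sees that the page is served for bit.ly, and a shortener in that position is itself a signal, since a legitimate publisher's AMP page carries the publisher's own host there.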
Earlier this year, The Register wrote about how phishing emails had started using fake attachments to lure users to phoney pages. Instead of using AMP pages to trick users into believing they were accessing legitimate pages, they would insert images of what appeared to be attachments. Clicking on one would open a web page from within the webmail client, so that the address shown began with what looked like a Google.com URL. Thankfully, two-factor authentication is still a strong defence against this, with the caveat that a phishing page can relay a one-time code in real time as readily as a password, so origin-bound methods such as security keys are the more robust choice.
The Salon article derides Google for keeping its security updates on the AMP platform quiet but, if the company were to reveal how it’s trying to stamp out these dodgy pages, that would enable hackers to work out how to circumvent these measures faster.
Google can’t “fix” the problem because there is no problem that needs fixing. AMP is working exactly as it should; phishers are just taking advantage of an emerging technology. This doesn’t mean that AMP is perfect, far from it, but it will take time to mature.
Google is already working on standardising the initiative, stating on a thread on GitHub that it’s working “with browser vendors to eventually get the origin [URL] right”. When phishing attacks first became commonplace, people weren’t used to spotting questionable URLs. Now even the least internet-savvy user can spot when something seems awry; it takes time, and the technology needs to become standardised. Instead of deriding Google for a “flaw” that doesn’t exist, it’s worth highlighting that the art of the phishing attack is changing.
Google offered up a reply to our article, with Ubi stating “Contrary to the claims in the story, we fixed this issue at the beginning of the year to make google.com/amp URLs safer.
“Now when our systems are uncertain whether a given URL is safe, we will show an interstitial informing the user that they are being redirected to another page that is potentially unsafe to click on. We are leveraging a number of security safeguards including Google’s Safe Browsing technology, which scans the web for potentially dangerous sites and warns users before they navigate to them.”