The “Change Password” button linked to a short URL from the
Tiny.cc link shortener service, a Bitly competitor. But the
hackers cleverly disguised it as a legitimate link by using
Google’s Accelerated Mobile Pages, or AMP. This is a service
hosted by the internet giant that was originally designed to speed
up web pages on mobile, especially for publishers. In practice, it
works by creating a copy of a website’s page on Google’s servers,
but it also acts as an open redirect.
According to Citizen Lab researchers, the hackers used Google
AMP to trick the targets into thinking the email really came
“It’s a percentage game, you may not get every person you phish
but you’ll get a percentage,” John Scott-Railton, a senior
researcher at Citizen Lab, told Motherboard.
So if the victim had quickly hovered over the button to inspect
the link, they would have seen a URL that starts with
google.com/amp, which seems safe, and it’s followed by a Tiny.cc
URL, which the user might not have noticed. (For example:
A huge reason that phishing works is that most people just aren’t technically savvy enough to tell a phony-looking URL from a legitimate one. But a URL that really is coming from the google.com domain — that’s the sort of link that even a web developer might think looks legit, especially at a glance.
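The AMP-prefix trick above is straightforward to unwrap mechanically, which is what a mail filter or link-triage script should do rather than trusting the google.com prefix. The following is an added example (not code from the article, Citizen Lab, or Google); it assumes the AMP cache link layout `google.com/amp/<host>/<path>` for http targets and `google.com/amp/s/<host>/<path>` for https, and the shortener list and sample links are constructed for the demo.

```python
# Added example (not from the article or Citizen Lab): peel the destination
# out of a google.com/amp/... link and flag it when the real target is a
# link shortener, as in the phishing email described in the article.
from typing import Optional
from urllib.parse import urlsplit

# Assumed shortener list for the demo; extend it from your own threat intel.
SHORTENERS = {"tiny.cc", "bit.ly", "t.co", "goo.gl"}


def unwrap_amp(url: str) -> Optional[str]:
    """Return the URL wrapped inside a google.com/amp/... link, else None.

    Assumed layout: google.com/amp/<host>/<path> forwards to http://<host>/<path>,
    and google.com/amp/s/<host>/<path> forwards to https://<host>/<path>.
    """
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    path = parts.path.lstrip("/")
    if not path.startswith("amp/"):
        return None
    inner = path[len("amp/"):]
    scheme = "http"
    if inner.startswith("s/"):
        scheme, inner = "https", inner[2:]
    return f"{scheme}://{inner}" if inner else None


def classify_link(url: str) -> str:
    """'plain', 'amp-redirect', or 'amp-redirect-to-shortener'."""
    inner = unwrap_amp(url)
    if inner is None:
        return "plain"
    inner_host = urlsplit(inner).hostname or ""
    return "amp-redirect-to-shortener" if inner_host in SHORTENERS else "amp-redirect"


def triage(links):
    """Return (link, hidden destination) pairs for AMP links that hide a shortener."""
    return [(u, unwrap_amp(u)) for u in links if classify_link(u) == "amp-redirect-to-shortener"]


# Constructed sample links modelled on the article's description; the tiny.cc
# path is a placeholder, not the one used in the real campaign.
SAMPLE_LINKS = [
    "https://www.google.com/amp/tiny.cc/EXAMPLE-PLACEHOLDER",
    "https://www.google.com/amp/s/example.org/news/story",
    "https://accounts.google.com/signin",
]

if __name__ == "__main__":
    for url, dest in triage(SAMPLE_LINKS):
        print(f"FLAG {url} -> {dest}")
```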