By John Gruber
WorkOS: APIs to ship SSO, SCIM, FGA, and User Management in minutes. Check out their launch week.
Lorenzo Franceschi-Bicchierai, reporting for Motherboard:
The “Change Password” button linked to a short URL from the Tiny.cc link shortener service, a Bitly competitor. But the hackers cleverly disguised it as a legitimate link by using Google’s Accelerated Mobile Pages, or AMP. This is a service hosted by the internet giant that was originally designed to speed up web pages on mobile, especially for publishers. In practice, it works by creating a copy of a website’s page on Google’s servers, but it also acts as an open redirect.
According to Citizen Lab researchers, the hackers used Google AMP to trick the targets into thinking the email really came from Google.
“It’s a percentage game, you may not get every person you phish but you’ll get a percentage,” John Scott-Railton, a senior researcher at Citizen Lab, told Motherboard.
So if the victim had quickly hovered over the button to inspect the link, they would have seen a URL that starts with google.com/amp, which seems safe, and it’s followed by a Tiny.cc URL, which the user might not have noticed. (For example: https://www.google[.]com/amp/tiny.cc/63q6iy)
A huge reason that phishing works is that most people just aren’t technically savvy enough to tell a phony-looking URL from a legitimate one. But a URL that really is coming from the google.com domain — that’s the sort of link that even a web developer might think looks legit, especially at a glance.
★ Monday, 29 May 2017