A Comprehensive Guide: Unmasking and Analyzing Phishing Attempts via Google AMP — A Case Study

Muzammil Hassan
Published in System Weakness
6 min read · Jul 13, 2023

Part I: Understanding Google AMP

Google AMP (Accelerated Mobile Pages) is a web publishing framework developed by Google as a user-first format for web content. It aims to make pages and advertisements load quickly, above all on mobile devices, where slow and cumbersome browsing was the norm. It does this by defining a restricted version of a standard HTML page: CSS is limited, author-written JavaScript is replaced by AMP's own components, execution is kept off the main thread, and resource loading is prioritised. In addition, Google keeps copies of valid AMP pages in the Google AMP Cache, so a page opened from Google search results is served from Google's infrastructure rather than the publisher's.

That caching is also what produces AMP's distinctive URL structure: a link that begins with https://www.google.com/amp/ (or a regional equivalent such as https://www.google.co.uk/amp/) followed by the original page's host and path. The first domain a reader sees is Google's, yet the browser ends up wherever the embedded destination points, which is exactly what makes the format attractive in phishing attacks.

Part II: Google AMP and Phishing Attacks

Phishers take advantage of Google's AMP service by publishing pages that comply with the AMP standard. When such a page is fetched through Google, it is stored in the AMP cache and becomes reachable through a URL that starts with https://www.google.com/amp/ (in practice the viewer URL will also forward a visitor to a destination that is not a cached AMP page at all, so the attacker does not even depend on the cache). Either way the link the victim receives carries Google's domain, and that association lends it an appearance of authenticity. Users who trust the prefix land on a page that asks for sensitive information, such as login credentials, credit card details or personal data, and everything they enter is collected by the phishers for identity theft, fraud or follow-on intrusion into the victim's organisation.

Part III: The Anatomy of a Google AMP Phishing Attack — A Case Study

Let’s delve into a real-life scenario for better understanding. This case study, based on personal experience, demonstrates how phishing attackers can misuse Google AMP.

Step 1: The Phishing Email

The attack starts with a seemingly benign email. However, upon closer examination, a few suspicious elements become evident. Firstly, the sender’s email address may not match the service they claim to represent. Secondly, the email might employ a sense of urgency to push the recipient into clicking a provided link as shown in Fig 1.

Fig 1: Phishing Email

Step 2: The Misleading URLs

Fig 2 breaks down the URL used in this phishing attack. It begins with https://www.google.co.uk/amp/, the prefix Google uses for its AMP viewer (note the regional google.co.uk domain; any Google country domain works the same way). Everything after that prefix is the attacker's own URL. In the AMP viewer format, an optional s/ segment marks an HTTPS origin and the segment after it is the destination hostname, and that hostname, not google.co.uk, is where the victim's browser actually ends up after the click.

Fig 2: URL Breakdown

Fig 3 shows the request sent to the attacker's website and the response it returned. The response headers give away details of the server hosting the phishing page, such as the server software and the technologies used to build the site. When reproducing this kind of check, send the request from an isolated analysis host rather than a user's machine: fetching the page tells the attacker's server that the link was opened.

Fig 3: URL Response

Step 3: The Phishing Page

Clicking the URL lands on a page that looks exactly like the original site, as shown in Fig 4. Notably, the attacker's site is fronted by Cloudflare, which hides the real hosting server's IP address and can challenge or block automated crawlers and scanners, so the page is harder to find and take down. This shows how much effort the attacker has put into staying out of reach.

The red flag is the address shown at the top of the landing page, which does not belong to the genuine login service. The design and layout closely mimic the authentic site, so the two are hard to tell apart at first glance, but on closer inspection the wording on the page differs from the original. Even when a replica is otherwise perfect, these language discrepancies are warning signs.

Fig 4: Phishing Page

Step 4: Probing the Site — False Credentials and Attempted Password Reset

The deceptive page asks only for the password; the username is already pre-filled, as shown in Fig 5, which means the link or the kit behind it already carried the target's address. This is a targeted campaign, not a bulk one. To strengthen the illusion, the page validates the entered password against the real Microsoft account service in the background, so a wrong password is rejected just as it would be on the genuine site. This credential-relay behaviour adds credibility to the deceptive page and makes it even more convincing to unsuspecting users.

Fig 5: False Credentials

Curiously, the page gave no response at all to the password reset request, which is not how a legitimate site behaves: a real reset flow would either send an email or return an error.

Fig 6: Attempted Reset Password

Step 5: Retreating to the Main Page

Going back, the site showed what looked like the main Microsoft login page. It is crucial to note that although the page looked genuine, the fake URL persisted in the address bar, as shown in Fig 7; the victim never left the attacker's site.

Fig 7: Main Page

Step 6: Non-responsive Account Creation Attempt

An attempt to create a new account, and to explore the other options on the page, was again met with silence. This too diverges from how a legitimate site behaves and reinforces the suspicion of a phishing attempt: the kit implements only the one flow it needs, the password prompt.

Step 7: The Institutional Account Redirect

The deceptive site then asks for the password of another institutional account, while the address bar, shown in Fig 8, still displays the misleading URL.

Fig 8: Institutional Login Attempt

Step 8: Attempting an Outlook Account

Entering an Outlook account produced an error, as shown in Fig 9. This is a telling sign that the kit is tuned to accept only accounts from the targeted institution and rejects everything else.

Fig 9: Outlook login Attempt

Through these steps we can see that the page is essentially a trap, built to catch unsuspecting people, especially those with institutional accounts. It shows how carefully constructed and evasive a phishing attack can be.

Part IV: Identifying and Protecting Against AMP Phishing Attacks

Identifying and protecting yourself from such attacks requires vigilance and an understanding of the warning signs.

Check the URL: Before clicking, hover over or copy the link and look at what follows "https://www.google.com/amp/" (or google.co.uk/amp/, google.de/amp/ and so on; any Google country domain works). In the AMP viewer format the segment right after the prefix, following an optional "s/", is the real destination host, and that host, not google.com, is the site you are about to visit. Treat it with the same suspicion you would give a bare link to that domain.

Verify Landing Page: Carefully check the displayed web address on landing page to ensure it matches the legitimate site it claims to be.

Verify Page Layout and Language: Look for discrepancies in the page layout and language.

Urgent Language is a Red Flag: Many phishing emails use urgent language to induce quick, unthinking action.

Use Two-Factor Authentication (2FA): 2FA adds an extra layer of security, so a stolen password alone is not enough to log in. Bear in mind that a kit which relays the password to the real login in real time, as this one appears to, can relay a one-time code the same way; where possible, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site's origin.

Update Devices and Software: Regular updates often include security patches for potential vulnerabilities.
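The URL check from Step 2 and the "Check the URL" item above can be automated at the mail gateway or in a SOC triage script. The following is an added example and not code from the original article: a small Python utility that unwraps Google AMP viewer links (any google.<tld> domain, with or without the s/ HTTPS marker) to their real destination and labels each destination against an allowlist of hosts your organisation expects. The sample links and the trusted-host list are constructed for the demonstration; the example.* domains are placeholders, and the allowlist is an assumption you would replace with your own.

```python
import re
from urllib.parse import urlsplit, unquote

# Google AMP viewer URLs look like https://www.google.<tld>/amp/[s/]<host>/<path>.
# An "s/" segment after /amp/ means the destination is served over HTTPS;
# without it the destination is plain HTTP.
GOOGLE_HOST_RE = re.compile(
    r"^(?:www\.)?google\.(?:com|[a-z]{2}|(?:co|com)\.[a-z]{2})$", re.IGNORECASE
)
AMP_PATH_RE = re.compile(r"^/amp/(?:(s)/)?([^/?#]+)(.*)$", re.IGNORECASE)


def unwrap_amp_url(url):
    """Return the real destination behind a Google AMP viewer URL, or None.

    None means the URL is not a google.<tld>/amp/ link at all, so the caller
    should evaluate it on its own merits rather than unwrap it.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return None
    if not GOOGLE_HOST_RE.match(parts.hostname or ""):
        return None
    # Decode once so a %2F-encoded separator cannot hide the real host from the analyst.
    match = AMP_PATH_RE.match(unquote(parts.path))
    if not match:
        return None
    secure, host, rest = match.groups()
    scheme = "https" if secure else "http"
    query = "?" + parts.query if parts.query else ""
    return f"{scheme}://{host.lower()}{rest}{query}"


def triage_links(urls, trusted_hosts):
    """Unwrap every AMP link in `urls` and label its destination host.

    A destination is 'trusted' only if it equals, or is a subdomain of, one of
    `trusted_hosts`; anything else is 'suspicious'. Non-AMP URLs are skipped.
    """
    findings = []
    for url in urls:
        destination = unwrap_amp_url(url)
        if destination is None:
            continue
        host = urlsplit(destination).hostname or ""
        trusted = any(host == t or host.endswith("." + t) for t in trusted_hosts)
        findings.append(
            {"link": url, "destination": destination, "verdict": "trusted" if trusted else "suspicious"}
        )
    return findings


# Constructed sample input (reserved example.* domains stand in for real ones).
SAMPLE_LINKS = [
    "https://www.google.co.uk/amp/s/login.example.net/owa/",        # attacker-style, HTTPS origin
    "https://www.google.com/amp/s/www.example.com/news/amp/story",  # legitimate publisher
    "https://www.google.com/search?q=amp+phishing",                  # not an AMP viewer URL
    "https://www.google.com.au/amp/example.org/login?user=alice",    # regional domain, HTTP origin
]
# Assumed allowlist: the domains your organisation expects AMP links to resolve to.
TRUSTED_HOSTS = ["example.com"]


def run_sample():
    return triage_links(SAMPLE_LINKS, TRUSTED_HOSTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['verdict']:<10} {finding['destination']}  <- {finding['link']}")
```

The utility deliberately never fetches anything: it reasons about the link text alone, so it can run on every inbound message without touching the attacker's server or tipping them off that a link was delivered. Hostnames are matched as exact or subdomain matches against the allowlist; a lookalike such as example.com.evil.test therefore stays suspicious.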

Part V: Google’s Measures and Future Outlook

Google has made changes to counter the misuse of AMP, including showing the publisher's actual domain instead of the google.com/amp URL when an AMP page is opened from search results. Despite these measures, phishing tactics evolve continually, which underscores the importance of staying alert and informed about current threats. Cyber education is integral for internet users, and service providers and companies should regularly inform their users about current scams and how to protect themselves.
