If you read my previous blog post about an undocumented ProtonMail feature, and how I’ve been receiving spam, well, then you know that I’ve been receiving spam from the same attacker.
The spammers are including a nefarious link, as one would expect. But here’s the interesting part: They’re using the actual google.com domain to trick filters and users into thinking it’s a safe link.
You see, there are lists with known bad domains, and after a malicious domain has been circulating for some time it will eventually end up on one of those lists which can be used by filters. Of course, google.com would never end up on one of those filter lists (except by mistake), so if you could somehow control google.com to spread your links, that would be the holy grail, wouldn’t it? Well, you can.
How it’s done
Say I want to email you with a link to my blog here at https://www.sindastra.de, but I fear it might get filtered…
First, we URL encode it (which translates special characters to be used in URLs):
Then we use Google’s convenient URL redirect feature…
And all of a sudden, you have a “safe link”. In this case, of course, it’s actually safe. But spammers can abuse this to spread links that are not safe.
While Google has put an additional step in place with a “redirect notice”, the point remains: The filters have already been tricked and the link arrived at the user.
Now think of all the other websites that exist, which are “trusted” but offer some redirect feature… Perhaps even fully automatic.
What can you do about this?
You can be aware of this issue, and take a closer look before clicking on links that seem safe at first glance. You can create awareness by linking to this article here.
What can filters and email providers do about this?
For the issue specific to Google, they could filter “google.com/url”.
For the issue with redirects in general, filters could perhaps run URL decoding over the email as a first step, to then find more links in the second step, and filter those.
What can Google do about this?
Google could add filtering themselves, and block redirects to known bad domains. I did look for some common filter lists, and tried some known malware domains and none were blocked, which makes me believe Google does not currently filter. They could, of course, also stop offering this redirect feature altogether.
As a software developer, whenever I have to create an API or something like this, I ask myself how it could be abused, and how I can prevent that. Why doesn’t Google?