In the ever-evolving landscape of cybersecurity threats, a new technique involving Google’s Accelerated Mobile Pages (AMP) is being increasingly used by cybercriminals for phishing attacks. As a widely respected and trusted platform, Google AMP has now unfortunately become a tool in the hands of these threat actors to bypass email security measures and sneak into the inboxes of unsuspecting enterprise employees.
Google AMP is an open-source HTML framework co-created by Google and 30 partners aimed at speeding up the load times of web content on mobile devices. These pages are hosted directly on Google’s servers where the content is simplified and some heavy media elements are pre-loaded for faster delivery.
Leveraging the reputable status of Google, threat actors are embedding Google AMP URLs in phishing emails. This is designed to prevent email protection technology from marking these messages as malicious or suspicious. These AMP URLs act as a redirect to a malicious phishing site, adding another layer that hampers analysis and increases the complexity of the threat.
According to a report by anti-phishing protection company Cofense, phishing attacks employing Google AMP have significantly increased towards mid-July, indicating a trend of adoption among cybercriminals. The study reveals that approximately 77% of the observed Google AMP URLs were hosted on google.com and 23% on google.co.uk.
Blocking these common “google.com/amp/s/” paths would inevitably impact all legitimate uses of Google AMP. Instead, it may be more appropriate to flag these URLs, alerting recipients to potentially malicious redirects.
Beyond just using Google AMP URLs, threat actors are employing additional stealthy techniques to avoid detection. For instance, many phishing emails contain image-based HTML content instead of traditional text bodies to confound text scanners that look for common phishing terminologies.
In some cases, attackers also introduce an additional redirection step, using a Microsoft.com URL to lead the victim to the Google AMP domain and finally to the actual phishing site. Cloudflare’s CAPTCHA service is another tool in the arsenal of these threat actors, used to obstruct automated analysis of phishing pages by security bots and preventing them from accessing these sites.
The increasing sophistication and multi-layered nature of these phishing attacks pose significant challenges for both targets and security tools. The integration of several detection-evading techniques makes it harder to identify and block these threats, underscoring the need for constant vigilance, regular updates of security measures, and cybersecurity education among employees.
In an era where cybersecurity threats are continually evolving, it is critical to keep abreast of the latest techniques employed by threat actors and take preventive steps to protect enterprise data and systems.
“As defenders rely on an increasing number of protective layers in their environments, so do cybercriminals who add new analysis-thwarting measures.
Abusing Google AMP in phishing attacks is a clever way that malicious actors have discovered to bypass the usual email security measures and defense tactics, so it remains pivotal that people verify any links before clicking on them. This case clearly shows that using a mix of a small number of genuine links leading to legitimate services with good reputation and clickable images within an email can help attackers bypass some of the current anti-phishing security measures.
While it makes phishing attacks increasingly challenging to identify, a combination of user awareness and high-quality technology remains pivotal in detecting and preventing threats such as this one.”