
Russian hackers exploited Google’s AMP flaw to steal

Google AMP – A security flaw tied to Google’s Accelerated Mobile Pages (AMP) was used in phishing campaigns aimed at journalists, including at least one attack that successfully accessed a journalist’s Gmail and published documents online. The episode also fed criticism fr

A phishing campaign built to look like a legitimate Google password alert didn’t just target one account. It repeatedly reached journalists investigating corruption and other wrongdoing tied to people affiliated with the Russian government, using a flaw in how Google’s Accelerated Mobile Pages (AMP) are cached and served on mobile browsers.

The core of the problem centers on Google’s implementation of a newer web standard it has promoted as Accelerated Mobile Pages (AMP). Launched in late 2015, AMP is designed to serve simpler versions of websites so they can load faster on smartphones, especially over slower data connections and on devices with less powerful microprocessors. To speed things up further, Google preloads cached copies of AMP pages that appear in search results so they can load instantly when clicked, an approach that requires the background loading to use cached pages accessible via Google.com URLs.

Pre-rendered AMP pages built from Google’s system can show the originating domain at the top of the page content area, but the address bar in a mobile web browser nonetheless displays a Google website address. The disclaimer that indicates where the page actually originates can disappear as a user scrolls, while the Google address in the browser remains. The effect has been demonstrated in a video embedded with the reporting.

Critics of AMP said those design choices blur the true URL, restrict how sites can present themselves to readers, and encourage users to stay within Google’s ecosystem. John Gruber, writing shortly after AMP was unveiled, asked: “Why would any website turn their entire mobile audience — a majority share of their total audience, for many sites today — over to Google?” Other technical critics pointed to AMP’s potential for abuse, arguing that because AMP webpages can be accessed through Google addresses, they can appear more credible than random domains or blog platforms such as WordPress.

Those concerns also fed broader criticism from the web publishing industry. Tech journalist Kyle Chayka noted that AMP and Facebook’s competing “Instant Articles” can give junk websites publishing nonsense or conspiracy theories the same kinds of visual features as legitimate news sites, making it harder to separate real reporting from fake.

Cybersecurity researchers and developers also warned that Google’s caching and link behavior created a practical target for cyber-criminals who steal credentials through phishing. A common tactic is to send fake security alerts that look like legitimate company messages and push targets to plausible-looking websites created to capture passwords. Network administrators have increasingly told users not to click on password reset links that lead to different domains. But because AMP uses Google.com addresses for cached content, Gmail users, and people using Google apps for institutional use, can become more vulnerable, as phishers can direct users to malicious sites while still using official-looking “google.com” web addresses.
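As an added example, not code from the article or from Google, the following Python routine shows the kind of link triage a mail gateway or security awareness tool could apply to a password alert like the ones described: it unwraps a Google AMP cache URL to expose the domain it actually serves, flags public shortener links (Bitly is the one the article mentions), and labels every other link by host. The AMP cache path layout it assumes (`google.com/amp/<host>/...` for http origins and `google.com/amp/s/<host>/...` for https origins) is not spelled out in the article, and the trusted-host list, sample email body and `.test` domains are constructed for the example.

```python
import re
from urllib.parse import urlparse, unquote

# Google hostnames that, per the article, serve cached AMP copies.
AMP_VIEWER_HOSTS = {"google.com", "www.google.com"}
# Hosts a genuine Google password alert would normally link to (assumption for this example).
TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "myaccount.google.com"}
# Public URL shorteners hide the destination entirely; Bitly is the one the article names.
SHORTENER_HOSTS = {"bit.ly"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def unwrap_amp_url(url):
    """Return (is_amp_viewer, origin_host) for a URL.

    Assumed AMP cache layout (not stated in the article):
      google.com/amp/<host>/<path>    for an http origin
      google.com/amp/s/<host>/<path>  for an https origin
    For a non-AMP URL the second element is simply the URL's own host.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host not in AMP_VIEWER_HOSTS:
        return False, host
    segments = [s for s in unquote(parsed.path).split("/") if s]
    if not segments or segments[0].lower() != "amp":
        return False, host
    rest = segments[1:]
    if rest and rest[0] == "s":  # "s" marks an https origin in the assumed layout
        rest = rest[1:]
    origin = rest[0].lower() if rest else ""
    return True, origin.split(":")[0]  # drop an explicit port, if any


def classify_link(url):
    """Label a link the way a filter or awareness tool might present it to the user."""
    is_amp, host = unwrap_amp_url(url)
    if is_amp:
        # The address bar would show google.com; surface the real origin instead.
        if host in TRUSTED_LOGIN_HOSTS:
            return "amp-wrapped-trusted"
        return "amp-wrapped:" + (host or "unknown")
    if host in SHORTENER_HOSTS:
        return "shortener"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    return "untrusted:" + host


def triage_email(body):
    """Return a list of (url, verdict) pairs for every link found in an email body."""
    return [(url, classify_link(url)) for url in URL_RE.findall(body)]


# Constructed sample body modelled on the password-alert lure the article describes.
SAMPLE_EMAIL = """Please be aware that it is now easier for an attacker to break into your account.
Change password: https://www.google.com/amp/s/example-security-check.test/reset?u=1
Older style link: https://bit.ly/XXXX
Real settings page: https://myaccount.google.com/security
"""

if __name__ == "__main__":
    for url, verdict in triage_email(SAMPLE_EMAIL):
        print(f"{verdict:45} {url}")
```

The point of the `unwrap_amp_url` step is that the host in the address bar is not the host that served the content, so any “check the domain” rule has to be applied to the unwrapped origin rather than to `google.com`.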

The warning was not subtle in the public discussion around AMP’s design. Web programmer Ray Etornam wrote to Google, describing it as “a serious bug in my opinion,” and filed a report on the software development site Github last November about how fake news publishers could use AMP to gain legitimacy. In response, Christian Gloddy repeatedly tried to warn Google about the security implications, writing: “The most common advice to avoid phishing and scams is ‘check the domain in the address bar.’ Not at the text that might be below the address bar.”

Malte Ubl, the company employee in charge of AMP, pushed back insistently. He argued: “The Google Search viewer clearly attributes the original domain at the top,” and added, “I don’t agree that an unsophisticated user could be fooled by this.” Even so, other participants in the thread remained skeptical. John Pettitt, co-founder of a credit card payment system called CyberSource, wrote: “I think this issue is going to bite Google when least expected and in a very public and negative way.”

When Google defended AMP, hackers tied to a Russian government-linked cyber-criminal group were using the same flaw to try to steal passwords from Gmail users. The hacking team, sometimes referred to as Fancy Bear, Strontium, or APT28, was described as having a legendary reputation even before allegations of participation in a series of cyberattacks against organizations affiliated with the Democratic Party last year. Microsoft executive vice president Terry Myerson said Fancy Bear was responsible for more viruses using previously unknown vulnerabilities than any other hacking confederation.

Thus far, the people known to have been targeted through a Google AMP exploit appear to have been journalists investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government. One target was Aric Toler, a researcher and writer for the website Bellingcat focused on analyzing Russian media and the country’s relationship with far-right groups in Europe and America. He was also part of a Bellingcat investigative team that uncovered evidence that Russian-backed rebels mistakenly shot down Malaysia Airlines Flight 17 over Ukraine in 2014, killing all 298 people on board.

A month before critics began warning about AMP’s security vulnerabilities, Fancy Bear used the flaw to target Toler in two separate fake password-reset messages sent to his personal account. The messages were described as spear-phishing, combining standard phishing techniques with specific personal information gleaned via social media and public mailing lists.

On Oct. 12, 2016, Toler received an email supposedly from Google warning that he had recently changed his security settings to enable older email programs to access his account. The message warned: “Please be aware that it is now easier for an attacker to break into your account.” It invited him to click on a Google AMP URL that redirected to a fake webpage designed to capture his email credentials and transmit them to hackers.

The next day, Toler received another message claiming to be from Google alerting him that “government-backed attackers may be trying to steal your password.” It instructed him to “Change password” by clicking on another Google AMP webpage. The second message appears to have been crafted in response to a tweet Toler published on Oct. 11 reporting that he received a legitimate email from Google warning him about “government-backed attackers.”


Those messages were not sent randomly. They were among 14 emails he received in 2015 and 2016 attempting to extract his account information. The earlier messages used a less-sophisticated fake link, one created using the URL shortener Bitly that many web-savvy users would recognize as something to avoid. As the attacks continued, the phishing methods improved.

Despite the sophistication of the AMP-based approach, the attackers were described as sloppy. They reused a free email account registered to annaablony@mail․com that had been used in several previous operations, including creating a domain used in a phishing attack that the cybersecurity firm ThreatConnect archived in its database of known hacker activities.

ThreatConnect said it analyzed the phishing emails received and identified connections to the Russian threat actor known as FANCY BEAR/APT 28/Sofacy. The company said the emails tried to lure targets to a fake Google login page where they would enter credentials, and that the attackers leveraged both Google’s AMP services and link shortening services to obscure the fact that the page was not a legitimate Google site and to make it look readable on a mobile phone.

Toler and his Bellingcat colleagues did not fall for the AMP attacks. But another journalist who writes frequently about Russia, David Satter, was taken in by a similar AMP phishing message sent via the annaablony@mail․com address.

Shortly after Satter visited the fake website and entered his password, a program hosting the site logged into his Gmail account and downloaded its entire contents. Within three weeks, the perpetrators began posting Satter’s documents online and even altering them to make opponents and critics of Russian President Vladimir Putin look bad.

The episode sharpened AMP critics’ argument that even advanced web users can be fooled by a malicious AMP webpage. John Gruber wrote that “A huge reason that phishing works is that most people just aren’t technically savvy enough to tell a phony-looking URL from a legitimate one,” and added: “But a URL that really is coming from the google.com domain — that’s the sort of link that even a web developer might think looks legit, especially at a glance.”

Google’s project lead, Malte Ubl, was described as publicly dismissive of external developers criticizing AMP. Google said it has “made a number of changes” to its implementation, but would not explain what they were. In a statement before the story was published, Google said AMP links are protected by its “Safe Browsing” technology, without specifying when it was implemented.

After publication, a Google representative said Safe Browsing screening of AMP addresses was implemented in early January of 2017. Under the system described, AMP URLs created via a webpage are first visited by a Google security scanner that attempts to verify whether they have malicious content. “Every AMP page that can be linked to through google.com/amp has at least been ‘visited’ by Google’s system,” a company representative said. If Google has not pre-screened a webpage, an AMP redirect displays a “redirect notice” telling the user that they are being taken to a different address and offering an option to return to the last site visited “If you do not want to visit that page.”

The notice was described as potentially unhelpful for computer novices resetting passwords because it is written in web developer jargon and does not explain that clicking the link could be hazardous.

As the reporting was being researched and contact was made for comment, Ubl blocked public comments on the Github bug report about Google’s AMP implementation. At press time, Google was still serving AMP webpages listed in search results from the Google.com domain.

One example described involved a fake news website claiming Google was suppressing evidence about the existence of the imaginary planet Nibiru. In a February update, Ubl wrote: “More things … will come on Google’s side in the future and we are working with browser vendors to eventually get the origin right.”

Even with assurances, some people in the large web media business were described as becoming nervous. Jason Kint, CEO of a web publishing trade association called Digital Content Next, which counts most U.S.-based television networks, the New York Times, the Washington Post, and other prominent websites as members, said AMP’s security issues were troubling and tied to a broader concern that “consolidation of power and closed standards” are problematic. He added: “The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better.”

The reporting also said the story had been updated to include information about a partial fix to the AMP security issue described in the article.

The pattern that surfaces across the bug warnings and the later attacks is tight: developers objected that the address bar keeps showing “google.com” even as the origin disclaimer can vanish while scrolling, and the phishing campaigns were described as deliberately using Google’s AMP services plus redirect behavior to make malicious pages look readable and legitimate on mobile devices.

By the time Safe Browsing screening for AMP addresses was described as being implemented in early January of 2017, attackers had already used the same AMP-linked flaw in credential theft attempts, including the Oct. 12 and Oct. 13, 2016 messages aimed at Aric Toler and a later AMP phishing incident tied to annaablony@mail․com that led to David Satter’s Gmail contents being downloaded and posted online within three weeks.
