Infamous Russian hacker group Fancy Bear recently exploited a flaw in Google’s AMP internet standard to target journalists investigating the Russian government or people affiliated with it.
Google refused to patch a serious vulnerability in AMP that allows hackers to create malicious sites using “google.com” web addresses.
Google’s Accelerated Mobile Pages (AMP) internet standard was recently designed and launched to optimise traditional websites for smartphones and also to ensure that such websites load faster even if data connections are slow.
According to Salon, to ensure quicker loading, ‘Google preloads copies of AMP pages listed in search results so they can be instantly loaded if they are subsequently clicked. The only way this background loading of pages can be accomplished is to give the cached pages Google.com URLs.’
While this makes browsing more convenient for smartphone users, security experts have, since AMP’s introduction, warned of a particular vulnerability in the feature that could allow hackers to conduct spear phishing attacks on unsuspecting users.
While hackers had limited chances of success by redirecting users to unknown links earlier, AMP offers them the opportunity to target victims with a huge degree of assured success. Thanks to AMP, hackers can now create malicious websites with Google.com domain names, thereby making users believe that the malicious websites are genuine ones.
How could Fancy Bear, a Russian hacker group with a reputation for exploiting vulnerabilities to conduct phishing attacks, let go of this opportunity?
Fancy Bear decided to exploit the AMP vulnerability to target a group of journalists ‘who were investigating allegations of corruption or other wrongdoing by people affiliated with the Russian government’, said Salon.
Hackers belonging to the group targeted Aric Toler, an investigative journalist, as well as several of his colleagues with fake password-reset messages sent to their personal accounts.They were asked to click on Google AMP URLs to reset their passwords in order to save themselves from hacking attempts. These AMP URLs redirected to fake websites designed to steal credentials from unsuspecting visitors.
While Toler and his colleagues did not fall for the phishing scam, another journalist named David Satter, who also covered topics related to Russia, fell victim to the scam. Once he received a password reset email, he clicked on the accompanying Google AMP URL and was redirected to a website which stole his credentials. Soon afterward, a malicious program logged into his personal account and downloaded all its contents. A number of Satter’s documents were later published online and even altered by hackers to defame Putin’s opponents.
“A huge reason that phishing works is that most people just aren’t technically savvy enough to tell a phony-looking URL from a legitimate one. But a URL that really is coming from the google.com domain — that’s the sort of link that even a web developer might think looks legit, especially at a glance,” said John Gruber, a software developer.
Despite Fancy Bear successfully exploiting the AMP vulnerability, Google has done little to assure critics and developers that it is serious about fixing the issue. The company says that it is protecting AMP URLs with ‘Safe Browsing’ technology, but the same keeps an eye on multiple login attempts or mass reports and will not stop low-scale phishing scams.
While Google has promised to do more, critics are urging the company to delink AMP from its own interests and to make the platform a facilitator for the Open Web by showing original domain names instead of Google AMP URLs. This way, hackers will not be able to use the Google URL to scam users, and domain owners will also get recognition for the content that they publish.
“This report of an ongoing security issue is troubling and exactly why consolidation of power and closed standards are problematic. The sooner AMP migrates to the open web and becomes less tied to the interests of Google, in every way the better,” said Jason Kint, CEO of a web publishing trade association, to Salon.