A phishing attack leveraged Google's URL shortener, g.co, to mask malicious links. The attacker sent emails that appeared to come from a legitimate source and contained a g.co short link, which redirected to a fake Google login page built to harvest credentials. Because the visible link showed g.co, it drew less suspicion and lent the message a false sense of legitimacy, making the lure more effective. The post highlights the danger of trusting shortened URLs, even those from reputable services, and stresses the importance of checking where a link actually leads before clicking.
This GitHub Gist details a phishing attack that trades on the perceived trustworthiness of Google's URL shortening service, g.co. The attacker crafts a URL that looks legitimate at a glance because it contains "g.co", while the rest of it exploits the way browsers display Unicode characters in domain names: a homograph attack, in which distinct code points render as the same glyph.
The core of the deception is Unicode: different code points that render alike. The Gist names U+0300, COMBINING GRAVE ACCENT, a mark that attaches to the character before it, and the Cyrillic small letter о (U+043E), which in most fonts is indistinguishable from the Latin o (U+006F) that appears in the real domain name. The attacker builds a domain in which a Latin o followed by the combining accent stands in for the letter the user expects to see. Visually similar or not, these are distinct code points, so the browser resolves a different hostname. One caveat for anyone reproducing this: a combining grave accent normally renders as a visible mark above its base letter, so whether that particular substitution passes depends on the font and rendering path, whereas a bare Cyrillic о is a convincing lookalike in nearly any font.
The phishing URL begins with the legitimate "g.co" prefix, followed by a slash and then the deceptive domain. A user who recognises g.co will assume the characters after it are just the path of a shortened Google link. The substituted characters make the target domain look identical to a Google domain while resolving, as far as DNS and the browser are concerned, to an entirely different name under the attacker's control, where a site disguised as a Google service is waiting. The practical check is the hostname the browser actually connects to after the redirect: in its IDNA (punycode) form any non-ASCII lookalike surfaces as an "xn--" label, which no amount of staring at the rendered text will reveal.
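The lookalike mechanism described above can be checked mechanically rather than by eye. The following is an added example written for this page (it is not code from the Gist, from Google, or from any commenter) and uses only the Python standard library. It extracts the hostname from a URL, lists every non-ASCII code point with its Unicode name, flags mixed scripts and combining marks, and prints the IDNA ("xn--") form that DNS actually sees. The sample URLs in main() are constructed for illustration, not the URLs from the reported attack; note that the g.co/... sample is flagged "ok" because its hostname genuinely is g.co, which is exactly why the check has to be run on the redirect target, not on the short link.

```python
"""Inspect the hostname of a URL for Unicode lookalike (homograph) tricks.

Added example for this page; it is not code from the Gist, from Google or
from any commenter.  Standard library only.  The sample URLs in main() are
constructed for illustration and are not the URLs from the reported attack.
"""
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """Coarse script label taken from the character's Unicode name
    (e.g. 'LATIN', 'CYRILLIC').  Good enough to flag mixed-script labels."""
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def inspect_hostname(url: str) -> dict:
    """Report what the browser would actually connect to for this URL.

    The rendered text is what the user sees; the IDNA ("xn--") form is what
    DNS sees.  Any non-ASCII letter, combining mark or mixture of scripts in
    a hostname is flagged, because well-known brand domains are plain ASCII.
    """
    host = urlsplit(url).hostname or ""          # urlsplit lower-cases it
    try:
        ascii_form = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None                        # IDNA rejected the label
    non_ascii = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"))
                 for ch in host if ord(ch) > 0x7F]
    scripts = sorted({script_of(ch) for ch in host if ch.isalpha()})
    combining = sum(1 for ch in host if unicodedata.combining(ch))
    return {
        "host": host,
        "ascii_form": ascii_form,
        "non_ascii": non_ascii,
        "scripts": scripts,
        "combining_marks": combining,
        "suspicious": bool(non_ascii) or len(scripts) > 1 or combining > 0,
    }


def main() -> None:
    # Constructed samples: a genuine Google host, two lookalikes, and a
    # lookalike hidden in the *path* of a genuine g.co link.
    samples = [
        "https://accounts.google.com/signin",          # genuine, all ASCII
        "https://g\u043e\u043egle.com/signin",          # Cyrillic о (U+043E) twice
        "https://go\u0300ogle.com/signin",              # Latin o + U+0300 combining grave
        "https://g.co/g\u043e\u043egle.com/signin",     # host is really g.co
    ]
    for url in samples:
        r = inspect_hostname(url)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} host={r['host']!r} idna={r['ascii_form']!r} "
              f"scripts={r['scripts']} combining={r['combining_marks']}")
        for _ch, cp, name in r["non_ascii"]:
            print(f"           {cp} {name}")


if __name__ == "__main__":
    main()
```

The script-detection here is deliberately coarse (it keys off the first word of the Unicode character name), which is enough to catch the Latin/Cyrillic mix the Gist describes; a production filter would use the Unicode Scripts property and the confusables data that browsers themselves consult before deciding whether to display an IDN as Unicode or as punycode.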
The attacker can strengthen the deception further by serving the malicious domain over HTTPS with a valid TLS certificate. Users are accustomed to equating the padlock with a trustworthy site, but a certificate for a lookalike domain is trivial to obtain (publicly trusted CAs issue domain-validated certificates to whoever controls the name) and attests only that the connection to that domain is encrypted, not that the domain belongs to Google.
The Gist emphasizes how insidious the attack is: it defeats ordinary user vigilance by exploiting the trust placed in shortened URLs, especially ones associated with a reputable service like Google, and the character substitutions are all but impossible to spot by eye, so even careful users can be fooled. The author underscores the severity by noting that a user who mistakes the fraudulent site for a genuine Google service and signs in hands over account credentials and whatever sensitive information they protect.
Summary of Comments (76)
https://news.ycombinator.com/item?id=42810252
HN users discuss a sophisticated phishing attack using g.co shortened URLs. Several express concern at Google's apparent inaction despite reports. Some suggest remedies such as automatically blocking known malicious short URLs or requiring explicit user confirmation before redirecting; others question whether such measures are practical at the scale of Google's services. The weakness of URL shorteners in general is highlighted, with some arguing they should be avoided entirely because of the risk they carry. The discussion also touches on the user's role in security, advocating caution and skepticism toward shortened URLs. Some users mention having been targeted by this attack, along with the frustration of banks accepting screenshots of g.co links as proof of payment. The conversation brings out the ongoing tension between convenience and security, and the difficulty of fully mitigating phishing risk.
The Hacker News thread on the g.co phishing attack has a large number of comments exploring various facets of the issue. Several commenters express surprise and concern that Google's own URL shortener was leveraged in the attack, pointing out the irony and the potential erosion of trust. Some discuss the likely mechanics, including the use of Unicode characters to create lookalike domains or the abuse of open redirects.
A recurring theme is the difficulty in identifying phishing attempts, especially with shortened URLs. Commenters debate the responsibility of URL shorteners in preventing such abuse and whether Google should implement stricter validation or warning systems for g.co links. Some suggest alternative approaches, such as displaying the full target URL on hover or requiring explicit user confirmation before redirecting.
Several users share their personal experiences with similar phishing attacks, emphasizing the increasing sophistication of these schemes. Some discuss the limitations of current security measures, including email filters and browser protections, and the need for greater user education and awareness. The role of two-factor authentication is also discussed, with some arguing that it would have mitigated the effectiveness of this specific attack.
A few commenters dive into the legal and ethical implications of using g.co for phishing, questioning Google's liability and potential responses to the issue. They also explore the broader implications for URL shorteners and the challenges in balancing usability with security. Some express skepticism about the long-term viability of URL shortening services in light of these security concerns.
A smaller subset of the comments offer technical advice on how to identify and avoid phishing attempts, including checking the full URL, being wary of suspicious emails, and enabling stronger security settings. There's also some discussion of the potential for browser extensions or other tools to help users identify potentially malicious shortened URLs.
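Several of the suggestions summarised above (show the full target URL on hover, check the full URL before clicking, build a tool that previews shortened links) come down to one operation: resolving a short link without visiting its destination. The following added example, written for this page and not code from the Gist, from Google or from any commenter, does that with the Python standard library. It issues HEAD requests and refuses to follow redirects automatically, so each hop's Location header is recorded and nothing from the landing page is downloaded or executed. redirect_target is kept as a pure function so the parsing can be checked offline on a constructed response; expand is the network wrapper. All hostnames in the block are constructed placeholders.

```python
"""Expand a shortened link hop by hop without visiting its destination.

Added example for this page; not code from the Gist, from Google or from
any commenter.  Standard library only.  The URLs under __main__ are
constructed placeholders, not real short links.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses.  Returning None here makes
    the opener raise HTTPError, handing the raw response back to us."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def redirect_target(status: int, headers, base_url: str):
    """Absolute URL a redirect response points at, or None if it is not a
    redirect.  Location may be relative (RFC 7231 permits it), so it is
    resolved against the URL that was requested.  Pure function: works on
    a constructed response with no network.  `headers` is any mapping with
    items(), e.g. a dict or the HTTPMessage urllib attaches to an HTTPError."""
    if status not in REDIRECT_CODES:
        return None
    location = None
    for key, value in headers.items():
        if key.lower() == "location":
            location = value
            break
    if not location:
        return None
    return urljoin(base_url, location)


def expand(url: str, max_hops: int = 5) -> list:
    """Return the chain of URLs a short link leads through, ending at the
    first non-redirect response or after max_hops.  Each hop is a HEAD
    request and the final page body is never fetched, so the landing page's
    scripts do not run on the analyst's machine."""
    opener = urllib.request.build_opener(NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            with opener.open(req, timeout=10):
                return chain                    # 2xx: final destination reached
        except urllib.error.HTTPError as err:
            nxt = redirect_target(err.code, err.headers, chain[-1])
            if nxt is None:                     # 4xx/5xx, or a 3xx with no Location
                return chain
            chain.append(nxt)
    return chain                                # gave up: too many hops


if __name__ == "__main__":
    # Constructed responses, as a mail gateway or link-preview tool would see them.
    print(redirect_target(302, {"Location": "https://accounts-google.example/signin"},
                          "https://g.co/abc123"))
    print(redirect_target(301, {"Location": "/landing"}, "https://g.co/abc123"))
```

The last element of the chain returned by expand is the hostname worth scrutinising; a shortener that answers with a 2xx and a JavaScript or meta-refresh redirect instead of a Location header will stop this resolver at the shortener itself, which is a limitation to keep in mind when the chain looks suspiciously short.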
Finally, a few commenters offer more cynical perspectives, suggesting that such attacks are inevitable and that users should ultimately be responsible for their own security. Some express resignation to the constant threat of phishing and the difficulty in completely eradicating such scams.