
Google AMP Exploited in Phishing Attacks Targeting Enterprise Users

Explore the exploitation of Google AMP in phishing attacks, its impact on enterprises, and how Keepnet's Redirect URL Analyzer detects and mitigates these threats effectively

Google AMP Exploited in Phishing: Detect and Mitigate with Redirect URL Detection feature on Keepnet's Incident Responder

In 2024, phishing attacks accounted for over 36% of all data breaches globally, with sophisticated methods increasingly bypassing traditional security systems. One such tactic involves exploiting Google AMP (Accelerated Mobile Pages) to cloak malicious URLs under trusted Google domains, targeting enterprise users. In a notable incident, a multinational company suffered a breach via an AMP-based phishing attack, resulting in significant financial and reputational damage.

In this blog, we'll delve into how attackers exploit Google AMP, why these attacks are so effective, their challenges, and how to mitigate the risks with Keepnet's Redirect URL Analyzer.

What is Google AMP?

Google AMP is a framework designed to improve mobile web performance by hosting content on Google's servers. It enables faster page loading times by delivering streamlined versions of web pages, often used by publishers and enterprises to enhance user experience.

While beneficial for legitimate purposes, attackers leverage Google AMP's trusted infrastructure to bypass security measures, making it a prime target for exploitation.

How Attackers Exploit Google AMP in Phishing Campaigns

Google Accelerated Mobile Pages (AMP) is designed to enhance user experience by providing fast-loading mobile pages. However, cybercriminals exploit this feature to mask malicious URLs, making phishing campaigns appear more legitimate and helping them bypass security filters.

Attackers disguise malicious links using Google AMP URLs, which often include "google.com" in their structure. When clicked, these links redirect victims to phishing pages while appearing credible due to the trusted Google domain.

For example, in 2024, a phishing campaign targeted employees of a large financial institution using Google AMP links. The attackers created fake login pages that mimicked the company's internal systems. Once employees entered their credentials, the attackers gained access to sensitive financial data, resulting in a significant breach.

Visit this link to see how you will be redirected to our website through Google’s AMP redirection process.

Enhancing the Credibility of Phishing Pages

Phishing pages hosted on Google AMP domains inherit Google's SSL certificate, lending an additional layer of trust. This tactic significantly reduces skepticism among users, increasing the likelihood of successful credential harvesting.

Why Google AMP Phishing Attacks are Effective

Google AMP phishing attacks are effective because they leverage Google's trusted domain, making malicious URLs appear legitimate to users and security systems.

1. Bypassing Traditional Security Measures

Traditional email security tools often fail to flag Google AMP links as malicious, given their association with legitimate Google infrastructure. This enables attackers to infiltrate even well-guarded systems.

In the example below, the malicious link is detected as malicious or phishing when scanned directly on VirusTotal. When the same link is wrapped in a Google AMP URL, none of the security solutions marked the URL as malicious.

Picture 1: Malicious URL with Google AMP URL Scanned on VirusTotal

Picture 2: Malicious URL Scanned on VirusTotal

Picture 3: Malicious URL Visited with Google’s AMP URL

2. Leveraging Trust in Google Infrastructure

Users are conditioned to trust Google domains, making them more likely to click AMP links without suspicion. This inherent trust is a cornerstone of Google AMP phishing success.

The malicious link is categorized on FortiGuard as "Search Engine & Portal" because the URL's leading domain is google.com rather than the final destination.
Picture 4: Keepnet SMS Phishing Simulation Scenario

Challenges in Detecting Google AMP Exploitation

1. Difficulty in Identifying Malicious Intent

Google AMP URLs often redirect multiple times, making it difficult to identify the final malicious destination without sophisticated analysis tools. This allows attackers to obscure their intent effectively.

  • Region-based restriction: the redirector only forwards visitors from targeted locations to the phishing page.
  • User-agent control: the redirect is served only to specific user agents, so scanners with other user agents see nothing suspicious.
  • Sandbox detection: the redirector identifies sandbox products and redirects them elsewhere.
  • JavaScript challenges: advanced client-side techniques are used to evade detection.

2. Limitations of Conventional Security Tools

Standard URL analysis tools often lack the capability to trace complex redirect flows, leaving organizations vulnerable to attacks leveraging AMP exploitation. The examples below show why conventional security tools often fail to detect every URL in a redirection chain.

  • HTTP redirect URLs can be used to obscure malicious redirection without detection.
  • Embedded URLs within links often evade detection during routine analysis.
  • Meta Refresh redirects in page sources remain unidentified without advanced inspection tools.
  • JavaScript-based redirection requires sophisticated emulation to detect.
  • JavaScript execution often demands robust sandbox environments to ensure secure analysis, which many tools lack.
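To make the redirect-chain problem concrete, here is an added example (not Keepnet's code or the AMP project's) that unwraps a google.com/amp/s/<host>/<path> wrapper URL and then walks HTTP Location redirects and meta-refresh redirects, flagging a JavaScript redirect it can only spot statically. It assumes that wrapper shape for AMP links and uses a constructed, offline sample of responses; the fetch function is injected so the same walker can be pointed at a real HTTP client.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed AMP wrapper shape used in phishing: https://www.google.com/amp/s/<host>/<path> ("s/" = https origin)
AMP_HOSTS = {"www.google.com", "google.com"}
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)', re.I)
JS_REDIRECT = re.compile(r'(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)', re.I)

def unwrap_amp(url):
    """Return the origin URL hidden inside a google.com/amp/s/<host>/<path> wrapper, or None."""
    p = urlparse(url)
    if p.netloc.lower() in AMP_HOSTS and p.path.startswith("/amp/s/"):
        return "https://" + unquote(p.path[len("/amp/s/"):])
    return None

def follow_chain(url, fetch, max_hops=10):
    """Walk a redirect chain; fetch(url) -> (status, headers, body) is injected so this runs offline.
    Returns [(url, how_it_redirected), ...]; JS redirects are flagged, not executed."""
    hops, seen = [], set()
    while url not in seen and len(hops) < max_hops:   # stop on loops and runaway chains
        seen.add(url)
        if origin := unwrap_amp(url):                 # AMP wrapper: unwrap without a request
            how, nxt = "amp-wrapper", origin
        else:
            status, headers, body = fetch(url)
            location = {k.lower(): v for k, v in headers.items()}.get("location")
            if 300 <= status < 400 and location:      # HTTP redirect via Location header
                how, nxt = f"http-{status}", location
            elif m := META_REFRESH.search(body):      # <meta http-equiv="refresh"> in the page source
                how, nxt = "meta-refresh", m.group(1)
            elif JS_REDIRECT.search(body):            # JS redirect seen statically; needs emulation to resolve
                how, nxt = "js-redirect-needs-emulation", None
            else:
                how, nxt = "final", None
        hops.append((url, how))
        if nxt is None:
            break
        url = nxt
    return hops

# Constructed offline sample chain (not real sites): AMP wrapper -> 302 -> meta refresh -> landing page.
SAMPLE_SITE = {
    "https://redirector.example/go": (302, {"Location": "https://lander.example/"}, ""),
    "https://lander.example/": (200, {}, '<meta http-equiv="refresh" content="0;url=https://final.example/login">'),
    "https://final.example/login": (200, {}, "<html>login form</html>"),
    "https://js.example/": (200, {}, '<script>window.location.href="https://final.example/login";</script>'),
}
def sample_fetch(url):
    return SAMPLE_SITE.get(url, (404, {}, ""))
```

Running `follow_chain("https://www.google.com/amp/s/redirector.example/go", sample_fetch)` yields four hops ending at the landing page, while the js.example entry stops with a "needs emulation" flag, which is exactly the gap the list above describes.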

Analyze Phishing URL with Keepnet Incident Responder

Analyzing phishing URLs can be complex due to sophisticated obfuscation techniques used by attackers. Keepnet Incident Responder simplifies this process with advanced tools designed to detect hidden threats in redirect flows. Below, we will demonstrate a real-world phishing URL analysis using Keepnet Incident Responder, showcasing how it identifies and mitigates risks effectively.

Example of a Phishing URL Scan

Using the tool available at Free Phishing Analysis, you can analyze URLs and their redirect chains. The screenshot below illustrates an actual scan process, highlighting how the tool tracks and evaluates each redirection to uncover potential threats.

Picture 5: Phishing Analysis with URL redirection detect feature

Mitigation and Prevention Strategies for Google AMP Phishing Campaigns

1. Security Awareness Training for Employees

Educating employees about the risks of clicking on links, even those appearing to originate from trusted domains, is essential. Comprehensive security awareness training can reduce human errors significantly.

2. Deploying Advanced Threat Detection Tools

Organizations need advanced tools capable of analyzing entire redirect flows. Keepnet Labs' Redirect URL Analyzer provides a cutting-edge solution by inspecting every URL in a redirect chain to identify malicious content.

How Keepnet's Incident Responder Works:

  • Comprehensive Redirect Flow Analysis: Keepnet Incident Responder starts when a user reports an email using the Phishing Reporter button. The tool extracts URLs, attachments, and sender IP addresses from the email.
  • Real-Time Threat Identification: It then communicates with analysis engines like VirusTotal, FortiSandbox, and ANY.RUN to gather intelligence. Additionally, with its redirect URL detection feature, it checks all URLs in the redirection chain, ensuring that no malicious link is overlooked.
  • Seamless Integration: The insights from these analyses are integrated into existing security systems, significantly improving their effectiveness against sophisticated phishing attacks.

Using Keepnet’s Incident Responder, enterprises can stay ahead of attackers exploiting Google AMP, securing their digital environments effectively.
