Phishing campaigns are using Google AMP URLs to avoid detection

Summary

• AMP is an open-source HTML framework that makes web content load faster on mobile devices.
• Researchers have found a new phishing tactic that uses Google AMP to make URLs look trustworthy.
• The tactic involves using the URL of a web page cached by the Google AMP Viewer. This URL looks similar to the original URL, but it is actually served from the google.com domain.
• This gives the malicious website the legitimacy of the google.com domain, which can trick users into entering their personal information.
• The researchers found that the Google AMP URLs have proven to be very successful at reaching users, even in environments protected by secure email gateways.
• Along with using Google AMP URLs, the researchers also saw other techniques being used in phishing attacks, such as open redirects on trusted domains, chains of redirects linking the AMP URL to the malicious site, image-based phishing emails, and CAPTCHA services to disrupt automated analysis.
• To avoid phishing attacks, it is important to not take things at face value for messages requiring urgent attention. It is also important to use a phishing-resistant password manager and a FIDO2 2FA device.