Beware! Google AMP's use in phishing campaigns is on the rise
Security researchers at Cofense have noticed a rise in phishing campaigns that use Google's AMP technology to gain trust and evade detection.
Google describes AMP as a "web component framework to easily create user-first experiences for the web". Broken down to its core, AMP is designed to improve the performance of webpages, mostly on mobile, by limiting elements on these pages.
AMP, which stands for Accelerated Mobile Pages, has faced criticism since its introduction in 2015. Critics argue that AMP is another grab for power and control by Google.
Cofense explains in a blog post on its website that threat actors have started to use Google AMP in phishing campaigns. The company observed an increase in the use of Google AMP domains for phishing purposes in May 2023.
One of Google AMP's features is that URLs are hosted initially on Google domains. The threat actors use the two domains https://www.google.com/amp/s/ and https://www.google.co.uk/amp/s/ to evade detection and increase trust.
A typical AMP URL has the following form: https://www.google.com/amp/s/example.com/path, where example.com/path is the page that is actually loaded.
Many Internet users know that they should look at the domain name of a link before clicking on it. Those who are unaware of AMP may assume that the link is legitimate, as it is seemingly hosted by Google, one of the major Internet companies.
The campaign that Cofense discovered targets email login credentials, especially those of enterprise-level employees. The initial campaign used the google.com AMP domain, but the attackers switched to using google.co.uk in mid-June. Approximately 77 percent of all URLs used in the phishing campaign were hosted on google.com and approximately 23 percent on google.co.uk.
The weekly volume of the attacks was highest in the weeks ending May 29th and July 10th, according to Cofense data.
The threat actors are also making use of image-based phishing emails. Unlike traditional phishing emails, which use links in text, image-based phishing emails use image links. These work well if clients allow HTML, as this is a requirement for image links to work in emails.
Image-based phishing emails make the detection difficult as they add "noise within the email's headers" and may obfuscate "security solutions that involve scanning email text" according to the researchers.
For Internet users, it is important to understand that AMP links begin with a trusted Google domain while the real destination sits further along the path. While security software may block known phishing URLs, it is easy enough to create more using Google AMP or similar tools.
A quick but thorough inspection of the entire link is all that is required to detect the actual web address. An even easier option may be to distrust emails that contain Google links if these do not come from Google or a trusted contact. Even then, it may still be best to check the full URL just to be on the safe side.
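The two points above, the AMP URL layout and the advice to check the full link, can be turned into a small triage helper. The following is an added example, not code from the article, from Cofense or from Google. It assumes the viewer layout shown above (https://www.google.com/amp/s/host/path, with google.co.uk handled the same way) and additionally assumes that a /amp/ path without the "s/" segment refers to a plain-http origin; the viewer host list, the sample links and the trusted-host list are constructed for the demonstration.

```python
"""Unwrap Google AMP viewer links to the destination they really load.

Added illustration for the article; not Cofense's or Google's code.
"""
from typing import List, Optional, Set, Tuple
from urllib.parse import urlsplit, unquote

# Viewer hosts named in the article. Assumption: other Google country
# domains would be added here the same way.
AMP_VIEWER_HOSTS = {"www.google.com", "google.com", "www.google.co.uk", "google.co.uk"}
AMP_PATH_PREFIX = "/amp/"


def unwrap_amp_url(url: str) -> Optional[str]:
    """Return the destination URL hidden behind a Google AMP viewer link.

    Returns None when `url` is not an AMP viewer link, so the caller can
    inspect the URL as-is instead.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if host not in AMP_VIEWER_HOSTS or not parts.path.startswith(AMP_PATH_PREFIX):
        return None
    rest = parts.path[len(AMP_PATH_PREFIX):]
    if rest.startswith("s/"):
        scheme, rest = "https", rest[2:]      # "s/" marks an https origin
    else:
        scheme = "http"                       # assumption: no "s/" means http
    rest = unquote(rest)                      # percent-encoded slashes etc.
    if not rest:
        return None
    dest = f"{scheme}://{rest}"
    if parts.query:                           # keep the query so the full target is visible
        dest += "?" + parts.query
    return dest


def destination_host(url: str) -> str:
    """Host the user would actually reach: the unwrapped one for AMP links."""
    target = unwrap_amp_url(url) or url
    return (urlsplit(target).hostname or "").lower()


def triage_links(urls: List[str], trusted_hosts: Set[str]) -> List[Tuple[str, str, bool]]:
    """For each link, report (link, real destination host, flagged).

    A link is flagged when it is AMP-wrapped and its real destination is
    not on the trusted list, which is the case the article warns about.
    """
    report = []
    for u in urls:
        wrapped = unwrap_amp_url(u) is not None
        host = destination_host(u)
        report.append((u, host, wrapped and host not in trusted_hosts))
    return report


# Constructed sample links as they might appear in an email body.
SAMPLE_LINKS = [
    "https://www.google.com/amp/s/login-portal.example/verify?user=alice",
    "https://www.google.co.uk/amp/s/intranet.example.org/sso",
    "https://www.google.com/search?q=amp",
    "https://docs.example.org/report",
]
TRUSTED_HOSTS = {"intranet.example.org", "docs.example.org"}

if __name__ == "__main__":
    for link, host, flagged in triage_links(SAMPLE_LINKS, TRUSTED_HOSTS):
        print(f"{'FLAG ' if flagged else 'ok   '} {host:<28} {link}")
```

Run as a script, the first link is flagged because its real destination, login-portal.example, is neither Google nor a trusted host; the google.co.uk link unwraps to a trusted intranet host and passes; the plain Google search link is not an AMP viewer link and is reported under its own host.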