web application security lab

Phishing Through Google (Yet Again)

This isn’t new, but a few different people sent me a link to how Google is yet again being used for phishing. Don’t trust those Google links! I hate to say I told you so but when Google fixed that one single redirect hole and left the dozens of others in place I warned that this might happen.

When you leave one redirect hole in place it doesn’t matter that you closed another one. It’s a mild annoyance at best to a phisher. So this will continue to be a problem until they are all fixed. People will continue to click on those links and the anti-phishing software will continue to be unable to blacklist them, because Google doesn’t like to be blacklisted. Google is plenty happy to warn people not to click on other sites that may contain malware, though (sense some hypocrisy there?).

I’m hoping their executive management wakes up and smells the coffee. It’s something I’ve been saying for over a year now, and we are no closer to having it solved. Worse yet, it’s screwing over the consumers!

12 Responses to “Phishing Through Google (Yet Again)”

  1. bobloblaw Says:

    Every search result link is redirected:
    http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fha.ckers.org%2F&ei=zqJQRvHgFZ-GhQPPi-WkDQ&usg=AFrqEzcjsCiPQEw_tyAATI7KIu2aBWZmxw&sig2=-KqsQPZdMYfEzFz_8Qu57g

    Open redirectors make this marginally easier. Congratulations for noticing this. Here’s a biscuit.

    Abuse of open redirectors is just a symptom of the disease. As long as users can easily be tricked into giving up their login details, you’re fighting a losing battle.

    I think it is more worthwhile to work on the user UI, authentication, and credential management side. There are a lot of really interesting ideas out there that I think have the potential to prevent people from getting phished in the first place.

  2. RSnake Says:

    I am sensing some sarcasm. Why is it that people who have anything vaguely negative to say (while ironically agreeing with me) fail to tell us who they are? Is it because they know they will get flamed by people who know 100x what they could ever hope to know on the topic? That’s my running theory, and I have yet to be proven wrong. Feel free to try though. I always get the self proclaimed experts coming out of the woodwork whenever I talk about redirectors. Let’s hear your obviously original and completely ingenious approach. I am ready to be astonished by your intellect.

    Redirects don’t make it marginally easier. It has nothing to do with ease. In fact, it makes it marginally harder because they have to find and rely on the redirector not breaking. It does, however, make the fraud systems that rely on white/blacklisting fall down (the really interesting ideas you mentioned). They cannot mark Google as a phishing site, nor can they even visit the site, because the site has been marked as “not a phishing site” even though you CAN put a phishing site on Google’s properties. Yes, all of these systems could be dramatically enhanced, but in lieu of that, let’s talk about where we are, shall we?

    Google is trusted not just by the people clicking on the links but also by the fraud systems - even though they shouldn’t be trusted by either. The losing battle that you are talking about only applies to a handful of sites that are white listed. And if you don’t want to fight the symptoms why bother taking down phishing sites at all? What was I thinking? I’m glad people like you are here to set me straight.

    Yes, there are other systems that can help, but if they have this same flaw that they trust Google (which obviously they shouldn’t) it pretty much renders them useless. Yes, you could code it out of the systems but that then means that they are manual and no longer programmatic.

    I’m not quite sure what you meant “noticing” as other people sent it to me, it wasn’t my find, although I appear to be one of the very few people who get why it’s a problem worth talking about (other than the phishers, that is). So no biscuit required. Please get a clue and come back when you realize you aren’t talking to a newb, kthanks.

  3. Ronald van den Heetkamp Says:

    Robert, why is this left open by Google? And correct me if I’m wrong, but isn’t this easy to patch by just only allowing *.google.* domains?

  4. RSnake Says:

    Ronald - what you’re referring to is a white list approach, which will work, but you couldn’t just do *.google.* (not just because that regex is flawed, but…) because it would break the functionality desired by the reason they built it in the first place. They built a redirector so they could track you using their site. That unnecessary business function requires that the user be able to go anywhere on the web that Google links to so they can watch what you do. But yes, the basic premise would work as long as they white listed every site, or built a secure hashing function to make sure it was intended to be linked to.

  5. bobloblaw Says:

    My apologies if my tone and tenor implied you were a “newb” rather than a published security visionary.

    Every single search result displayed by Google, Yahoo, and Ask.com is a redirected URL. Even if they all shut down every open redirector tomorrow, it ultimately would not make a difference.

    A phisher just needs to get a site indexed to obtain a redirected URL originating from google.com, ask.com, or yahoo.com. Those search engines use redirected URLs in their search results in order to collect click-through data. Obviously, which search results people click on is useful in determining which search results are relevant to a query.

    Of course, you must already know this, because as you said, you know 100x more than I do about the topic. I’m sure the executive management of the three major search engines will eventually “wake up and smell the coffee” due to your dedicated vigilance on the issue.

  6. RSnake Says:

    Uhh… I don’t follow your logic. If we closed down all the redirectors today how would that not make a difference? Maybe it wouldn’t make a difference in the number of phishing sites (as that has an inverse relationship with the effectiveness of the sites anyway) but it does provide value.

    Yes, it’s clear why Google uses redirectors, it just provides no value to consumers as there are other (safer) ways to do the same thing that would still provide the same indirect value to consumers by allowing Google to track the user’s actions (I’ll defer to the usefulness that a consumer derives from having every click tracked). That can be mitigated by hashes or by white lists as previously mentioned in the comments above and elsewhere on the site. Since Google doesn’t do that, it continues to be open.

    Yes, I did know all of this (also as mentioned above). And again, I can’t tell if that last comment is sarcasm, but as a matter of fact it has made a difference to talk about this (or the one redirector would still be open). As they have admitted that this is a hole (by fixing it) they now assume the responsibility of fixing the rest of them - lest not solving 95% of the problems in failing to do so.

    And your logic in getting themselves indexed is pretty flawed too, as that requires the user to search for whatever is found in the phishing site and then click on it manually. If you’re referring to the redirect in Feeling Lucky - yes, I agree and that proves my point - otherwise, user required actions make it far less effective as phishing attack.

    Just because you don’t understand why it’s a problem doesn’t make it not a problem. Ask yourself why phishers are using it if it isn’t helpful to them. What could the people who actually make money off this attack (and I) possibly know that you don’t?

  7. Kishor Says:

    Maybe I’m getting it wrong, but what this guy means to say is that the following link wouldn’t work because it’s not indexed by Google
    http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Funknown.com%2F&ei=zqJQRvHgFZ-GhQPPi-WkDQ&usg=AFrqEzcjsCiPQEw_tyAATI7KIu2aBWZmxw&sig2=-KqsQPZdMYfEzFz_8Qu57g

    but this will work
    http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fwww.google.com%2F&ei=zqJQRvHgFZ-GhQPPi-WkDQ&usg=AFrqEzcjsCiPQEw_tyAATI7KIu2aBWZmxw&sig2=-KqsQPZdMYfEzFz_8Qu57g

    So this gives me a feeling that Google has a whitelist (everything that’s indexed by it). But I agree that these holes are to be fixed as getting yourself indexed is not a big deal.

    Right bobloblaw ?

    RSnake, I don’t get this,
    “and your logic in getting themselves indexed is pretty flawed too, as that requires the user to search for whatever is found in the phishing site and then click on it manually”

  8. bobloblaw Says:

    “And your logic in getting themselves indexed is pretty flawed too, as that requires the user to search for whatever is found in the phishing site and then click on it manually.”

    This is incorrect. There is no need to have the user search for anything. This is just a plain ol’ phishing attack with links you can pass around in regular email. Here’s how it works:

    1. Get an innocuous site indexed.
    2. Search for your site. Copy the redirected link in the search result. For example:
    http://www.google.com/url?sa=t&ct=res&cd=1&url=http%3A%2F%2Fha.ckers.org%2F&ei=zqJQRvHgFZ-GhQPPi-WkDQ&usg=AFrqEzcjsCiPQEw_tyAATI7KIu2aBWZmxw&sig2=-KqsQPZdMYfEzFz_8Qu57g
    http://wzus.ask.com/r?t=p&d=us&s=a&c=a&l=dir&o=333&ld=3153&sv=0a30051a&ip=43a40c1a&id=2626D30C34846F388036877F91E8BCA1&q=ha.ckers.org&p=1&qs=0&ac=24&g=181fHd41%lORMH&en=te&io=0&ep=&eo=&b=alg&bc=&br=&tp=d&ec=10&pt=ha.ckers.org%20web%20application%20security%20lab&ex=&url=&u=http://ha.ckers.org/
    http://rds.yahoo.com/_ylt=A0oGkjF7MVFG4nEA77FXNyoA;_ylu=X3oDMTFkNWhsaWwzBGNvbG8DdwRsA1dTMQRwb3MDMQRxdANkcQRzZWMDc3IEdnRpZANGODYxXzEyMQ–/SIG=118i08rbr/EXP=1179812603/**http%3a//ha.ckers.org/
    3. Replace your innocuous content with a phishing site. Add “noindex” and “nofollow” meta tags for shits and giggles.
    4. Carry out a plain ol’ phishing attack with original link. No need to have the user search for anything.

    Signing the URL doesn’t help you here. The search engines will sign URLs to whatever they index, since up to the point where you swap in the phishing content, everything is kosher.

    Generating dynamic, one-time redirect links in search results doesn’t help either. Users cut and paste search results all the time and legitimately send them in email. That would break if a search engine only redirected to a link one time.

    This problem will not go away without drastic changes to the way all the major search engines display their search results. As fate would have it, Live.com is the only major engine that doesn’t redirect like this. They also have the least relevant search results and smallest market share. That’s not a coincidence.

    Granted, open redirectors do make things easier for phishers because there is no time lag to get indexed, and they might be on more convincing subdomains. They are low-hanging fruit that should be fixed for the sake of fixing. However, phishers will still be able to use search result redirect links for the foreseeable future.

  9. RSnake Says:

    Okay, that makes a lot more sense. I thought you were saying sending them to the search results page, or making people manually search - my apologies. However, you’re still not entirely correct. Whitelisting will fall down in this case, but hashing doesn’t have to. It can be a hash based on a number of things, not the least of which is your session information. If the session information is invalid for whatever reason you can simply ask the user if they intended to click the link and that the link is not endorsed or sponsored by them. That way the only person you can phish is yourself.

    But honestly, those solutions are terrible anyway. In the age of JavaScript why is this even necessary? If 99.9% of users have JS installed, and they have to believe that or their navigation disappears (try it if you don’t believe me), why not just do tracking in JS? It seems silly to create a hole for something so trivial. They already do most of their security functions for Adsense in JavaScript space anyway. Unless they really want to track the robots performing functions on their site for some reason….

    Regarding live.com - if the rumors are true and they buy overture’s search technology through Yahoo, I’ll definitely be moving my searches to them. :) I have no allegiance to anything but the best technology and IMO Google is a distant second to Overture (http://search.yahoo.com). Phishers, on the other hand, only care about name brand recognition - therefore Google is the worst offender, as a result.
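One way to implement the session-bound signed redirect RSnake describes above (and the “secure hashing function” from comment 4), as an added example that is not part of the original post or of any search engine’s code; the /url endpoint, the url/sig parameter names, the session tokens and the key are all assumptions.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlparse

# Hypothetical server-side secret; in a real deployment it would come from
# configuration, never from source. Constructed for this example only.
REDIRECT_KEY = b"constructed-example-secret-do-not-use"


def _mac(target: str, session: str) -> str:
    # Bind the tag to both the destination and the user's session, so a link
    # that was generated in one session does not silently redirect in another
    # (the "only person you can phish is yourself" property).
    msg = session.encode() + b"\0" + target.encode()
    return hmac.new(REDIRECT_KEY, msg, hashlib.sha256).hexdigest()


def build_redirect(target: str, session: str) -> str:
    """Produce the tracking link the search result page would emit."""
    return "/url?" + urlencode({"url": target, "sig": _mac(target, session)})


def check_redirect(link: str, session: str) -> tuple[str, str]:
    """Decide what the redirector should do with an incoming link.

    Returns ("redirect", target) when the tag verifies for this session,
    ("interstitial", target) when it is missing, tampered with or belongs to
    another session (show a "did you mean to follow this link?" page instead
    of redirecting blindly), and ("reject", "") when no target is present.
    """
    q = parse_qs(urlparse(link).query)
    target = q.get("url", [""])[0]
    sig = q.get("sig", [""])[0]
    if not target:
        return ("reject", "")
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if hmac.compare_digest(sig, _mac(target, session)):
        return ("redirect", target)
    return ("interstitial", target)
```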

  10. Dragos Lungu Says:

    I’ve witnessed something similar to this: paypal phishing using adsense redirect, and I captured the traffic and posted the results here:

    http://www.dragoslungu.com/2007/04/16/paypal-phishing-exploiting-google-adsense-redirect/

    I have yet to see the day when adsense / YPN / [insert ad network] links will get blocked by http inspection tools :)

  11. MustLive Says:

    RSnake, I saw this redirector some days before your post. I found it at nion’s site. It is useful to look at sites which are linking to you ;-) (because it’s possible to find something interesting).

    I will post a lot of redirectors (this one and many others at different search engines) in MOSEB project. It will be at 30th day of MOSEB.

  12. John Nagle Says:

    There aren’t that many “open redirectors” being exploited. We now have a list, automatically updated every three hours:

    http://www.sitetruth.com/reports/phishes.html

    This lists every base domain that’s in both PhishTank (being used for a phishing scam) and DMOZ (indicating a site with a known reputation). There are only 164 base domains listed today. That covers most attempts to use the reputation of a major site in support of a phishing scam. This includes open redirectors, site break-ins, phishing accounts on major hosting services, upload sites, and servers out on DSL lines.

    164 broken domains is a fixable problem. We just have to keep the pressure on those sites. SiteTruth is down-rating them as long as they remain in PhishTank.