Scammers can take advantage of Google Search’s URL redirect feature, here’s how to avoid being scammed by them / Digital Information World
Cybercrime has been a threat to innocent internet users for a very long time. We constantly hear about online fraud, scams, phishing attempts and malicious URLs, and we also know that many high-profile individuals and organizations are also becoming targets of state-sponsored cybercrime.
You may receive an email or message from a trusted contact telling you to click on a seemingly innocent URL, and you may well click it, assuming it is safe because it comes from someone you know.
Sometimes that link will direct you to Google and you’ll think it’s nothing big… but you’re wrong, because there is a good chance that it is a phishing attempt.
Scammers often send a Punycode-encoded URL, which redirects the user to a similar but malicious site. Punycode is a way to convert words that cannot be written in ASCII to an ASCII encoding. It also allows international domain names that include non-ASCII characters to be encoded using only the Roman letters A-Z, digits 0-9, and the hyphen.
Sometimes scammers send open redirects through Google. By making the victim click on such a link, they can send them on to their own malicious sites, which are often hosted on hacked legitimate sites that either serve the malicious content directly or act as middlemen.
They need this foothold on legitimate sites because their own malicious sites are often blacklisted and their own domains are usually not trusted either.
To put it simply, the crooks make the victim click on an unvalidated redirect or forward: a web application accepts untrusted input and redirects the user’s request to whatever URL that input contains. The scammers simply set that untrusted URL input to a malicious site, lure the victim into a phishing page, and steal their credentials.
In their modified link, they use the same server name as the original site or a legitimate site, thus making the phishing attempt less suspicious.
Sometimes these unvalidated redirect and forward attacks are also used to craft a URL that mimics the control actions of the originating site. This can slip past the app’s access control and lead the scammer or hacker into privileged or secret functions that they could not reach under normal circumstances.
Thus, an open redirect on a legitimate website can be abused to divert users from that legitimate, trustworthy site to a suspicious one. Unfortunately, these legitimate sites are all listed in search engines’ indexes, and that is how scammers latch onto them for their scam attempts.
Google uses this URL for redirects: https://www.google.com/url
This URL will redirect you to any URL on the web if you add an appropriate URL parameter like this:
If a scammer tries to attack you, when you click on the link above, you will see that you will not be redirected directly to example.org. Instead, you’ll likely land on a Google webpage that warns you that the page you were on was trying to send you to an invalid URL.
But that doesn’t always happen. Sometimes the phishing URL has a second parameter, ‘sa=t’ and a third parameter ‘usg’ which can contain a unique identifier. For example:
This unique identifier is difficult to create from scratch, but if a site is listed in the Google search index, it already has a “usg”, which is easily retrieved from the source code of the search results page. This is where the hackers get their third parameter: from listed sites!
Surprisingly, Google doesn’t take much notice of this vulnerability that scammers abuse, nor do they have a solid policy against them.
So, the only way to protect yourself is not to believe every message or email, even if it is sent by a trusted contact. If it seems out of context and random, and your contact doesn’t tell you exactly why you are asked to click on a link, consider it phishy and don’t fall for it unless you confirm personally with your contact.
Also, check URLs before clicking under any circumstances.
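One way to do that check before clicking, as an added example that is not part of the original article: a small Python inspector that recognises the google.com/url redirector described above, reports whether the `sa` and `usg` parameters are present, pulls out the real destination, and decodes any Punycode (`xn--`) labels in the destination host so look-alike domains are visible. It assumes the destination travels in the `q` parameter (the article’s own example is elided); the sample links and the `usg` value are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Google's redirector as the article names it: https://www.google.com/url
REDIRECTOR = ("www.google.com", "/url")

def punycode_labels(host):
    """Return (ascii_label, decoded_label) for every 'xn--' label in host.
    decoded_label is None when the Punycode is malformed."""
    found = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = None
            found.append((label, decoded))
    return found

def inspect_url(url):
    """Describe where a link really leads, without fetching anything."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    report = {
        "is_google_redirect": (parts.hostname, parts.path) == REDIRECTOR,
        "redirect_target": None,
        "has_sa": "sa" in query,    # the 'sa=t' parameter from the article
        "has_usg": "usg" in query,  # the per-result token from the article
        "final_host": parts.hostname,
        "punycode_labels": [],
    }
    if report["is_google_redirect"]:
        # Assumption: the destination is carried in the 'q' parameter.
        target = query.get("q", [None])[0]
        if target:
            report["redirect_target"] = target
            report["final_host"] = urlsplit(target).hostname
    if report["final_host"]:
        report["punycode_labels"] = punycode_labels(report["final_host"])
    return report

# Constructed samples, not real phishing links; the usg value is a placeholder.
SAMPLE_SILENT = "https://www.google.com/url?q=https://example.org/login&sa=t&usg=PLACEHOLDER_USG"
IDN_HOST = "exämple.org".encode("idna").decode("ascii")  # Punycode form of a look-alike host
SAMPLE_IDN = "https://www.google.com/url?q=https://" + IDN_HOST + "/&sa=t"

if __name__ == "__main__":
    for link in (SAMPLE_SILENT, SAMPLE_IDN):
        print(inspect_url(link))
```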
Tip: Nakedsecurity from Sophos.