By Eric Howes, KnowBe4 Principal Lab Researcher. So, maybe you're a bad guy who doesn't have fancy code monkeys who can cook up an exploit that effectively converts Google into a phishing platform, as happened back in May of 2017, or even do something like the more recent trick using fake address bars in Google's Chrome web browser to hook gullible users. Despair not. There is hope for you yet, for you can still use Google to pull a fast one on users. If you're clever enough.
Here's how it works.
First, you hit your marks with a run-of-the-mill phishing email pushing a fake online order.
The money link in that phish points to a simple doc that you're hosting on Google Docs.
Note the repeated assurances of safety and security in this spoof of Google's standard URL redirection warning. Of course, those reassurances are just as phony as the email that brought users here in the first place.
What's more, when users click that malicious redirect they will encounter a real Google redirect notice...
...which says nothing to contradict what you told potential marks in that fake redirect notice.
Most users will simply click through this second redirect notice, which takes them to a malicious Word doc hosted on a site outside of Google.
Of course, the problem here is the sheer number of clicks and redirects that users must tolerate. Do not doubt, though, that more than a few users will be suckered by this simple ruse. Even users whose faith begins wavering when they hit the real Google redirect notice and elect to "return to the previous page" will simply be dumped right back at your fake redirect notice, with its soothing assurances that all is right with the path they are on.
That's it. No cleverly written apps. No surreptitious attempts to sneak malicious code onto Google's servers. Just a cleverly worded redirect that spoofs Google's own redirect notice.
The great irony, of course, is that the fake Google redirect notice claims to have checked the redirect link for safety -- something that maybe the real Google redirect notice should have actually done itself.