Exploiting Google on the Cheap

Eric Howes | May 3, 2019

By Eric Howes, KnowBe4 Principal Lab Researcher. So, maybe you're a bad guy who doesn't have fancy code monkeys who can cook up an exploit that effectively converts Google into a phishing platform, as happened back in May of 2017, or even do something like the more recent trick using fake address bars in Google's Chrome web browser to hook gullible users. Despair not. There is hope for you yet, for you can still use Google to pull a fast one on users. If you're clever enough.

Here's how it works.

First, you hit your marks with a run-of-the-mill phishing email pushing a fake online order.

[Image: google-fail-1]

The money link in that phish points to a simple doc that you're hosting on Google Docs.

[Image: google-fail-2]

Note the repeated assurances of safety and security in this spoof of Google's standard URL redirection warning. Of course, those reassurances are just as phony as the email that brought users here in the first place.

What's more, when users click that malicious redirect they will encounter a real Google redirect notice...

[Image: google-fail-3]

...which says nothing to contradict what you told potential marks in that fake redirect notice.

Most users will simply click through this second redirect notice, which takes them to a malicious Word doc hosted on a site outside of Google.

[Image: google-fail-4]

Of course, the problem here is the sheer number of clicks and redirects that users must tolerate. Do not doubt, though, that more than a few users will be suckered by this simple ruse. Even users whose faith begins wavering when they hit the real Google redirect notice and elect to "return to the previous page" will simply be dumped right back at your fake redirect notice, with its soothing assurances that all is right with the path they are on.

That's it. No cleverly written apps. No surreptitious attempts to sneak malicious code onto Google's servers. Just a cleverly worded redirect that spoofs Google's own redirect notice.
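As an added defender-side illustration (not part of Eric Howes's post or any KnowBe4 tool), here is a small Python check that unwraps links passing through Google's redirect notice and flags those whose final destination leaves Google, which is the tell in the chain above. It assumes the redirect-notice link carries its destination in the `q` query parameter (with `url` accepted as a fallback), and the sample links are constructed placeholders, not real indicators.

```python
from urllib.parse import urlparse, parse_qs


def is_google_host(host):
    """True for google.com and any of its subdomains (docs.google.com etc.)."""
    host = (host or "").lower()
    return host == "google.com" or host.endswith(".google.com")


def unwrap_google_redirect(url):
    """Return the destination behind a google.com/url redirect, or None.

    Assumption: the destination sits in the 'q' parameter (fallback 'url'),
    the form Google's own redirect-notice links use. parse_qs percent-decodes.
    """
    p = urlparse(url)
    if not is_google_host(p.hostname) or p.path != "/url":
        return None
    qs = parse_qs(p.query)
    dest = qs.get("q") or qs.get("url")
    return dest[0] if dest else None


def classify_link(url):
    """Classify one link: 'direct', 'google-internal-redirect', or
    'redirect-leaves-google'. Returns (verdict, final_url)."""
    final = unwrap_google_redirect(url)
    if final is None:
        return ("direct", url)
    if is_google_host(urlparse(final).hostname):
        return ("google-internal-redirect", final)
    return ("redirect-leaves-google", final)


def flag_external_redirects(links):
    """Return [(wrapped_link, final_destination)] for links that use Google's
    redirect notice to hop to a host outside Google, as in the lure above."""
    flagged = []
    for link in links:
        verdict, final = classify_link(link)
        if verdict == "redirect-leaves-google":
            flagged.append((link, final))
    return flagged


# Constructed sample links mirroring the described chain (placeholder IDs/hosts).
SAMPLE_LINKS = [
    "https://docs.google.com/document/d/EXAMPLE-DOC-ID/edit",
    "https://www.google.com/url?q=https://docs.google.com/document/d/OTHER-ID/edit",
    "https://www.google.com/url?q=https://example.invalid/order/invoice.doc&sa=D",
]
```

Run over the links extracted from a message body or a hosted Google Doc, the third sample is the only one that should be flagged: a Google-branded redirect notice whose destination is not Google.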

The great irony, of course, is that the fake Google redirect notice claims to have checked the redirect link for safety -- something that maybe the real Google redirect notice should have actually done itself.

