Crooks can leverage Google Search's URL redirecting feature, Here's how to avoid being swindled by them

Cybercrime has been posing a threat to innocent internet users for a very long time. We keep hearing about online frauds, scams, phishing attempts, and about malicious URLs too, and we also know that many high-profile individuals and organizations become a target of state-sponsored cybercrime also.

There may be instances when you receive an email from a trusted contact, or a message prompting you to click on a seemingly innocent URL; there is a chance that you might end up clicking on this link because you would think that it is safe as it is from a person you know.

Sometimes, this link will direct you to Google and you will think that its nothing big...but you are wrong. Because there is a high chance that it is a phishing attempt!

Scammers often send a Punycode encoded URL, which redirects the user to a same-looking yet malicious site. Punycode is a way of converting words that can’t be written in ASCII, into an ASCII encoding. This also enables to encode International Domain Names that include non-ASCII characters by using only the Roman letters A to Z, the digits 0 to 9, and the hyphen character.

Sometimes, scammers send Open Redirects in Google. By making the victim click on this link, they can redirect them to their own malicious sites, which usually take leverage by hacking into legitimate sites for either hosting their malicious content in it or to act as intermediaries.

They need this leverage to these sites because their own malicious sites often get black-listed, and their domains are usually not trust-worthy too.

To put it simply, scammers make the victim click on an unvalidated redirect or forwards, which prompt a web application to accept untrusted input that causes the web app to redirect the user request to a URL contained within the untrusted input. These scammers basically modify the untrusted URL input to a malicious site and then after launching the victim into a phishing scam, they steal their credentials.

In their modified link, they use the same server name as of the original or a legitimate site, thus making the phishing attempt less suspicious.

Sometimes, these unvalidated redirect and forward attacks are also used to maliciously craft a URL that will mimic the original site’s control actions. This will make them pass through the application’s access control check without any problem, and then lead the scammer or hacker to privileged or secret functions that they would not be able to access under normal circumstances.


So, an open redirect to a legitimate website can be abused and make the users go from a legitimate trustworthy site to another site which is suspicious. Unfortunately, these legitimate sites are all listed sites in the search index of browsers, and that is how these scammers latch to them for their scamming attempts.

Google uses this URL for redirects: https:/www.google.com/url

This URL will redirect you to any URL on the web if you add an appropriate URL parameter like this:

https://www.google.com/url?url=http://www.example.org

If a scammer is trying to attack you, when you click the above link, you will see that you will not be redirected straight to example.org. Instead, you will probably land on a Google web page that will warn you about the page you were on was trying to send you to an invalid URL.

But this may not happen always. Sometimes the phishing URL has a second parameter, ‘sa=t’ and a third parameter ‘usg’ which might contain a unique identifier. E.g:

https://www.google.com/url?sa=t&url=http://example.org/&usg=AOvVaw1YigBkNF7L7D2x2Fl532mA

This unique identifier is hard to make, but if a site is listed on the Google search index, it has a ‘usg’ which is easily retrievable from the source code of the search results page. This is where these hackers get their third parameters, from listed sites!

Surprisingly, Google does not take much notice of this vulnerability to be abused by the scammers, and they do not have a solid policy against them either.

So, the only way to protect yourself is to not believe in every message or email, even if sent by a trusted contact. If it seems out of context and random, and your contact does not tell you the exact reason for asking you to click on a link, consider it phishy and do not fall into the trap unless you confirm it from your contact personally.

Also, check URLs before clicking in all circumstances.



Read next: Google decides to block resource-heavy ads that secretly drains your device battery and network data

Hat Tip: Nakedsecurity by Sophos.
Previous Post Next Post