For most web savvy users, checking the URL to ensure that it is a legitimate google.com URL is pretty standard, and ensuring that everything before the first / looks legitimate.  Many phishers and hackers use URLs like www.google.com.someotherurl.com/blahblah.html to disguise links (for reference, the bolded part shows the true domain – the google.com part of it are merely set up as subdomains of the true domain).

But now phishers are using google.com AMP URLs to take advantage of people who check specifically for the domain, meaning even tech savvy people could potentially fall victim to these phishing attacks, because they are using Google’s own AMP URLs.  Those who check the true domain could fall victim to these attacks.

How Google’s AMP URLs Work

When Google shows pages as AMP in their mobile search results, they are often hosted by Google itself, so the URL is actually hosted by Google.  For example, the popular Google Panda Algo Guide here will show up as this URL when viewed in AMP:

https://www.google.com/amp/www.thesempost.com/understanding-google-panda-definitive-algo-guide-for-seos/amp/?client=safari

Because of it being a Google.com URL, hackers are taking advantage of that and making AMP URLs of their phishing pages.  So when someone quickly checks the link, it will show as coming from Google.com, and for many people, this would show it is a legitimate email from Google and would likely click it, not noticing the /amp/ portion of the URL, or not knowing what that means.

How These Attacks Work With AMP

Motherboard posted an article about fake Gmail alerts, which were sent to journalists in an attempt to hack their Google accounts.  They all used Google AMP URLs to attempt to trick the receivers.  Here is an example of one of them:

I created a test URL using with tinyURL, and on desktop, it did work and sent me through to the correct landing page through both the AMP and the tiny URL pages.  On mobile, I did get an AMP error stating it was an invalid page, but it allowed me to click through to the correct page.

Google Hosting AMP URLs

Many publishers have not been happy about Google using their own google.com URLs for hosting AMP content, although many are not taking advantages of AMP related tools they can use to keep visitors on the site, such as adding related menus, sidebars or related articles.  But if people copy URLs for sharing, they are also sharing those google.com/amp/ URLs, and not the URLs of the actual content.

But this shows that Google.com URLs should not be trusted when it comes to quickly scanning common phishing emails supposedly from Google.  Will Google change this to show these URLs coming from a non-Google.com domain instead?

They could potentially change the URL, but that could impact speed in serving these pages to searchers.  And speed is Google’s main reason for caching and serving AMP from their own domain instead of from a third party or from the site itself.

Don’t Trust Google.com/amp/ URLs

Bottom line, don’t trust a URL coming from Google.com if it is from Google.com/amp/ Even those who actively double check URLs could fall victim to these attacks.

H/T to Cyrus Shepherd, Chris Dyson and Christopher Smith