Security researchers have identified a novel way of using Accelerated Mobile Page (AMP) links in phishing attacks to bypass email security measures and get their attacks into the inboxes of enterprise employees.

By embedding Google AMP URLs in phishing emails, attackers attempt to bypass security controls: because Google’s domain has a good reputation, a company’s email scanning technology does not flag the messages as malicious or suspicious.

Once the email is opened by a victim, the AMP URLs trigger a redirection to a malicious phishing site.

What is Google AMP?

Developed by Google and a number of partner organisations, Google AMP is an open-source HTML framework designed to make web content load quickly specifically on mobile devices. Tests have shown that AMP pages load four times faster and use eight times less data than traditional mobile-optimised pages.

An AMP consists of three elements:

  • AMP HTML – a subset of HTML tags optimised for AMP pages
  • AMP JS – a JavaScript library specifically for AMP pages
  • AMP CDN – a Content Delivery Network responsible for delivering all the documents that make up the AMP page.

When Google’s crawler visits a website to index its content and the site has been optimised for AMP, the crawler will find a link to the AMP version of the site.

The crawler will then scan and index the AMP version of the website, saving a static version of it to Google’s servers.

The AMP pages hosted on Google’s servers are simplified, and some of the larger media elements, such as images and video, are pre-loaded for faster delivery.

The attack

By crafting an AMP URL with Google’s domain name in it, attackers hope that the victim’s email security applications don’t block the link; by appending a malicious domain to the AMP URL, they can trick the victim into opening a fake or malicious site.

e.g.

https://google.com/amp/s/malicious.domain.com/bad_page
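A scanner-side check for this wrapper format, added here as an example and not code from the original article: it parses Google AMP URLs of the shape shown above, recovers the embedded destination, and evaluates that destination against an allow-list instead of trusting the google.com domain. It assumes the wrapper host is google.com or a subdomain of it, and that the `/s/` segment after `/amp/` marks an HTTPS destination; the sample email text and allow-list are constructed.

```python
import re
from urllib.parse import urlparse, unquote

# Assumed wrapper format (from the article's example):
#   https://google.com/amp/s/<destination-host>/<path>
# "/s/" after "/amp/" means the destination is served over HTTPS;
# without it the destination is plain HTTP.
URL_RE = re.compile(r"https?://[^\s<>\"']+")
AMP_RE = re.compile(r"^/amp/(?P<secure>s/)?(?P<target>[^?#]+)", re.IGNORECASE)


def unwrap_amp_url(url):
    """Return the destination URL hidden inside an AMP wrapper, or None."""
    p = urlparse(url)
    host = p.netloc.lower()
    # Only google.com itself or a true subdomain counts as the wrapper host.
    if host != "google.com" and not host.endswith(".google.com"):
        return None
    m = AMP_RE.match(p.path)
    if not m:
        return None
    scheme = "https" if m.group("secure") else "http"
    target = unquote(m.group("target")).lstrip("/")
    dest_host, _, dest_path = target.partition("/")
    if not dest_host:
        return None
    return f"{scheme}://{dest_host.lower()}/{dest_path}"


def assess_links(text, allowed_hosts):
    """Extract URLs from an email body and report every AMP wrapper,
    marking it suspicious when the embedded host is not allow-listed."""
    findings = []
    for url in URL_RE.findall(text):
        dest = unwrap_amp_url(url)
        if dest is None:
            continue  # ordinary link: left to the existing scanning pipeline
        findings.append({
            "wrapper": url,
            "destination": dest,
            "suspicious": urlparse(dest).netloc not in allowed_hosts,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample email text, not a real message
    sample = ("Please review the document at "
              "https://google.com/amp/s/malicious.domain.com/bad_page today. "
              "Intranet news: https://www.google.com/amp/s/intranet.example.com/news")
    for finding in assess_links(sample, {"intranet.example.com"}):
        print(finding)
```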